From legacy to leading edge: Taking a holistic approach to medical device security

Fortinet will be hosting a webinar series to address the challenge of securing medical devices for healthcare institutions. You can find out more and register for the webinar here.

As public healthcare institutions embrace telehealth and remote patient monitoring, the challenge of securing medical devices becomes more complex.

This is exacerbated by the need to manage a complex mix of legacy systems and new medical devices.

Fortinet’s Regional Solutions Architect for Healthcare and Education, Michelle Parreno, believes that hospitals need more than just new technologies to secure medical devices effectively.

She shares that a holistic approach that provides the framework and tools for healthcare providers to assess risk, implement strong security policies, and respond effectively to the evolving threats is what is required.

A structured approach needed

Stressing on the point about legacy systems working alongside state-of-the-art devices, Parreno notes that public healthcare systems across Southeast Asia have different infrastructure and cybersecurity maturity levels.

While Singapore is highly advanced in medical device technology, other countries in the region often face budget limitations and funding delays. This impacts their ability to secure healthcare networks and adopt new medical devices.

Additionally, not all medical devices have comprehensive, built-in security features, making it challenging for hospitals to secure their patient data, she added.

To address the diverse needs across healthcare systems and medical devices, Parreno noted the need for cybersecurity providers like Fortinet to work with each organisation to create a customised cybersecurity journey.

This is why Fortinet employs a structured, phase approach, by identifying the immediate requirements and prioritising them before moving to the organisation’s longer-term goals.

To guide this process, Fortinet provides internal security readiness assessments to help organisations identify gaps and prioritise requirements for both immediate and future action.

Whether patient data is at rest or in transit, it is key requirement to have an encryption as part of the consolidation journey.

Security by design

With a limited budget, Parreno recommends healthcare providers to prioritise proper network design, especially with network segmentation that provides a critical and budget-friendly solution for securing medical devices and other internet of things (IoT) services and solutions.

She added that there are some basic segmentation guidelines that healthcare organisations can follow.

These include isolating medical devices from other network segments to reduce attack surface and impact of potential breaches, segmenting them based on the role, process and criticality of medical devices, as well as deploying a next-generation firewall to control traffic between segments.

For devices where endpoint detection and response (EDR) are not feasible, such as legacy medical devices, Parreno recommended organisations to adopt alternative ways to gain visibility into device’s behavior.

These include network detection and response (NDR), log assessment and security information and event management (SIEM) to monitor the behaviour of these devices and provide integrated and centralised logging with events correlation.

For example, Fortinet previously worked with Australian Catholic nonprofit, St. Agnes’ Parish, to secure their 25 sites and integrate new medical devices to better support their community.

The organisation used several solutions, including FortiManager which is a centralised management solution that ties different solutions together, as well as the FortiGuard AI-powered security systems to deliver the best possible care, while operating with greater flexibility and resilience.

Additionally, Fortinet provides network access control solutions that can quarantine new devices at the port level to ensure that they are compliant before they are placed on the network.

The firm also partners visibility vendors who can provide deeper insights into device vulnerabilities.

This enhances network security by enforcing access control based on detailed medical device profiles and real-time behavior, preventing unauthorised or compromised devices from impacting the clinical network.

Emerging trends

Parreno said that Fortinet is already integrating emerging technologies like artificial intelligence (AI) into its solutions, particularly in its security operations centre (SOC) tools.

For example, its Analyser and SIEM solution, which provides real-time monitoring, currently has an AI assistant that helps to expedite threat investigation and faster mitigation reducing the need for security analysts to manually comb through the network.

Fortinet currently has over 500 patents related to AI, and has been actively developing AI- powered cybersecurity solutions.

Fortinet’s webinar series

Fortinet will be hosting a webinar series to address the challenge of securing medical devices.

The series is designed to offer a holistic understanding of medical device security by incorporating the viewpoints of all stakeholders – from healthcare professionals, IT staff to tech partners of healthcare.

The four episodes will cover the entire life cycle of medical device security through a four-episode journey:

• Risk assessment and security policies
• Compliance and segmentation
• Patch management and visibility
• Access control and incident response

You can find out more and register for the webinar series here.