Part of Guidance on protecting connected medical devices
Step 4. Apply mitigations to reduce the impact of compromise
An unpatched end user device that is directly exposed to malicious content is likely to result in successful compromise. The impact of compromise can be reduced by controlling access to enterprise services hosting sensitive data and improving the ability to detect attacks.
4.1 Remove access to services
The level of access granted to medical devices to connect with an enterprise environment should be restricted to only those functions which are critical. Implementation of this mitigation may include network separation and zoning controls.
4.2 Network zoning
By zoning the network, it's possible to reduce the ability of malware to spread laterally through an enterprise. The traffic flows between zones should be well defined, providing the ability to block and prevent unauthorised communications, such as those made by malware trying to reach its command-and-control systems.
It must be assumed that successful attacks against temporarily unpatched medical systems are likely to be able to subvert the controls provided by any software firewall in that operating system.
Appropriate internet gateway mitigations, such as using an outbound proxy, will help ensure that internet-bound traffic flows are authorised.
Medical devices should be placed into network zones that minimise the traffic which can reach them. Access to those zones should only be granted to clients with a need to communicate with devices in those zones. Consider using an air gap if feasible.
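The following is an added illustration of the zoning principle above, not part of the original guidance: a small default-deny flow policy in which every permitted inter-zone flow is listed explicitly, devices can only reach the internet through an outbound proxy, and anything else is denied. The zone names, address ranges, ports and sample flows are all constructed for this example; a real deployment would carry its own segmentation design into its firewall or gateway configuration.

```python
"""Zone-based flow policy check (added example, not from the guidance).

Zones, address ranges, ports and sample flows are illustrative
placeholders constructed for this example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed zone layout: each zone is one address range (constructed values).
ZONES = {
    "medical_devices": ipaddress.ip_network("10.10.0.0/24"),
    "clinical_workstations": ipaddress.ip_network("10.20.0.0/24"),
    "outbound_proxy": ipaddress.ip_network("10.30.0.0/28"),
    "enterprise": ipaddress.ip_network("10.40.0.0/16"),
}

# Explicit allow-list of (source zone, destination zone, destination port).
# Any inter-zone flow not listed here is denied (default deny).
ALLOWED_FLOWS = {
    ("clinical_workstations", "medical_devices", 104),  # DICOM from workstations to devices
    ("medical_devices", "enterprise", 104),             # devices sending images to an enterprise PACS
    ("medical_devices", "outbound_proxy", 8080),        # internet-bound traffic only via the proxy
    ("clinical_workstations", "outbound_proxy", 8080),
    ("outbound_proxy", "internet", 443),                # only the proxy talks to the internet directly
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> str:
    """Return 'allow' only for flows on the explicit allow-list, else 'deny'."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.port)
    return "allow" if key in ALLOWED_FLOWS else "deny"


def audit(flows):
    """Evaluate each flow and return (flow, verdict) pairs."""
    return [(f, evaluate(f)) for f in flows]


def summarise(flows) -> Counter:
    """Count verdicts, e.g. Counter({'allow': 2, 'deny': 2})."""
    return Counter(verdict for _, verdict in audit(flows))


# Constructed sample flows: two legitimate, two that the zoning should block.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.10.0.5", 104),     # workstation -> device, DICOM: allow
    Flow("10.10.0.5", "10.30.0.2", 8080),     # device -> outbound proxy: allow
    Flow("10.10.0.5", "203.0.113.10", 443),   # device straight to the internet: deny
    Flow("10.40.1.20", "10.10.0.5", 3389),    # enterprise host RDP to device: deny
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{zone_of(flow.src):>21} -> {zone_of(flow.dst):<21} :{flow.port:<5} {verdict}")
```

The point of writing the policy as an allow-list is that a device attempting to reach a command-and-control host directly fails the lookup regardless of what port or address it tries; the only internet path that evaluates to "allow" runs through the proxy zone, where the organisation can authorise and log outbound requests.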
4.3 Protective monitoring capability improvement
It's especially important to ensure an effective and proactive protective monitoring capability is in place. Many organisations record security events but do not proactively alert or act upon those events.
The first step to having a good protective monitoring solution in place is to ensure that the logs you are collecting are useful. The NCSC have published advice on how to decide what information to log.
Once you’re logging data, it can then be monitored for anomalies, such as unusual log-on activity or an increase in traffic. With the right tools and resources, such activity can be flagged, investigated and, if malicious, acted on. Options range from open source solutions to fully managed Security Operations Centres; organisations need to assess their risk profile and budget to determine the option most suitable to them.
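As an added example (not part of the guidance, and not any particular product's detection logic), the two anomalies named above can be turned into simple checks over device logs: log-ons from a source outside a known baseline or outside expected hours, a run of failed log-ons from one source, and an hourly traffic volume well above the device's usual level. The log format, hostnames, addresses, baseline and thresholds are all constructed for this example; a real deployment would read its own syslog or SIEM feed and tune the thresholds to its environment.

```python
"""Anomaly checks over medical-device logs (added example, not from the guidance).

Log format, hosts, addresses, baseline and thresholds are constructed
for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>LOGON|FLOW) (?P<rest>.*)$")

# Constructed baseline: which hosts normally log on to each device, and
# the hours in which interactive log-ons are expected.
EXPECTED_LOGON_SOURCES = {"mri-01": {"10.20.0.11", "10.20.0.12"}}
WORKING_HOURS = range(7, 19)   # 07:00 to 18:59
FAILURE_THRESHOLD = 5          # failed log-ons from one source before alerting
TRAFFIC_SPIKE_FACTOR = 3       # hourly bytes above this multiple of the median alert


def parse(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    fields["ts"] = datetime.fromisoformat(m["ts"])
    fields["kind"] = m["kind"]
    return fields


def parse_log(text):
    return [e for e in (parse(l) for l in text.splitlines()) if e]


def logon_alerts(events):
    """Flag unexpected-source, out-of-hours and repeated-failure log-ons."""
    alerts, failures = [], Counter()
    for e in events:
        if e["kind"] != "LOGON":
            continue
        host, src = e["host"], e["src"]
        if e["result"] == "failure":
            failures[(host, src)] += 1
            if failures[(host, src)] == FAILURE_THRESHOLD:
                alerts.append(f"{host}: {FAILURE_THRESHOLD} failed log-ons from {src}")
            continue
        if src not in EXPECTED_LOGON_SOURCES.get(host, set()):
            alerts.append(f"{host}: log-on from unexpected source {src} (user {e['user']})")
        if e["ts"].hour not in WORKING_HOURS:
            alerts.append(f"{host}: out-of-hours log-on at {e['ts'].isoformat()} by {e['user']}")
    return alerts


def traffic_alerts(events):
    """Flag any hour whose byte count exceeds TRAFFIC_SPIKE_FACTOR x the host's median hour."""
    per_host = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["kind"] == "FLOW":
            per_host[e["host"]][e["ts"].replace(minute=0, second=0)] += int(e["bytes"])
    alerts = []
    for host, hours in per_host.items():
        baseline = median(hours.values())
        for hour, total in sorted(hours.items()):
            if total > TRAFFIC_SPIKE_FACTOR * baseline:
                alerts.append(f"{host}: {total} bytes in hour starting {hour:%H:%M}, "
                              f"over {TRAFFIC_SPIKE_FACTOR}x median {baseline:.0f}")
    return alerts


# Constructed sample log: a normal working day, then an out-of-hours log-on
# from an enterprise host, a burst of outbound traffic and repeated failures.
SAMPLE_LOG = """\
2022-12-01T08:05:00 LOGON host=mri-01 user=radiographer src=10.20.0.11 result=success
2022-12-01T09:00:00 FLOW host=mri-01 bytes=120000
2022-12-01T10:00:00 FLOW host=mri-01 bytes=130000
2022-12-01T11:00:00 FLOW host=mri-01 bytes=110000
2022-12-01T12:00:00 FLOW host=mri-01 bytes=125000
2022-12-01T13:00:00 FLOW host=mri-01 bytes=115000
2022-12-02T02:14:00 LOGON host=mri-01 user=svc_backup src=10.40.5.9 result=success
2022-12-02T02:20:00 FLOW host=mri-01 bytes=900000
2022-12-02T02:21:00 LOGON host=mri-01 user=admin src=10.40.5.9 result=failure
2022-12-02T02:21:05 LOGON host=mri-01 user=admin src=10.40.5.9 result=failure
2022-12-02T02:21:10 LOGON host=mri-01 user=admin src=10.40.5.9 result=failure
2022-12-02T02:21:15 LOGON host=mri-01 user=admin src=10.40.5.9 result=failure
2022-12-02T02:21:20 LOGON host=mri-01 user=admin src=10.40.5.9 result=failure
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in logon_alerts(events) + traffic_alerts(events):
        print(alert)
```

Using the median of the device's own hourly totals as the baseline keeps a single burst from dragging the threshold up with it, which a mean would do; the remaining tuning decisions (baseline sources, working hours, failure count) are exactly the ones the guidance expects each organisation to make against its own risk profile.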
Where possible (recognising that many manufacturers will not allow additional software onto CMD or their supporting equipment), it is strongly recommended to deploy MDE to any CMD running a Windows operating system as part of the centrally provided O365 licence. Having MDE on the device provides an additional layer of security and allows monitoring by NHS Digital’s Cyber Security Operational Centre (CSOC).
4.4 Anti-malware and intrusion detection products
Products such as antivirus, host-based and network-based intrusion detection systems can be used and will continue to offer some benefits in detecting malicious code. Their effectiveness may be reduced as the products may not be updated during the supplier’s assessment period.
Intrusion detection products located on the medical devices' segregated network may provide an early warning of malware, as these products can be maintained and updated immediately when patches are released. Care should be taken to ensure that the update path for these intrusion detection devices does not bypass the network segregation controls needed for the medical devices on that same network.
Vulnerability management tools (such as port scanners) should be used with caution on areas of the network operating medical devices, as they may disrupt the proper operation of a device and endanger patients. Appropriate approval should be gained from the relevant department operating the medical device before any such scanning takes place.
4.5 Incident response
Timely response to security-critical events is important given the vulnerability of medical devices. Actions to contain and eradicate a compromise should be taken promptly to limit its spread.
Ensure engagement with clinical colleagues to understand the potential impact of any incident and plan for remediation. It is recommended that you include a compromised medical device as part of your regular incident response exercises.
Last edited: 19 December 2022 11:27 am