Cisco Cisco Identity Services Engine 1.3 백서
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 4 of 27
Core components of the Cisco Medical NAC solution include the following:
●
Cisco Identity Services Engine (ISE) for advanced visibility, policy management, and access control
●
Cisco TrustSec
®
software-defined segmentation for visibility, and access control
●
Cisco AnyConnect
®
clients for highly secure mobile connectivity on and off the healthcare network
●
Cisco infrastructure and security devices to deliver reliable and highly secure access
●
Technology partners that share rich contextual data with Cisco ISE to deliver superior visibility, threat
detection, and containment
detection, and containment
The Challenge of Securing Medical Devices
The healthcare industry faces unique challenges when it comes to the identification, classification, and
authentication of medical devices. Rigid
authentication of medical devices. Rigid
software on these devices without a formal submission. With a primary focus on clinical function over security,
manufacturers have failed to implement the most rudimentary forms of protection. Features that are often missing
include operating system hardening, patch updates, and client security services like personal firewall, antimalware,
host intrusion prevention, or authentication services like an 802.1X supplicant. It can be a time-consuming and
costly process to validate compliance after a modification. Consequently, these devices are often deployed in an
unprotected state, and manufacturers have little incentive to provide security updates as new vulnerabilities are
discovered.
manufacturers have failed to implement the most rudimentary forms of protection. Features that are often missing
include operating system hardening, patch updates, and client security services like personal firewall, antimalware,
host intrusion prevention, or authentication services like an 802.1X supplicant. It can be a time-consuming and
costly process to validate compliance after a modification. Consequently, these devices are often deployed in an
unprotected state, and manufacturers have little incentive to provide security updates as new vulnerabilities are
discovered.
It is common to see medical devices that have been in operation for many years without any modifications that
improve or address their security posture. These are the same devices responsible for the safety and health of the
patients they serve. Their compromise or failure can result in a failure of the treatment or even death. However,
awareness of the security gaps and risks in the healthcare environment has risen significantly. In the past couple of
years individual testers have exposed the ease with which medical devices can be compromised or whose
functions can be controlled without being detected, even devices that deliver critical care. For more details on the
threat prevalence, refer to the article “
improve or address their security posture. These are the same devices responsible for the safety and health of the
patients they serve. Their compromise or failure can result in a failure of the treatment or even death. However,
awareness of the security gaps and risks in the healthcare environment has risen significantly. In the past couple of
years individual testers have exposed the ease with which medical devices can be compromised or whose
functions can be controlled without being detected, even devices that deliver critical care. For more details on the
threat prevalence, refer to the article “
,” by Monte Reel and Jordan
Robertson (November 2015).
With the stakes so high, healthcare delivery organizations are left with an enormous problem: how to ensure the
safety of their patients—protecting both life and privacy—while having little control over the security of the devices
used to treat and care for them.
safety of their patients—protecting both life and privacy—while having little control over the security of the devices
used to treat and care for them.
that “each manufacturer shall establish and maintain procedures for implementing corrective
and preventive action.” This directive may include the maintenance of the security baseline of medical devices
such as security patches, antimalware, and encryption. The FDA further extends the responsibility of medical
device manufacturers (MDMs) to off-the-shelf (OTS) software [Reference:
such as security patches, antimalware, and encryption. The FDA further extends the responsibility of medical
device manufacturers (MDMs) to off-the-shelf (OTS) software [Reference:
]. Unfortunately, not all MDMs are vigilant in
updating their systems, and these mandates are at odds with the directive that prohibits device changes without
formal submission. Once these devices are deployed, IT security administrators are typically unable or fearful to
make updates and modifications to critical-care devices that could compromise the intended functionality or
increase the risk of liability due to a malfunction.
formal submission. Once these devices are deployed, IT security administrators are typically unable or fearful to
make updates and modifications to critical-care devices that could compromise the intended functionality or
increase the risk of liability due to a malfunction.