If you can’t see it, you can’t protect it
The network inside a hospital is a fluid, changing environment. Infusion pumps move from room to room – some wireless, some hard-wired. Ultrasounds roll from room to room and floor to floor, sometimes plugging into a network jack and other times connecting wirelessly to the hospital networks. Guests log in with their mobile phones. Patients may even plug their laptops into a nearby available network port.
How can you protect against this network "mayhem," as Allstate would call it?
One way is to use a Network Access Control (NAC) product such as FortiNAC. As devices connect to the network, FortiNAC can use a variety of methods to detect and identify them and, just as importantly, classify them by device type and assign them to security groups and VLANs. This allows hospital IT and biomed staff to automate device classification and security. Rogue or unknown devices can be placed into quarantine until they can be identified. Devices such as ultrasounds or infusion pumps can be placed into a specific VLAN with controlled access to and from other parts of the network. This can protect expensive medical assets from ransomware, other malware, or hacking.
Device Identification
FortiNAC uses a variety of methods to identify devices on the network. It can read information from switches and routers using CLI, SNMP, RADIUS, Syslog, API and DHCP to learn when a new device connects to the network. This means FortiNAC is not dependent on a network scan, which takes time.
Medical Device Database
Once FortiNAC detects a device, it can use a variety of methods to help determine what type of device it is. It can look at identifying factors such as the MAC address and the operating system to help identify the device. FortiNAC has an identification database of thousands of device types, including hundreds of medical devices. If a particular device is not in the database, network administrators and biomed personnel can add the device type to their own custom database so that in the future FortiNAC can auto-identify similar devices.
Follow this link to learn more about how FortiNAC helps when managing network device access.
So, for example, FortiNAC can identify a particular type of infusion pump and record the manufacturer and other information. This allows IT and biomed personnel to quickly see what type of device is on the network, rather than identifying it by an IP address alone.
FortiNAC Control Manager
FortiNAC Control Manager allows you to manage your medical devices globally from a “single pane of glass”. If you have multiple hospitals, clinics, or campuses, you can place a FortiNAC at each location and the information can be accessed and managed globally. Policies can be controlled from a central location, and various levels of access to the FortiNAC database can be granted. For example, you may want to provide read-only access to your biomed technicians, while only allowing IT security teams to control rules.
Control Manager makes it easy to scale your network identification and security monitoring, and to provide granular access to the information gathered by FortiNAC. This way your staff, such as biomed, become more familiar with the devices on the network and can take ownership of security monitoring and management.
Fortinet Security Fabric
Perhaps even more importantly, FortiNAC plugs into Fortinet's Security Fabric. This means it can pass information it learns about network devices to other systems on the network that share Security Fabric information. For example, FortiNAC can pass on information about all the infusion pumps to FortiGate firewalls, which can use this information to control and monitor access to these devices. Without Security Fabric, you would need to manually set up rules and add devices to the infusion pump group. Each time a new infusion pump is added to the network, or moved to a new part of the network, you would need to manually update your security policies. With Fortinet Security Fabric, this step is automatic. Install a new infusion pump and FortiNAC sees it, classifies the device as an infusion pump, puts it in the correct security group and VLAN, and then notifies the FortiGate firewall that this new device is now authorized on the VLAN and that infusion pump traffic rules should be applied to it. All at machine speed and without human intervention.
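To make the workflow in the Device Identification and Security Fabric sections concrete, here is an added example that is not FortiNAC's or Fortinet's code: a small simulation that reads constructed DHCP syslog events, classifies each host by MAC OUI against a custom device database, sends unknown devices to a quarantine VLAN, and produces the address-group membership a firewall would be handed. The OUIs, vendor names, VLAN numbers and group names are all assumptions chosen for the example.

```python
import re

# Constructed device database keyed by MAC OUI (first three octets); the prefixes
# and vendor names are placeholders, not real OUIs or products.
DEVICE_DB = {"00:11:22": ("infusion_pump", "ExampleMed Corp"),
             "aa:bb:cc": ("ultrasound", "ExampleImaging Inc")}

# Assumed policy per device type: VLAN plus firewall address group. Anything the
# database cannot identify lands in quarantine, never on a clinical VLAN.
POLICY = {"infusion_pump": {"vlan": 110, "group": "grp_infusion_pumps"},
          "ultrasound": {"vlan": 120, "group": "grp_ultrasound"},
          "unknown": {"vlan": 999, "group": "grp_quarantine"}}

# Constructed DHCP server syslog lines, the kind of event a NAC consumes so it
# does not have to wait for a periodic network scan.
EVENTS = """\
Mar 01 10:02:11 dhcpd: DHCPACK on 10.20.1.14 to 00:11:22:33:44:55 via eth1
Mar 01 10:05:43 dhcpd: DHCPACK on 10.20.1.27 to AA:BB:CC:01:02:03 via eth1
Mar 01 10:07:09 dhcpd: DHCPACK on 10.20.1.31 to de:ad:be:ef:00:01 via eth1
"""
LEASE_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def classify(mac, db=DEVICE_DB):
    """Map a MAC to (device_type, vendor); an unknown OUI is never trusted by default."""
    return db.get(mac.lower()[:8], ("unknown", "unknown"))

def learn_device(oui, device_type, vendor, db=DEVICE_DB):
    """Custom entry added by biomed/IT so later hosts with that OUI auto-classify."""
    db[oui.lower()] = (device_type, vendor)

def process_events(log, db=DEVICE_DB):
    """One decision per lease event: classification, VLAN and firewall group."""
    decisions = []
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        dtype, vendor = classify(m["mac"], db)
        decisions.append({"ip": m["ip"], "mac": m["mac"].lower(), "type": dtype,
                          "vendor": vendor, **POLICY[dtype]})
    return decisions

def group_members(decisions):
    """Address-group membership as a firewall would receive it, keyed by group name."""
    groups = {}
    for d in decisions:
        groups.setdefault(d["group"], []).append(d["ip"])
    return groups

if __name__ == "__main__":
    print(group_members(process_events(EVENTS)))
```

Running it shows the third host, whose OUI is not in the database, landing in the quarantine group; adding its OUI with `learn_device` moves it to the infusion pump VLAN on the next pass, which is the auto-classification the custom database is meant to provide.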