Once you have identified every device on your network and developed FortiGate access control rules for your medical devices in FortiManager, you need to monitor and manage those devices to watch for unusual activity, emerging threats, and attempted attacks. You must do this 24/7/365, and you must have a plan in place for how to respond to the various threats you find.
People who are experienced in security management are expensive to train and hard to find. There are far more jobs in the security industry than there are trained staff to fill them. If you train and hire from within, chances are those people will be poached for higher-paying jobs once they gain a bit of experience.
So what are your options to monitor medical device security?
- Do nothing. Your security tools should take care of the threats for you.
- Hire and train staff to monitor your devices 24/7/365, comb through the logs, check traffic stats, and report any unusual activity. This takes time, since the training is arduous, long, and highly technical. You will also want to maintain security certifications for your staff AND for your department processes as a whole.
- Automate the process by purchasing SIEM (Security Information and Event Management) software, and then train your staff on how to use and maintain SIEM software and implement best practices. You will need to maintain the software, pay for license fees, continually train your staff on how to best use the SIEM software, and audit your security department and software to ensure it is working effectively.
- Hire a company such as SageNet, which already has the staff, processes, and certifications in place to ingest your device logs into our SIEM software and allow our experienced security professionals to automate and monitor your system and notify you of unusual, actionable security events.
FortiSIEM is Fortinet’s security information and event management solution. It gathers information from the FortiGate firewalls protecting your devices, as well as from the devices themselves. FortiSIEM provides dashboards for various departments showing the security vulnerability of each device, along with recommendations for remediating any problems found. You can give your biomed team access to see the devices and receive alerts when suspected problems arise, and give your security and network teams the ability to make changes, drill into switches and routers to view logs, and tighten access lists to protect these devices.
FortiSIEM can be deployed in a variety of fashions, from a simple device in an imaging center to a multi-hospital, multi-department environment. It has several components, which can be purchased as a single appliance (for an imaging center) or in a distributed architecture.
Collectors are the probes that receive events from devices such as your CT, MRI, firewall, switch, etc. Normally you will need one collector per facility. Collectors must have direct access to the VLAN with the medical devices.
Workers are processing systems that analyze and correlate the data captured by the collectors. Workers can be installed on virtual machines, in Docker containers, or on a Fortinet hardware appliance.
The supervisor is the management and viewing server that provides “single pane of glass” viewing of security events. You will normally have one supervisor per organization. Users simply log into the supervisor via a web browser. You can then create dashboards for various people to view threats and activity. For example, you can have a graph showing traffic patterns into and out of your CT scanner and PACS archive. If you see a spike in activity, you can investigate to see whether it is normal traffic or something more sinister.
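The spike check described above, as an added example that is not part of the original article or of FortiSIEM itself: it reads FortiGate-style key=value traffic log lines (the sample lines, IP addresses and device name below are constructed for illustration), sums bytes per source/destination pair per hour, and flags any hour that is far above that flow's usual volume, which is the kind of baseline-versus-now comparison a dashboard graph shows visually.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed FortiGate-style traffic log lines (key=value syslog), not real captures.
# A CT scanner (10.20.1.15) sends studies to a PACS archive (10.20.5.10) on DICOM port 104;
# the 13:00 hour carries roughly twelve times the usual volume.
SAMPLE_LOGS = [
    'date=2024-03-01 time=09:10:02 devname="FG-IMG01" type="traffic" subtype="forward" srcip=10.20.1.15 dstip=10.20.5.10 dstport=104 sentbyte=20480000 rcvdbyte=8192',
    'date=2024-03-01 time=10:05:44 devname="FG-IMG01" type="traffic" subtype="forward" srcip=10.20.1.15 dstip=10.20.5.10 dstport=104 sentbyte=22020096 rcvdbyte=8192',
    'date=2024-03-01 time=11:20:31 devname="FG-IMG01" type="traffic" subtype="forward" srcip=10.20.1.15 dstip=10.20.5.10 dstport=104 sentbyte=19922944 rcvdbyte=8192',
    'date=2024-03-01 time=12:15:09 devname="FG-IMG01" type="traffic" subtype="forward" srcip=10.20.1.15 dstip=10.20.5.10 dstport=104 sentbyte=21495808 rcvdbyte=8192',
    'date=2024-03-01 time=13:02:57 devname="FG-IMG01" type="traffic" subtype="forward" srcip=10.20.1.15 dstip=10.20.5.10 dstport=104 sentbyte=262144000 rcvdbyte=8192',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def hourly_bytes(lines):
    """Sum sent+received bytes per (srcip, dstip, date, hour) for traffic events."""
    buckets = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec.get("type") != "traffic":
            continue  # ignore event/UTM records; only traffic volume matters here
        key = (rec["srcip"], rec["dstip"], rec["date"], rec["time"][:2])
        buckets[key] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
    return buckets

def find_spikes(lines, factor=5.0, min_history=3):
    """Flag hours whose volume exceeds factor x the median of the flow's other hours.
    Returns a list of (srcip, dstip, date, hour, bytes, median_of_other_hours)."""
    by_flow = defaultdict(dict)
    for (src, dst, date, hour), total in hourly_bytes(lines).items():
        by_flow[(src, dst)][(date, hour)] = total
    spikes = []
    for (src, dst), hours in by_flow.items():
        for (date, hour), total in sorted(hours.items()):
            others = [v for k, v in hours.items() if k != (date, hour)]
            if len(others) < min_history:
                continue  # too little baseline to judge this flow yet
            base = median(others)
            if total > factor * base:
                spikes.append((src, dst, date, hour, total, base))
    return spikes

if __name__ == "__main__":
    for s in find_spikes(SAMPLE_LOGS):
        print("spike: %s -> %s on %s at %s:00, %d bytes vs median %d" % s)
```

A flagged hour is a prompt to investigate (a large backlog of studies being sent, or something that should not be there), not a verdict on its own.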
FortiSIEM is multi-tenant, meaning you can set up an environment for each facility or department and give them access to their own devices while maintaining overall control from your security or networking department. This allows you to scale up to monitor an entire enterprise, with each hospital, clinic or department able to see their own information without having access to the entire FortiSIEM environment. With FortiSIEM you get very granular control over who can make changes, view particular devices and dashboards, control users, add or remove devices, etc.