Based on the VA Office of Inspector General (OIG) findings regarding the VA Medical Device Protection Program (MDPP), the MedFusion project was established to investigate alternative approaches to device isolation (for both medical and non-medical devices) that make use of existing network security management and isolation technologies.
The intent of the pilot is to reduce the cybersecurity material weakness without creating an overly complex environment, while maximizing the re-use of existing infrastructure. A balance of operational ability and security must be attained to meet the VA’s dynamic environmental and mission requirements.
This solution builds upon the existing architecture, providing agentless network discovery of Open Systems Interconnection (OSI) Layer 2/3 devices that is able to discover and authenticate authorized wired, wireless, Virtual Private Network (VPN) or Bring Your Own Device (BYOD) endpoint devices. In addition, the pilot needs to interface with existing VA discovery Continuous Diagnostics Monitoring (CDM) products such as Gigamon. The pilot solution hardware and software must integrate with the existing Network Security Operations Center (NSOC).
Our Mission
All medical devices carry a certain amount of risk, and new devices are added to hospital/medical networks constantly. Frequently, these are unmanaged Medical/SpS IoT devices or endpoints. These devices significantly expand our attack surface, often going unnoticed. While the increased use of wireless technology and software in medical devices also increases the risk of cybersecurity threats, these same features improve health care and increase the ability of health care providers to treat patients.
The VA currently has over 50,000 networked medical devices that require protection from the general enterprise network. These devices are currently isolated using Virtual LANs and over 14,000 Layer-3 Access Control Lists (ACLs) hosted on over 1000 switch/router/firewall devices. Managing the 14,000 ACLs is a difficult task, requiring extensive manual effort for configuration and annual verification. Additionally, at Layer 2, these networked medical devices are not currently subject to any form of Network Access Control.
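The annual ACL verification described above is the kind of check that can be automated. The following is an added example, not part of the MedFusion pilot or VA configuration: it parses a constructed Cisco-style extended ACL protecting a hypothetical medical-device VLAN and reports any permit entry that lets device traffic reach a destination outside an approved allow-list. It assumes contiguous wildcard masks and IPv4 only.

```python
import ipaddress

# Constructed sample ACL for a hypothetical medical-device VLAN (not VA data).
SAMPLE_ACL = """
ip access-list extended MED-VLAN-210-IN
 permit tcp 10.21.10.0 0.0.0.255 host 10.200.5.20 eq 443
 permit udp 10.21.10.0 0.0.0.255 host 10.200.5.53 eq 53
 permit ip 10.21.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip any any
"""


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host X', or 'X wildcard') at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard (inverse) mask -> prefix length; assumes a contiguous mask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = (~wildcard) & 0xFFFFFFFF
    return ipaddress.ip_network((t, bin(netmask).count("1")), strict=False), i + 2


def parse_ace(line):
    """Parse one access control entry; return None for non-ACE lines."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "port": port}


def find_isolation_gaps(acl_text, device_subnet, allowed_dests):
    """Return permit entries sourced from device_subnet whose destination is not approved."""
    device = ipaddress.ip_network(device_subnet)
    approved = [ipaddress.ip_network(a) for a in allowed_dests]
    gaps = []
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None or ace["action"] != "permit" or not ace["src"].overlaps(device):
            continue
        if not any(ace["dst"].subnet_of(a) for a in approved):
            gaps.append(line.strip())  # destination broader than the allow-list
    return gaps


if __name__ == "__main__":
    print(find_isolation_gaps(SAMPLE_ACL, "10.21.10.0/24", ["10.200.5.20/32", "10.200.5.53/32"]))
```

Running this over the sample flags the third permit, which exposes the device VLAN to the entire 10.0.0.0/8 enterprise range; a broad entry like that is exactly what manual annual review tends to miss at scale.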