Baptist Health Case Study
Background
Baptist Health is a full-spectrum health system made up of nine hospitals, 23,000 employees (in addition to more than 2,000 independent physicians), more than 400 points of care, and nearly 2,500 licensed beds. The organization’s employed provider network, Baptist Health Medical Group, has close to 1,500 providers. This includes more than 750 physicians and over 740 advanced practice clinicians.
Baptist Health is working to strengthen its cybersecurity posture and Zero Trust platform by adding more layers of defense and equipping itself with the relevant tools to protect against the next generation of attacks.
Challenge
Baptist Health operates and relies on an extensive system of medical devices, IoTs, and traditional IT equipment… All of which need to be properly managed to ensure the efficacy of cybersecurity efforts; an asset inventory is, therefore, critical. However, an accurate asset inventory is difficult to achieve; a lack of Layer 1 visibility means that “understanding what’s in our facilities at any given time is a big challenge,” says Michael Erickson, CISO of Baptist Health. This is a significant risk as the new generation of attack tools is “getting more sophisticated and smaller.”
Further, these tools hide within other assets – be it medical devices, IoTs, peripherals. And they exploit the Layer 1 blind spot by spoofing legitimate devices. “If you have an attack tool that’s designed to actually look like, or simulate or impersonate something that’s relatively benign, and it’s in your environment and it’s not doing anything, it’s pretty difficult to know that it’s there”, says Michael.
Security solutions cannot differentiate between a legitimate HID, a MAC spoofing device or any other rogue device. Thus, allowing the latter to bypass security controls and initiate harmful attacks. With countless devices in use at Baptist Health, ranging from critical medical devices to everyday peripherals, there is cause for concern regarding their integrity. “When you think about the delivery of a piece of equipment, are we able to be sure that the equipment that was delivered is actually what was designed by the manufacturer?”