
The last of the seven-part CHIME Medical Device Security Webinar series focused on building a business case for next-gen medical device solutions. In our wrap up webinar, we delved into the featured topic with two special guests.

  1. Matt Dimino: VP of Operational Technology and Security at First Health Advisory. Mr. Dimino’s professional credentials include CEH, CISM, CISC, and HCISPP.
  2. Chuck Christian: With over 40 years of experience in healthcare IT, Mr. Christian is VP of Technology and CTO of Franciscan Health and a Life Fellow Member of both CHIME and HIMSS.

We began Episode 7 with Mr. Dimino briefly refreshing us on the unique challenges, risks, and threats associated with medical devices, and the burgeoning marketplace for cybersecurity tools to address them. The formidable obstacle in any major organizational initiative is often simply articulating a compelling case that lets executives and departmental management decide upon an actionable plan. The perception that cybersecurity drains funds is among the foremost detriments to one’s case for next-gen security tools. Adding his insight to the discussion, Mr. Christian comments, “At a lot of the places I’ve seen over time, medical organizations look at security as an expense that can be avoided, and that they can ‘roll the dice’ and accept the risk.”

Successfully persuading budget-conscious decision-makers requires recharacterizing device security as an investment rather than an expense; building value through not only avoiding costs in risk reserves and hedging, but recovering unrealized revenues by correcting operational inefficiencies as well.

Emphasizing integration capabilities is critical in building your case. Healthcare Delivery Organizations (HDOs) frequently have a patchwork of partial security solutions across varying departments. For instance, Healthcare Technology Management (HTM) or Biomed may have a Computerized Maintenance Management System (CMMS), IT manages a Configuration Management Database (CMDB), and the maintenance techs work out of a spreadsheet. With the right vendor, a Medical Device Security (MDS) or discovery and monitoring tool can be integrated into the existing enterprise architecture, and constructed into a unified, streamlined system that fills the gaps of under-connected personnel and departments, enhances the utility of existing security tools, and provides a centralized hub of organizational intelligence and coordination. More often than not, implementing a complete next-gen solution is not a scorched earth or start-from-scratch ordeal. Instead, it is identifying and inserting the missing piece of the medical device security puzzle.

Illustrating the numerous vectors from which returns on a security tool investment are expected is equally essential to its rationale. Mr. Christian and I examine some of the use cases Franciscan Health considered during the process of selecting an MDS tool. For example, workflow management reflects the potential for procedure data revealing OT capacity configurations that optimize device utilization. Fleet management attempts to quantify how granular network visibility produces superior intelligence for capital planning and lease-or-buy decisions. The microsegmentation use case estimates the value of HTM and IT labor, which in the absence of having to manually segment devices, can be assigned to other priorities.

A sincere thank you to all who attended this webinar series, the guests who contributed their invaluable expertise, and to CHIME for allowing me to design and host this series. All seven archived episodes of the Medical Device Security webinar series are available to stream for CHIME members or for purchase on store.ignitedigital.org.

I still remember vividly the day I met René Bonvanie at the very early stage of this company to get his feedback on our vision to make this connected device world a safe place. René emphasized the importance of keeping the mission super simple and offering a product that focuses only on one or at the maximum two key areas but with huge differentiation.

As we set out to bring “Ordr” to the world of all connected devices, our ambition, though daunting, was to catalog the world’s device information base. We are still focused on that mission to date as our crowdsourced library keeps growing, powered by our machine learning engine and data from our customers.

Little did we realize that this device data library with behavioral models we created using passive packet techniques could become so critical in offering incredible forensics to solve so many cybersecurity use cases. Today we are in a position to be able to offer unique insights into every device that is involved in an advanced attack. It has helped our customers detect and rapidly mitigate compromised devices very early in the kill chain during a ransomware attack. In one case, one of our customers detected the Conti ransomware 15 days before the IoCs were officially shared by the FBI and other threat intelligence teams.

Our next chapter in security unfolds with even more focus on the foundational technologies we built – to precisely profile each and every device in an organization, its risks and its behavioral interactions with other systems and servers. This is timely, as every organization today is facing the highest levels of cyberattacks.

In lockstep with our product development efforts, we are thrilled to have René Bonvanie join as Executive Chairman of the Ordr Board to add deep industry knowledge and operational experience in cybersecurity.

René brings more than 35 years of industry experience to Ordr and currently serves as an Executive in Residence at Battery Ventures. He previously worked for over ten years as Chief Marketing Officer of Palo Alto Networks.

Those of us who have been in the cybersecurity industry for many years have admired how he disrupted the firewall market at Palo Alto Networks. He also knows the connected device security market particularly well, having been part of the startup ecosystem in this space in the past. René joins us at a pivotal point in Ordr’s journey. With the alarming increase in cybercrime, organizations are looking not only for visibility and insights on connected devices, but a complete set of security features to protect and respond to cyberattacks. Ordr is well positioned to meet these needs, and René’s experience will be invaluable in accelerating our growth.

The executive team has been working closely with René and we know the company will benefit greatly from his strategic counsel and go-to-market expertise. Dominic Orr, Ordr’s Executive Chairman of the Board since 2019, will remain on our Board of Directors and continue working closely with the senior management team. We will continue to leverage Dom on an ongoing basis as our board member, coach, and mentor, tapping into his industry knowledge and years of wisdom building great companies.

October is Cybersecurity Awareness Month under the leadership of CISA and the National Cyber Security Alliance (NCSA). The goal is to continue to raise awareness about the importance of cybersecurity across our nation. This year’s theme is to be #cybersmart, as we all play a role in the security of our own “cyberspace”. Focusing on cybersecurity and being cybersmart can positively impact not only our lives, but also the organizations we work for and our nation.

To kick off cybersecurity awareness month, here are the five tips to be #cybersmart.

  1. Use a password manager – It’s important to have great password hygiene. This means making sure your passwords are hard to crack: each one should be long enough and combine uppercase and lowercase characters, numbers and special characters. You also don’t want to reuse passwords across accounts, so the best way to manage this is to use a password manager that will securely store all the passwords for your various accounts.
  2. Don’t use public hotspots – When you’re at the airport, your favorite coffee place or at the library, do you connect to the public Wi-Fi network? A safer option is to connect to your phone’s hotspot, or use a VPN. There are no guarantees that public Wi-Fi networks are secure. In fact, with the flaws discovered in WPA2, the encryption standard that secures modern Wi-Fi networks, attackers within range of vulnerable wireless access points can become a “man-in-the-middle”, intercepting passwords, emails and other sensitive data. In many cases, they can also inject malware into the sites that you’re visiting.
  3. Update your applications – Whether you’re on your mobile device or laptop, you’re probably running a number of key applications that will come with vulnerabilities. Enable automatic updates on your applications or make sure that you’re updating them regularly with patches. This includes browser updates such as Chrome or Safari.
  4. Use multi-factor authentication – Many applications offer multi-factor authentication. This means you’re required to validate your identity via two or more credentials. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint or faceID). Your credentials must come from two different categories to enhance security. You can add an extra layer of defense to your accounts by enabling multi-factor authentication.
  5. Beware of phishing scams – One of the most common delivery systems for malware is phishing: attachments that come to you in an email, masquerading as a file you should trust. Once they’re downloaded and opened, they can take over your computer. Avoid clicking on links from people you don’t know, or on links in email messages with grammatical errors and details that don’t make sense. Some phishing scams are very targeted, so beware of oversharing sensitive information on social media that would make it easy for hackers to target you.

Continuing an ongoing theme explored throughout the CHIME Medical Device Security webinar series, the central subject of Episode 6’s discussion and analysis was the necessity of device monitoring and discovery tools (aka medical device security or MDS) and a computerized maintenance management system (CMMS) to adequately protect a clinical network from the serious threats that are now a reality faced by managers of critical infrastructure across countless industries.

Either tool on its own is only a partial solution, and a true next-gen technological approach is an integration of both into a unified system.

Mayo Clinic has been pioneering exactly such a solution in its HTM Cybersecurity Program. Today, I was joined by two pivotal members of HTM leadership at Mayo Clinic.

  • Keith Whitby, MBA, CHTM, is the Healthcare Technology Management Section Head and has 20 years of IT and HTM service experience.
  • Kurt Griggs, CRISC, CISA, MCSE is a Senior Manager of HTM and has over 28 years of experience in IT and IS risk management and information security.

Previously in Episodes 4 and 5, we discussed Mayo’s selected vendors of both tools, Ordr and Nuvolo respectively. Today our discussion turned to the finer details of their integration in the live environment.

“A true next-gen technological approach is an integration of tools into a unified system”

As thoroughly explored in previous episodes, Mr. Whitby starts by summarizing the inherent risks of medical devices:

  • Dispersal of ePHI
  • Low granular visibility amongst all IoT
  • Inventory challenges
  • Coordinating IT and HTM remediation responses
  • Real-time incident identification
  • Diverse hardware and software specifications
  • Extended lifecycles of high-capital legacy devices.

At the outset of Mayo’s journey to build a comprehensive solution to these problems, the first step was constructing a framework for the project’s objectives and guiding doctrine of security. Mr. Griggs elaborated on the influences of the Program’s foundational thesis, which includes the NIST Cybersecurity Framework, and the AAMI publications Medical Device Cybersecurity: A Guide for HTM Professionals and Technical Information Report 57: Principles for Medical Device Security – Risk Management.

Having completed the MDS and CMMS vendor selection, installation in facilities, integration and incorporation into the overarching enterprise information system, Mayo entered the most exhaustive and prolonged phase of implementation: the gradual refinement of the technology itself and of organizational processes and procedures through careful analysis of feedback and intelligence. A core concept of the Program is the Security Lifecycle Profiles (SLPs), defined by Mr. Griggs as “living profiles” of devices. Mayo committed to fully leveraging the capabilities of the solution from the start, and the fully automated, dynamic, and real-time device records and analytics of SLPs are a testament to that steadfast persistence in recalibrating the system until its operationalization capabilities are completely optimized. For an investment of this scale, and for the scale of the risks it mitigates, it is essential that the HDO recognize the vast potential left unrealized by taking half-measures and making compromises. I feel like “Mayo is living the standards that have yet to be set.”

“Mayo is living the Medical Device Security standards that have yet to be set.”

Be sure to attend the conclusion of the 7-part CHIME Medical Device Security Webinar series, A Business Case for Next Gen Medical Device Solutions. If you missed an episode, you can view my recap here and register for the entire series.