The HIMSS 2023 conference kicks off this week in Chicago, Illinois, running from April 17 to April 21, 2023. This year’s themes are “Health that connects” and “Tech that cares”. We’re excited to be sharing best practices on securing connected devices in healthcare, implementing Zero Trust segmentation and accelerating medical device security programs. You won’t want to miss hearing directly from our customers, including J.D. Whitlock, CIO of Dayton Children’s, and Keith Whitby, Division Chair, HTM, from Mayo Clinic, in our speaking sessions. We also have a lot of partner activities. Check out everything we’re doing at HIMSS here.

Connect with Us

Join us for demos and discussions with our product experts at our Booth #4333. Book a 1-1 meeting for a deep dive into how we address critical use cases. Attend our speaking sessions.

Accelerating Your Medical Device Security Program

  • Speakers: Keith Whitby, Division Chair, HTM, Mayo Clinic and Jim Hyman, CEO, Ordr
  • When: Wednesday, April 19, 2023, 11:30 am CDT
  • Where: McCormick Center, South Building, Level 1, S105 C

This session is one of eighteen HIMSS CXO Experience endorsed sessions, and one of fourteen sessions that are a part of the HIMSS 23 Digital Health Transformation Series.

Zero Trust in Healthcare is Not an All Or Nothing Option

  • Speaker: Danelle Au, CMO, Ordr
  • When: Monday, April 17, 2023, 10:30 am CDT
  • Where: McCormick Center, South Building, Level 1, S102

Practical Approach to Securing Every Connected Device in Healthcare

  • Speaker: Darrell Kesti, VP Sales, Ordr
  • When: Tuesday, April 18, 2023, 1:15 pm CDT
  • Where: McCormick Center, South Building, Level 2, Hall A, Booth 4309-4333, Cybersecurity Command Center – Theater B

Better Together With Ordr and Our Partners

As an industry, and particularly in a highly targeted vertical like healthcare, we are stronger and better together when we collaborate. We are proud to work with so many healthcare, networking and security partners. See first-hand our strong partner integrations with Cisco, Cisco Meraki, ServiceNow, Fortinet, and others at HIMSS:

Cisco:

  • Check out Ordr and Cisco Integrations at the Security Workstation in Cisco (Booth 2225) from April 18-20th in the afternoons
  • Attend our Fireside Chat with CIO J.D. Whitlock on Zero Trust on Tuesday, April 18th
  • An Ordr and Cisco “Happy Hour” will be held in the booth at 4:00 pm CDT immediately following this fireside chat.

Sodexo:

Sodexo will feature their HTM Cybersecurity managed services powered by Ordr on April 18th, 2023 from 2:30 – 3:30 pm CDT (Booth 8315)

GE HealthCare:

GE HealthCare will feature their ReadySee services offering powered by Ordr (Booth 1712)

ServiceNow:

  • Participate in our ServiceNow partner Bingo Card that will include a visit to the Ordr Booth
  • Attend our speaking session on our integration – “Maintain an Accurate, Real-time Asset Inventory with Ordr and ServiceNow”
    • Speaker: Srinivas Loke, VP Product Management, Ordr
    • When: Wednesday, April 19, 2023, 4:00 pm CDT
    • Where: McCormick Center, ServiceNow Booth 3609

CrowdStrike:

Visit an Ordr demo station to see the CrowdStrike and Ordr integration up close at Booth #4332

We can’t wait to see you in person!


The “shared responsibility” philosophy for improving cybersecurity is becoming a worldwide phenomenon. It was woven throughout the U.S. National Cybersecurity Strategy issued by the White House in early March, and later that month the UK also announced its plan to improve cybersecurity for the country’s National Health Service (NHS).

On March 22, the UK government announced it will draft a six-year plan to “promote cyber resilience across the health and care sectors by 2030, protecting both services and patients.” That plan will build on five pillars for reducing the risk and impact of cyberattacks on healthcare organizations, while also improving recovery and resiliency should an attack succeed. Those pillars include:

  • Identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function.
  • Uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimizing disruption.
  • Building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognized, and relevant cyber basics training is offered to the general workforce.
  • Embedding security into the framework of emerging technology to better protect it against cyber threats.
  • Supporting every health and care organization to minimize the impact and recovery time of a cyber incident.

Faster Response, Minimized Disruption

The second of the five pillars is notable to us because it calls for “uniting” the healthcare sector in an effort to combine resources and expertise to “enable faster responses and minimize disruption.” At a macro level that is a critical capability for hardening the networks of organizations connected through extensive digital supply chains. At the individual level it is vital for an NHS Trust to approach cybersecurity from a “whole hospital” perspective, recognizing that, with IT systems operating on the same infrastructure as the operational technologies (OT) that run the hospital operations, and alongside the sophisticated connected medical devices (Internet of Medical Things) integral to delivering a high quality of healthcare to patients, a vulnerability anywhere in the network puts the entire Trust at risk.

“This new strategy will be instrumental to ensure every organization in health and adult social care is set up to meet the challenges of the future.” — Health Minister Lord Markham

Protecting 1.7 Million Devices

The announcement points out that there are more than 1.7 million devices operating within NHS Trust networks, and that the strategy seeks to monitor each for suspicious activity that could indicate an attack or active threat. That’s wise, and an eminently achievable goal. In fact, many Trusts in the NHS system currently use the Ordr platform to discover, monitor, and protect the hundreds or thousands of Internet of Medical Things (IoMT) devices that populate their networks for the delivery of patient care.

When the full NHS cybersecurity strategy is published later this year, Ordr is confident that our customers will be prepared to meet whatever standards are set as they pertain to protecting connected devices. And as the CISOs and other leaders in those Trusts have already demonstrated a desire to work toward a Zero Trust security posture, there is no doubt they will establish themselves as cybersecurity exemplars for their peer Trusts.

Ordr is also actively working with NHS Trusts to comply with the NHS Data Security Protection Toolkit (DSPT) and ensure the security and privacy of data shared within the NHS system. Contact us for more information about how we can protect the connected devices in your network.


Binding Operational Directive 23-01 can help close a government security gap

 

The Cybersecurity & Infrastructure Security Agency (CISA) recently issued an advisory on a dozen new exploits and vulnerabilities affecting industrial control systems (ICS) from nine different manufacturers. The warning is the latest in a growing body of evidence that critical public infrastructure–things like the power grid, transportation systems and facilities, government buildings, and public safety organizations–will soon become the primary target of threat actors in an escalation of attacks against national economic interests. In fact, some observers believe a shift in strategies in the war between Russia and Ukraine is proof that such an escalation is well underway.

It’s hard to argue that threat actors are not becoming increasingly aggressive and willing to attack targets, even when there might be a human cost. Hospitals and healthcare services providers have seen a sharp increase in attacks over the last three years, and research suggests those attacks are associated with an increase in patient mortality. Even the U.S. Federal Reserve warns that attacks on industrial enterprises and infrastructure could impede economic activity and seriously undermine confidence and stability in national financial systems.

Setting a Good Example

And so, as attention turns toward the hardening of private and public infrastructure against cyberattacks, leaders in Washington, D.C. are trying to set a positive example by updating their own security policies. When the White House issued the Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021, it established the foundation for the government’s strategy to address the protection of a sprawling and complex federal IT infrastructure comprising hundreds of different agencies. Then in early March this year the White House published its National Cybersecurity Strategy to bring the issue into sharper focus.

But the work toward improving the federal government’s readiness and resilience against cyberthreats was underway before the release of the National Cybersecurity Strategy. In October of 2022 the Cybersecurity & Infrastructure Security Agency (CISA) took a big step forward when it issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks.

Connected Device Visibility is Critical

BOD 23-01, which had a deadline of April 3, 2023, requires all federal civilian executive branch (FCEB) agencies to establish the means for effecting “continuous and comprehensive asset visibility” as a first step in assessing and monitoring cyber risk. CISA did not identify penalties for missing the April 3 deadline, but there are ongoing reporting and improvement timelines to ensure asset inventories are up-to-date. The philosophy behind the directive is sound. Today’s IT estates are complex and include thousands of components operating on-premises and in the cloud: servers, routers, switches, software, applications, services, and all kinds of devices, many of which are practically invisible to traditional IT management systems.

This is especially true for connected devices, including the Internet of Things (IoT), Internet of Medical Things (IoMT), operational technology (OT), and more. And what BOD 23-01 does is acknowledge that, without a complete accounting of every single device that connects to the enterprise—expected or unexpected, and for however long it remains connected—each is a potential vector for attack. Also, when connected assets are unaccounted for, an organization’s configuration management database (CMDB) will be inaccurate, leading to other IT operations and security issues that can put the enterprise at risk. Ordr’s experience with connected device discovery illustrates the wide variety of unexpected devices that can be found operating in some enterprises alongside mission-critical equipment. Vending machines and building controls, Tesla cars and Kegerators, Alexas and Pelotons, all connected to the network and communicating out to the Internet, unmanaged and unknown to IT operations and security.

See IT, Protect IT

You can’t protect what you can’t see, and so device discovery, visibility, and monitoring are vital to maintaining security at a high level. Ordr is not only able to discover and monitor these devices in real-time, but the extensive Ordr Data Lake contains detailed profiles of millions of IoT, IoMT, and OT devices, identifying their purpose and operational profile. That enables security teams to identify devices with vulnerabilities, establish a risk score for every device operating in the network, detect when devices exhibit indicators of compromise, and automate policy creation to accelerate response and prevent attacks targeting connected devices or prevent lateral movement. These capabilities support BOD 23-01’s objective to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities… an important step to address current visibility challenges at the component, agency, and [federal civilian executive branch] enterprise level.”

It’s good that the U.S. federal government recognizes that maximizing the effectiveness of a cybersecurity program demands a full accounting of every device operating in the network. That is the foundational tenet of Ordr’s mission, and it has been embraced by our customers, including many of the world’s largest healthcare, financial, and manufacturing organizations. Our customers in the federal government had a head start on meeting (and likely exceeding) requirements ahead of CISA’s April 3 deadline.

If your agency or organization recognizes that it has blind spots it needs to address to take a full inventory of every device it has connected to its network, give us a call. We can run a demonstration that can show you every connected device on the network. And with a complete accounting of your connected assets, you can build a plan to see, know, and secure your enterprise.


Before medical device manufacturers are able to release a product to market, they are subject to Food and Drug Administration (FDA) reviews to evaluate the safety and effectiveness of these devices. Since 2014, those evaluations have included medical device security guidance, with a subsequent update in 2018. Now, with the explosive growth of connected devices used by hospitals and healthcare providers and a growing number of cyberattacks that have crippled healthcare services, the FDA recently released draft guidelines requiring that devices comprising the Internet of Medical Things (IoMT) meet more stringent cybersecurity standards.  

“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” is a 45-page document that deals with security design, vulnerability disclosures, Software Bill of Materials (SBOMs), and other documentation requirements that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval.

In general, this is a step in the right direction for the FDA. Security needs to be built into the design of medical devices. At the same time, because medical devices have longer lifecycles than typical IT devices, it may be years before new devices falling under this new guidance are deployed. Because of the risks inherent with existing medical devices, healthcare organizations need to take action to secure legacy devices now.

What Is Included in the FDA Guidance for Medical Devices? 

New medical device applicants are advised to submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits.” 

 They are also asked to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” This includes making patches available “on a reasonably justified regular cycle,” and for newfound critical vulnerabilities, “as soon as possible out of cycle.” 

Finally, manufacturers must provide the FDA with “a Software Bill of Materials,” including any open-source or other software their devices use. This is one of the new changes in the FDA guidance: a complete SBOM requirement instead of a Cybersecurity Bill of Materials (CBOM), as outlined in the 2018 guidance.

Note that even with a manufacturer-provided SBOM, when a zero-day vulnerability like Log4J or OpenSSL is discovered, it is almost impossible to find out the real composition of the packages and the dependent libraries that were pulled into each package when the software was built and shipped. Sometimes, the manufacturer may have customized and configured functionality, and those additional details aren’t released.

Therefore, as the FDA determines the format for manufacturer SBOMs, it is important to ensure that these SBOM declarations are detailed enough to include every library that is included in the build. With this FDA mandate, if manufacturers release an SBOM that is accurate and complete, along with configuration settings, Ordr (and our vulnerability matching engine) can immediately assess the risk of these vulnerabilities and understand the exposure and exploitability.
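To make the completeness point concrete, the following added example (not Ordr's code or matching engine) checks two constructed CycloneDX-style SBOMs against a placeholder advisory for a vulnerable logging library. The device names, component names, versions and the advisory `EXAMPLE-ADVISORY-1` are assumptions invented for illustration; only the `components`, `dependencies`, `ref` and `dependsOn` field names follow the CycloneDX JSON layout.

```python
from collections import deque

# Constructed CycloneDX-style SBOMs (already parsed from JSON); device and
# component names and versions are invented for illustration.
SBOM_COMPLETE = {
    "metadata": {"component": {"bom-ref": "fw", "name": "infusion-pump-fw", "version": "4.2"}},
    "components": [
        {"bom-ref": "a", "name": "device-gateway", "version": "1.8.0"},
        {"bom-ref": "b", "name": "audit-logger", "version": "0.9.3"},
        {"bom-ref": "c", "name": "log4j-core", "version": "2.14.1"},
    ],
    "dependencies": [
        {"ref": "fw", "dependsOn": ["a"]},
        {"ref": "a", "dependsOn": ["b"]},
        {"ref": "b", "dependsOn": ["c"]},
        {"ref": "c", "dependsOn": []},  # explicitly declares "no dependencies"
    ],
}
# Same gateway package, but the manufacturer listed only the top-level component.
SBOM_TOP_LEVEL_ONLY = {
    "metadata": {"component": {"bom-ref": "fw", "name": "patient-monitor-fw", "version": "7.0"}},
    "components": [{"bom-ref": "a", "name": "device-gateway", "version": "1.8.0"}],
}
# Placeholder advisory; the affected version set is constructed, not a real feed.
ADVISORY = {"id": "EXAMPLE-ADVISORY-1", "name": "log4j-core", "affected": {"2.14.0", "2.14.1"}}


def label(component):
    return f"{component['name']}@{component['version']}"


def dependency_path(graph, comps, root, target):
    """Breadth-first search for the shortest root -> target chain."""
    prev, queue = {root: None}, deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in prev:
                prev[child] = node
                queue.append(child)
    if target not in prev:  # listed as a component but not linked in the graph
        return [label(comps[target])]
    path, node = [], target
    while node is not None:
        path.append(label(comps[node]))
        node = prev[node]
    return path[::-1]


def assess(sbom, advisory):
    """Return 'affected', 'not_affected', or 'unknown' for one device SBOM."""
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    comps[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    hits = [ref for ref, c in comps.items()
            if c["name"] == advisory["name"] and c["version"] in advisory["affected"]]
    if hits:
        paths = [dependency_path(graph, comps, root["bom-ref"], h) for h in hits]
        return {"device": root["name"], "status": "affected", "paths": paths}
    # A component absent from the dependency graph has undeclared (unknown)
    # dependencies, so a clean result cannot be trusted as "not affected".
    undeclared = sorted(c["name"] for ref, c in comps.items() if ref not in graph)
    status = "unknown" if undeclared else "not_affected"
    return {"device": root["name"], "status": status, "undeclared": undeclared}


if __name__ == "__main__":
    for sbom in (SBOM_COMPLETE, SBOM_TOP_LEVEL_ONLY):
        print(assess(sbom, ADVISORY))
```

The second device ships the same gateway package, yet its top-level-only SBOM yields `unknown` rather than a match, which is the gap a complete declaration closes.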

When Does This Mandate Take Effect?  

The new security requirements came into effect when the $1.7 trillion federal omnibus spending bill (the 2023 Consolidated Appropriations Act) was signed by President Joe Biden on December 29, 2022.  

Section 3305 of the spending bill — “Ensuring cybersecurity of medical devices”— is an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect 90 days after the Act became law, and with its new authority, the FDA has given manufacturers six months — until Oct. 1, 2023 — to comply with the new regulations. The new law also requires the FDA to update its medical device cybersecurity guidance at least every two years. 

How Can Ordr Help with This Mandate? What About Existing Medical Devices?  

 Security of medical devices is a shared responsibility. While the FDA mandate can ensure security for a device before it is released to the market, the day-to-day management and security of devices post FDA approvals is the responsibility of healthcare providers and requires a solution like Ordr.  Ordr not only maintains an accurate device inventory and monitors devices for vulnerabilities and threats but also delivers device utilization details to optimize operations. 

 In addition, medical devices are expensive, and a complete upgrade to new devices that adhere to the new guidelines is not operationally feasible or cost effective. Ordr can ensure existing devices (pre-2022 devices) or devices with outdated operating systems in the network can be secured via Zero Trust segmentation policies to restrict access and communications to only enable access required for their role.  

 We recommend the following approach to secure every connected device. Download our Maturity Guide for connected device security for more details:   

  • See every device: You can’t protect what you don’t know about. Security starts with real-time, granular visibility of every device connected to your network and how those devices communicate within your environment and externally to the Internet. Every connected device in the hospital including IoMT, IoT, and operational technology (OT), plays a role in either patient care or hospital operations. Ultimately, the security of every device in the hospital can impact hospital services and patient safety, therefore real-time visibility into every device is essential.  

With regard to the new 2022 FDA mandate, Ordr can ingest SBOMs as manufacturers make them available, to enable easy visibility across the entire organization. Ordr Software Inventory Collector can complement manufacturer SBOMs by identifying applications for devices running Windows, iOS, and Linux operating systems.  

  • Know your attack surface: The attack surface for healthcare organizations can range widely. Organizations need to be able to identify the following risks within their connected devices:
    • Vulnerabilities – CVEs need to be prioritized and patched. Ordr offers full lifecycle vulnerability management capabilities to identify these vulnerabilities, prioritize them based on impact to a hospital (i.e., clinical risk), track and tag them for appropriate remediation workflows, and generate reports on them. Ordr also integrates with CMMS and CMDB tools to enrich their view of vulnerabilities, and with ITSM systems to create tickets and manage workflows for remediation.
    • FDA or manufacturing recalls – To meet compliance requirements, it is important to identify devices that have been recalled either by the FDA or manufacturers. Ordr integrates with FDA and manufacturing databases to provide insights and help hospitals identify impacted devices. 
    • Exploits and active threats – To protect healthcare organizations from active threats, Ordr offers an integrated intrusion detection system (IDS) that can inspect east-west and north-south device communications for active threats. Devices that are impacted by top security issues such as OpenSSL, Log4J, SolarWinds, and Conti are highlighted in a unique security category in the Ordr dashboard for easy analysis.
    • Anomalous behavior – Unlike most IT systems and software, medical devices, and many IoT and OT devices have deterministic functions. Ordr uses machine learning (ML) to baseline normal behavior for every device. From that baseline Ordr identifies deviations which can be an indication of attack or compromise including zero-day activity. In addition, Ordr can dynamically create policy to help ensure a rapid response enabling teams to contain and stop an attack. 
    • Track who is using your devices – By tracking and associating devices to users, Ordr can identify compromised devices and potential account misuse. 
  • Reacting to Zero Day events: By ingesting SBOMs and utilizing Ordr’s Software Inventory Collector, organizations can react quicker to Zero Day events. There is no need to wait for manufacturers to determine if devices are running a vulnerable application. Ordr correlates all the application information from both SBOM and Software Inventory Collector into one searchable database. 
  • Secure with automated policies:  
    • During an incident, quickly prevent lateral movement by pinpointing compromised devices and creating policies to quarantine the device, block ports or terminate sessions. 
    • Implement Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operations by allowing only “normal communications” required for its function, while limiting exposure. 
    • When a new IoC (indicator of compromise) is announced, identify whether a device communicated with the malicious domain in the past 365 days.  

The Ordr platform is trusted by the world’s leading healthcare delivery organizations. Schedule a demo with our product experts to see how we can secure your connected devices.