
What a year it has been. Looking back there were plenty of surprises, but much to celebrate, be grateful for, proud of, and to leave us with ample optimism for the year to come. We’ll make our resolutions on January 1st, and have offered our opinions on what might transpire in 2023 elsewhere. But for now, let’s review the last twelve months and take in all that we accomplished as an organization–every member of the Ordr team together with our partners, customers, and advisors.

For starters, despite economic friction remaining from the pandemic and the headwinds of inflation and recession, the Ordr team scored many new customer wins, including many large enterprises representing every industrial sector. The message that organizations need to secure their growing inventory of connected devices is spreading, and Ordr stands head-and-shoulders above all other solutions in meeting that need. Among our many representative new customers earned during 2022 were:

  • Large pharmaceuticals companies;
  • Major children’s hospitals;
  • A multinational financial institution;
  • One of the largest U.S. federal agencies;
  • Global industrial and high tech manufacturers;
  • U.S. and UK universities; and,
  • Many healthcare services providers throughout the U.S., Canada, and Europe.

Wins like these don’t happen without a lot of hard work. And as it has been since our founding, the Ordr team put in a lot of hard work during 2022 to build on past successes and execute against a goal of continuous improvement.

Bringing the Power of Personalization to HTM Teams

In March we launched Clinical Defender to enable Healthcare Technology Management (HTM) teams to manage their connected medical devices more efficiently and accurately in the face of an explosion of IoT and IoMT deployments in healthcare environments. As many as 20% of connected devices operating in healthcare organizations are unaccounted for. Clinical Defender closes that visibility gap while providing focused, actionable, and accurate HTM insights and workflows, so HTM and clinical engineering teams can:

  • Access a dedicated dashboard for simplifying HTM workflows and address specific use cases;
  • Automate real-time asset inventory without impacting device operations;
  • Address compliance by identifying missing, newly connected, or misplaced devices;
  • Mitigate risks by identifying devices with vulnerabilities, recalls, and outdated operating systems;
  • Accelerate remediation efforts for devices with clinical risks; and,
  • Save millions of dollars by optimizing device utilization.

Then in August we released Clinical Defender 8.1, adding the Ordr Software Inventory Collector and integrations with CrowdStrike and CrowdStrike Humio. These make it easy for Clinical Defender to gather contextual information from connected devices and to share it with security teams defending the healthcare enterprise.

Expanding Our Partner Network, Embracing the Technology Ecosystem

In May Ordr announced expanded technology integrations with our long-time partner Cisco, making Ordr available as a hosted application on Cisco Catalyst 9000 series switches. The integration brings Ordr’s visibility, insights, and security for connected devices to every environment using the Catalyst 9000 product family, and extends Ordr’s existing integrations with Cisco Meraki, Cisco Identity Services Engine (ISE), Cisco Software-Defined Access (SDA), and Cisco TrustSec.

“Ordr is a great purpose-built product that delivers exactly what they promise it will. It’s easy to work with and easy to maintain.” Network Engineer, healthcare and biotech industry.

Our partner relationships expanded further through new technology integrations with Arista, AWS, BigFix, Cisco Prime, CrowdStrike, Microsoft, Qualys, Rapid7, ServiceNow, and Tenable, as well as support for osquery, bringing the Ordr Data Lake to more than 80 integrations. Together, these new integrations deliver stronger “ground to cloud” visibility, device management, and security capabilities for our customers by giving them a richer, more contextual understanding of their connected device operations.

And then in November we added Sodexo Healthcare Technology Management to our partner network. The Ordr-Sodexo relationship delivers a people, process, and technology solution combining Sodexo Managed HTM Cybersecurity services with the Ordr platform. By combining the strengths of Ordr’s connected device security platform with Sodexo’s healthcare technology management services expertise, HTM teams can more easily identify threats and mitigate risks to their enterprises by securing all connected healthcare devices.

Enhanced Device Management, Security, and Segmentation

In November we also published our healthcare connected device maturity model entitled A Practical Guide: Implementing Connected Device Security for Healthcare Organizations. The guide outlines five stages of an effective connected device security program and strategies to achieve and maintain a Zero Trust security posture for healthcare organizations beleaguered by a relentless onslaught of cyberattacks. These stages include:

  • Gaining Full Asset Visibility Across Infrastructures;
  • Acquiring Vulnerability and Risk Management Insights;
  • Achieving Reactive Security Capabilities;
  • Evolving to a Proactive Security Posture; and,
  • Maintaining Optimized, Zero Trust Security Operations.

Ultimately our product improvements and partner relationships mean nothing if they don’t translate to greater connected device management and security capabilities for our customers. Our mission to help organizations See, Know, and Secure their entire connected device inventory and maintain a Zero Trust security posture was evinced throughout the year when we stepped up to help our customers identify and protect their devices from new threats like the Log4j and OpenSSL vulnerabilities, rogue device communications to risky foreign locations, malware variants like Maui Ransomware, and other threats to connected devices and the organizations that rely on them.

“Overall, we have a great experience with the Ordr system where our IoT and IoMT devices are well detected and inspected for inventory and vulnerability purposes.” Manager, IT Security and Risk Management, healthcare and biotech

Ordr’s Journey of Growth Continued

Finally, it’s worth noting that every move we make is part of a strategy to grow Ordr into a strong, stand-alone technology leader that our customers know they can trust for years to come. That position as a market leader was reaffirmed during 2022 by respected organizations like KLAS Research, who named Ordr a healthcare IoT security leader for an unprecedented third year in a row, and IDC, who named Ordr a top innovator in healthcare security technology.

Our success and growth to date allowed us to attract another $40 million in new, C-round capital investments in June. Those funds are already at work building our organization through new hires and research and development, including the award of four new patents in October. Those patents are associated with processes for addressing unique challenges to securing connected devices, including the way we profile new devices, as well as innovations that make it easier for organizations to use our technology.

And as we continued to add human capital, among the many new faces Ordr welcomed to its roster was our new CEO, Jim Hyman, who took over the office formerly occupied by Greg Murphy during the last four years of incredible growth and success. Greg remains an integral part of the Ordr family operating as an advisor to the company. His hard work left Jim an organization well-positioned for future growth and success.

New Year, New Opportunities

2022 was a big year for Ordr during which we achieved many important milestones. We look forward to helping even more organizations protect their networks from the increasing threats to their connected devices next year and beyond. After all, we are well-positioned to continue capitalizing on our unparalleled ability to secure the huge and growing number of healthcare and industrial IoT deployments.

“Deployment was easy; once running, we immediately got visibility. Support is great and helpful in tuning the system, and upgrades have been painless. Ordr has aided us in identifying unwanted devices and remediation activities; the behavior violation alerts position us to drive investigations based on known good traffic.” Director, IT Security and Risk Management, healthcare and biotech

As always, Ordr is here to make a major difference improving the way security controls are implemented, even as enterprises grow more complex. We are eager to meet whatever challenges 2023 has in store with confidence in our mission and clarity in our vision.


Ordr Covers Your Assets with Real-Time Asset Inventory Management

Ordr is a unique and powerful platform because it addresses a wide range of visibility and security use cases for connected devices. In this series of blogs we’ll cover use cases that are top of mind for security, networking, and device owners, starting with asset inventory and management.

In conversation with CISOs and CIOs, we consistently hear the same challenges when it comes to Internet of Things (IoT), Internet of Medical Things (IoMT), operational technology (OT), and other connected devices:

  1. Maintaining an up to date inventory of connected devices
  2. Finding connected devices that are not included in inventory
  3. Including device details that are critical for device management and security

The lack of a complete connected device inventory leaves teams guessing when it comes to managing devices and creates big gaps resulting in unknown risk when it comes to security. Whether you’re in IT ops struggling to keep up with the constant barrage of new devices, a security pro challenged to understand and mitigate risks, or a biomed engineer in healthcare tasked with managing device deployments, updates, and usage, connected device growth presents unique challenges across your organization.

Juniper Research estimates we’ll see more than 83 billion devices deployed by 2024, a 130 percent increase from the 36 billion in use today. With this and similar growth estimates, we’re faced with the reality that IT and security challenges will continue to expand as the volume and variety of connected devices grows.

Unique Challenges of Connected Devices

Compiling and maintaining an inventory of connected devices that is up to date with all the required details is challenging due to several factors, including the number and diversity of devices, improper procurement processes, remote users, and locations behind VPNs. In addition, many connected devices are not only unmanaged but unmanageable since they do not or cannot support agents, and scanning these devices is not always an option for fear of service impact. These factors mean traditional methods aren’t an option for device discovery.

The sheer volume, variability, and mobility of connected devices means inventory and status of devices is constantly changing. Relying on manual efforts or periodic snapshots of the network to maintain a device inventory comes with an almost certain risk of inaccuracy. You need to be able to discover and track your complete asset inventory, including unmanaged devices, and you need to be able to do it in real-time.


Procurement processes that aren’t aligned with IT and security add to these challenges since they can introduce devices to an environment without being properly onboarded. This results in the potential for more unknown devices on the network, some of which may not meet organizational standards for management and security. In this category are devices that are added by individuals or teams that purchase them outside of organizational protocols. In the case of healthcare it can include vendors that work directly with physicians and drop off devices for evaluation.

Remote users, and locations behind VPNs provide additional challenges. You have less insight and control over devices being connected from users working from home. IP addresses from devices connecting over VPN can change rapidly making it difficult to ensure all connected devices are properly captured in inventory.

How Ordr Helps

Ordr addresses connected device challenges with deep packet inspection (DPI), artificial intelligence (AI), and machine learning (ML) to enable a real-time asset inventory that’s accurate and always up to date. By analyzing network data, we automatically discover every device connected to the network without the need for agents and without impact to device operations. We also accurately classify every device with details such as make, model, operating system, serial number, application/port usage, and location.

Device details are sent to the Ordr Data Lake and enriched through more than 80 integrations to form a granular and complete profile of every device in the environment. Enrichment includes data from vulnerability and threat feeds, manufacturer and FDA recalls, IT tools that help track IP address changes and user logins, and more.


With Ordr, teams not only know what’s on the network but can also identify risks such as devices with an outdated operating system, unauthorized applications, vulnerabilities, or recalls. Ordr also helps identify devices with weak passwords or certificates, and those exhibiting risky behavior that might indicate an active threat. This detail, combined with other insights from Ordr, is used to calculate a risk score for each device and help teams prioritize remediation tasks such as patching and mitigation efforts like quarantining or microsegmentation.

Ordr also integrates with existing CMMS or CMDB tools to enrich details for devices that already exist in inventory, and fill in the blanks with details for devices that were missing. With Ordr, you’ll create a single source of truth for all your connected devices that is always up-to-date and accurate. With that foundation, you can start to wrap your arms around the other unique challenges associated with managing and securing connected devices. In a future post, we’ll cover more on Ordr capabilities beyond asset management.

If you’d like to get a handle on your connected device asset inventory get in touch with us to learn more.


Revelations by former Twitter cybersecurity chief-turned-whistleblower Peiter “Mudge” Zatko had tongues wagging across the industry Tuesday morning. Articles by CNN and the Washington Post included details from a 200-page letter Zatko sent to Congress, the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Department of Justice (DOJ) detailing claims of poor security practices and management by the social media giant. Zatko alleges Twitter’s security program is rife with bad practice, vulnerable devices, and executive apathy in violation of privacy and security assurances it made to regulators following a major data breach in 2020.

According to CNN, one of the concerning allegations is that, “About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors.” The report also claims that, of the computers employees use for work—including accessing sensitive production environments—“4 in 10 devices do not meet basic security standards.”

Peiter “Mudge” Zatko (CNN photo)

Twitter denies Zatko’s accusations and told CNN in a written statement, “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”

Device Vulnerability is an Unavoidable Reality

Whatever the outcome of any subsequent investigation, the situation described by Zatko might have many CISOs sleeping fitfully tonight, because an environment populated by vulnerable devices is more common than many will publicly admit. And it doesn’t mean that the tech and security leaders in those organizations are derelict in their duties. Often, running such at-risk gear is an unavoidable necessity.

Industrial IT environments frequently include state-of-the-art IoT (internet of things) technology on the same network as equipment and operational technology (OT) that is decades old, running with obsolete operating systems and unsupported software. Such devices were not built to be secure because they were never intended to be connected to the public internet.

In healthcare organizations the challenges are even greater. Many connected medical devices in the realm of what is known as the internet of medical things (IoMT) must remain in service for the sake of patient safety, even if those devices are known to exhibit vulnerabilities. And because of FDA regulations intended to maintain a device’s operational integrity, typical patch management practices cannot be followed when vulnerabilities are discovered.

While Zatko claims that half of the servers behind Twitter’s operations are vulnerable, in healthcare the problem may be worse. Security researchers recently found that as many as 75% of the 200,000 medical devices they studied contained security flaws that make them vulnerable to exploitation by threat actors. That is why hospitals and healthcare providers around the world are turning to Ordr.

Unknown, Unseen, Unmanaged

Compounding the challenge for cybersecurity leaders is that many of these devices are unmanaged and may operate outside the view of IT management. That adds up to potentially thousands of IoT devices, building controls, security equipment, consumer-grade tech, and other unknown, unseen, and unsecured devices operating at risk on the network. The result is critical healthcare, manufacturing, and public and commercial infrastructure environments with an enormous attack surface and, using legacy tools and traditional strategies, no way to understand the scale of the risk and secure the enterprise. Fortunately, there is a solution to close this gap.

The Ordr platform passively observes enterprise network traffic to discover and classify all the devices that are connected, including medical devices, operational technology, building controls, traditional IT systems, and more. Within minutes of deployment, Ordr provides full, real-time visibility of the IoT, IoMT, OT, and other connected devices that make up the organization’s complete asset inventory, as well as how the devices are connected and what other systems they are communicating with.

Ordr has You Covered

Ordr identifies risks for every device via an integrated threat detection engine, threat intelligence feeds, and continuously enriched device profiles within the Ordr Data Lake. Ordr also monitors and compares device activity against a baseline of “normal,” good behavior. Because connected devices are largely deterministic, and therefore should operate within specific, narrow parameters based on their function, abnormal behaviors that may be indicative of a cyberattack are easier to identify. Any suspicious behavior or unexpected communication pattern triggers an automated alert. When that happens, Ordr can dynamically generate Zero Trust security policies to contain an attack while keeping mission-critical devices in service.

Read more about the award-winning Ordr connected device security platform, here, or contact us with any questions you may have about how we can help you secure your enterprise environment.


Ordr has one of the most robust channel partner programs in the market, and I often meet with our partners to understand not only what opportunities they’re working on, but also address any questions they have about our products.

In a conversation with Steven Dastoor of CITON recently, we spoke about the convergence of IT and OT environments, and how it was important to have visibility and security for IT (IoT) and OT devices. The Colonial Pipeline attack demonstrated that the security of IT systems is just as important as OT, because when your billing system goes down, your business operations are impacted even if the ransomware did not hit the OT systems.

We discussed best practices and specifically the recommendations outlined in the September 2020 Microsoft Digital Defense Report on securing IoT/OT Networks.

These were great recommendations by Microsoft. Here’s how Ordr maps to them:

Reducing exposure of IoT/OT devices

Beyond discovering and classifying all connected devices, from traditional servers, workstations and PCs to IoT, IoMT and OT devices, Ordr profiles device behavior and risks, and then automates appropriate action. In addition, there are visual representations of your network and associated risk. You can view this at the device group level, to see for example all devices with communications to the internet in our Ordr Traffic Analysis connectivity map, or at the individual device level in our Ordr Flow Genome. We also integrate threat intelligence from multiple sources, enriching the Ordr Data Lake with data on emerging threats, domains associated with phishing sites, Command and Control (C2) infrastructure, and so on. We can also map “good behavior,” and flag and alert on any anomalies or new traffic patterns we have never seen before. This good behavior can be shared with other tools such as firewalls and switch infrastructure to create Zero Trust policies that only allow a device the access and communication flows it needs. Anything else is automatically blocked based on the dynamically generated policies.

Mitigating risks

Ordr has a number of capabilities to first identify devices that are high risk. These include devices with weak passwords and certificates, devices running outdated operating systems, and devices with known vulnerabilities. Ordr also includes an integrated Threat Detection Engine that detects exploits and active threats, in addition to machine-learning models that alert on anomalous traffic. Ordr helps validate security workflows such as red teaming.

In addition, once vulnerable or compromised devices are identified, we can deliver rapid response to remediate and mitigate risks. We dynamically generate policies, saving security teams the time of manually writing individual policies for VLANs, SGTs, and internal firewall rules. Organizations globally also use Ordr to triage events during the incident response (IR) process, often by enriching their Security Information and Event Management (SIEM) solution.

Implement Zero Trust IoT/OT strategies

In order to create the appropriate Zero Trust policies, it is important not only to identify devices but also to understand what they are doing in the network, and to create policies that align with business needs. This is one of Ordr’s biggest differentiators: creation of Zero Trust policies and the ability to enforce them across existing networking and security infrastructure such as Aruba ClearPass, Cisco ISE, FortiManager/FortiGate, FortiNAC, and Check Point.

Centralize asset/configuration/patch management (IT, IoT, and OT)

Ordr delivers real-time asset inventory of every device. As we discover devices on the network, we can push and pull information from tools like ServiceNow or other CMDB/IT Asset Management tools to ensure the devices we see are cataloged by the business. We can keep asset management systems continuously up-to-date about systems that are not being tracked. We see this a lot where Ordr detects devices on the network that do not exist in the Asset Management tool, and also devices that are still in the Asset Management system as Active, but not deployed or online in the environment.

Ordr also works with vulnerability management tools like Tenable and Rapid7 to deliver vulnerability insights into devices that may not previously have been scanned for CVEs.

Convergence of IT and OT

We are a bridge between these teams, as we give them a data set they can both work with, each from their own perspective. I am working with a manufacturer right now where we are delivering visibility and security of their OT and IT networks. Because there aren’t truly “air-gapped” networks anymore, the IT security team was concerned about exactly what was connected. We found a number of OT workstations running Windows XP that were not managed by IT, as they are Siemens control systems, but the IT team was using Remote Desktop Protocol (RDP) to connect to them remotely for work. This is similar to how threat actors gained remote access to the water treatment plant in Florida. Ordr was able to map out which specific devices are allowed to be part of remote work and remote access, limiting the attack surface. It is a great story of IT and OT coming together to ensure the security and availability of these systems.

Continuously monitor for unusual or unauthorized behavior

The Ordr platform includes a machine learning engine that baselines and maps every device’s communications. This baseline allows us to understand what “normal behavior” is and to alert on unusual behavior.

Ordr also monitors all devices that are accessed over management protocols such as SSH, Telnet, and FTP, associates those sessions with user names, correlates them with the network they were initiated from (corporate or guest), and maintains an accurate access record for each device and each user.

Plan for Incident response

We are a critical product for Security Operations Centers (SOCs) and Cyber Security Incident Response Teams (CSIRTs) and should be a tool used in diagnostics. When an incident occurs, Ordr provides the context for the device and details about what it is communicating with. We can also provide insights on communications to C2 sites retrospectively. Finally, we empower SOCs and incident response teams by creating security policies to quickly lock down or isolate a device, block threats through NGFW policies, ACL blocks, quarantine VLAN assignment, port shutdown, or session termination–either directly to firewalls, existing switches, wireless controllers, or via NAC platform.

For example, when the SolarWinds supply chain compromise was disclosed, we had a customer reach out and ask: “Can you give me an inventory of all of my SolarWinds devices, and where they are in the network?” We did it in two clicks. We also monitored the customer’s environment to see if there were any communications to SolarWinds domains.

Remember third parties

We can monitor third party connections. We see this all the time in healthcare where a third party, like Siemens, is connecting to do remote support on a device, like an MRI. We see the communications coming in from the Netherlands, generally over traditional management protocols like Telnet, SSH, HTTPS, and RDP. We can track the source/destination of this traffic, as well as have the time stamps for when it is occurring. We can then create Zero Trust policies to lock down these management ports, but still allow the third party access that is needed.
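The behavior baselining and policy generation described in the sections above (reducing exposure, continuous monitoring, and third-party access) can be illustrated in a few dozen lines. The following is an added example written for this page, not Ordr’s own code: it learns a per-device baseline of (direction, peer, port, protocol) tuples from a learning window of flow records, flags later flows that deviate from it or that reach management ports from an untrusted network, and turns the baseline into an explicit allow-list policy with a final deny. The device ids, IP addresses, admin VLAN, and vendor support range are all constructed for the example.

```python
"""Added example: baseline device communications, flag deviations, and emit an
allow-list policy. Constructed data and hypothetical networks throughout."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Management protocols whose use should be tightly scoped (IANA default ports).
MGMT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp"}
CLEARTEXT_MGMT = {21, 23}

# Hypothetical networks permitted to manage devices: an internal admin VLAN and
# a vendor remote-support range (TEST-NET-3 stands in for the vendor's range).
ADMIN_NETS = [ip_network("10.0.50.0/24")]
VENDOR_NETS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    device: str      # inventory id of the monitored device
    peer: str        # IP of the other endpoint
    dport: int       # destination port of the connection
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = device initiated, "in" = peer initiated


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def learn_baseline(flows):
    """Map device -> set of (direction, peer, dport, proto) seen in the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.device].add((f.direction, f.peer, f.dport, f.proto))
    return baseline


def findings(baseline, f: Flow):
    """Reasons a flow deviates from expected behavior; an empty list means normal."""
    out = []
    if (f.direction, f.peer, f.dport, f.proto) not in baseline.get(f.device, set()):
        out.append("new_peer_or_port")
    if f.direction == "in" and f.dport in MGMT_PORTS:
        if not in_any(f.peer, ADMIN_NETS + VENDOR_NETS):
            out.append("mgmt_from_untrusted_network")
        if f.dport in CLEARTEXT_MGMT:
            out.append("cleartext_mgmt_protocol")
    return out


def allow_list_policy(device: str, device_ip: str, baseline):
    """Turn the learned baseline into permit rules followed by a final deny.

    Inbound management access is only codified when it comes from an approved
    network, so a bad habit observed during learning is not turned into policy.
    """
    rules = []
    for direction, peer, dport, proto in sorted(baseline.get(device, set())):
        if direction == "in":
            if dport in MGMT_PORTS and not in_any(peer, ADMIN_NETS + VENDOR_NETS):
                continue
            rules.append(f"permit {proto} host {peer} host {device_ip} eq {dport}")
        else:
            rules.append(f"permit {proto} host {device_ip} host {peer} eq {dport}")
    rules.append("deny ip any any")
    return rules


# Constructed learning-window flows for one imaging device (hypothetical ids/IPs).
LEARNING_FLOWS = [
    Flow("mri-01", "10.1.10.5", 104, "tcp", "out"),      # DICOM to the PACS
    Flow("mri-01", "10.1.10.20", 443, "tcp", "out"),     # HTTPS to an update proxy
    Flow("mri-01", "203.0.113.7", 3389, "tcp", "in"),    # vendor RDP remote support
    Flow("mri-01", "10.0.50.9", 22, "tcp", "in"),        # admin SSH from the admin VLAN
]

# Constructed flows from a later window, checked against the baseline.
NEW_FLOWS = [
    Flow("mri-01", "10.1.10.5", 104, "tcp", "out"),      # known, no finding
    Flow("mri-01", "198.51.100.23", 443, "tcp", "out"),  # never-seen external peer
    Flow("mri-01", "10.8.3.44", 23, "tcp", "in"),        # Telnet from a user subnet
]

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for f in NEW_FLOWS:
        print(f.direction, f.peer, f.dport, findings(baseline, f) or "ok")
    for rule in allow_list_policy("mri-01", "10.1.20.15", baseline):
        print(rule)
```

The policy output is deliberately generic ACL-style text; in practice it would be translated into the syntax of the enforcement point (firewall rule, switch ACL, or NAC authorization profile). Note the order of operations: the learning window is trusted as “good,” so it must be reviewed before its contents become policy, which is why inbound management sessions from unapproved networks are dropped rather than codified.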

Ready to achieve total visibility into what’s on your network? Request a free Ordr sensor today and you’ll be able to see what connected devices are on your network in minutes!


In the first week of National Cybersecurity Awareness Month (NCSAM), we covered the theme, If You Connect It, Protect It. This week, we will cover Securing Devices at Home and Work.

2020 saw a major disruption in the way many work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Week 2 of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet connected devices for both personal and professional use. 

Bring Your Own Device vs. Bring Your Work Device Home

In the early 2000s, we saw the onset of Bring Your Own Device (BYOD), where organizations allowed the use of personal devices for work functions. The specifics vary by organization, but typically a personal cell phone or laptop is allowed to connect to the corporate network so that an employee can carry out their daily work from the device they prefer. Now, in 2020, we have almost the opposite happening: organizations are supporting corporate devices that connect from unmonitored home networks. And it is not only the employees who use those home networks, but potentially everyone else who lives under the same roof.

When home life and work life bleed together, like they have for so many folks in 2020, we find that a general set of guidelines on how to protect your devices works best:

  • Have a solid inventory of your connected devices – do you know all the devices that are connected and how they are behaving
  • Make sure that your devices are updated with the proper operating system, there are no recalls on the devices, and all applications are verified and not listed on any blocklist
  • Use caution with every email, link, and application – slow down during your workday or when just perusing, never click on links from unknown sources, and try to understand the risks associated with engaging on any platform
  • When in doubt, always reach out to your IT or security team if something looks suspicious or is acting inappropriately

How Ordr Can Help 

In the true spirit of Ordr’s mission of protecting all connected devices and creating a safer network infrastructure, we recently began an IoT Discovery Program that allows you to:

  • Gain high-fidelity visibility into devices that you may not know are in your network
  • Understand risks including communication patterns and vulnerabilities
  • Discover usage patterns for your devices
  • Map these devices to your Layer 2 and Layer 3 architecture
  • Identify appropriate segmentation policies to secure your devices

If you feel this program would be a good fit for your organization, register here: https://ordr.net/sensor/

Through the Cybersecurity Awareness month of October, we will be releasing a set of blogs to focus on weekly topics. Next Tuesday, catch our blog on “Securing Internet – Connected Devices in Healthcare”.


Watching Part 2 of the Minnesota HIMSS webinar series Medical Device Security Overview for Healthcare Delivery Organizations with speakers Matt Dimino and Carrie Whysall from CynergisTek, I found the following to be useful information that you can apply to your organization’s security program development.

IoT & IoMT Device Security

Device Risk

The biggest medical device security risk organizations face is the possibility of a widespread attack or multiple security threats happening at once, which can cause widespread unavailability of devices needed to treat patients. The integrity of devices is also important to consider: without proper device management and supervision, malware can remain undetected.

Gaps

Medical devices should be assessed at point of purchase. Before putting a device on a network it should be checked for basic passwords and other vulnerabilities. Organizations should also know all devices that are on the clinical network, and track what those devices are doing. Clinical Engineering (CE) and Information Technology (IT) teams should work together to leverage their training and awareness of device security risks.

Challenges

Typically there are safety specialists who focus on technical controls and separate specialists who work on risk management, but these tasks should be joined into one security plan so that medical devices are controlled and monitored for risks.

Difficulties Developing a Medical Device Security Program

Developing a medical device security program can be difficult for a multitude of reasons:

  • Business: Lack of adequate funding, staffing and training issues, as well as organizational structure, impede the creation of a joint CE and IT security program.
  • Policy and Procedure: Organizations’ IT policies and procedures rarely include medical device security, and have disjointed governance and sponsorship policies.
  • Technical: Typical IT network tools do not work for medical device security purposes, and without passively scanning them as part of the IT network, medical devices often get overlooked. Use of legacy devices also causes technical issues, as devices are not updated for long periods of time.
  • Vendors: Medical device vendors utilize different remote access controls that may or may not be able to show who/what causes devices to crash.
  • Physical Security: Physical guest access to devices and the potential for organization IDs to be used to gain access to devices puts them at risk.

Addressing the Stakeholders

Involve all parties in the creation of a medical device security plan. Make clinical staff aware of the integrity of medical devices such as ultrasounds and anesthesia machines. Also include CISOs, IT teams, Healthcare Technology Management (HTM) teams and vendors. Discuss with all those involved the objectives of creating a medical device security plan and set up a timeline, as creating and rolling out a security plan can take many months.

How Ordr Can Help

Creating a device security program is challenging on its own, and would be even more difficult without a product to help passively scan for devices and identify risks.

The Ordr System Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk of, and automate action for every network-connected device in the enterprise. Want to experience Ordr on your network? Request a free sensor.

Look for a blog post covering Part 3 of the Medical Device Security webinar series in the future. You can watch the full HIMSS webinar here.


Internet of Things – Digital Transformation  

Merriam-Webster’s definition of the Internet of Things (IoT) is, “the networking capability that allows information to be sent to and received from objects and devices (such as fixtures and kitchen appliances) using the Internet”. Kevin Ashton coined the term in 1999, and since then we have seen expansive growth in IoT. While these devices have been around for decades, the regulations governing them still remain ineffectual.

And, while IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025, we are still not able to build IoT devices properly with security in mind.

The United States  

Recently, a bipartisan bill, the IoT Cybersecurity Improvement Act, from Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) was passed by the House but now must go to the Senate before hitting the President’s desk. The bill took more than three years to get to the House of Representatives and in that time more than 6 billion IoT devices entered the market.

The bill would set minimum security standards for IoT devices connected to federal networks. It would also require the National Institute of Standards and Technology (NIST) to set best practices for device security, the Office of Management and Budget to create guidance for agencies to meet, and the Department of Homeland Security to publish guidance on coordinated vulnerability disclosure for contractors and vendors.

The Food and Drug Administration (FDA) is working toward medical device security and states plainly on its website what it aims to accomplish:

“The U.S. Food and Drug Administration (FDA) regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. It is a responsibility the Agency shares with device makers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security and U.S. Department of Commerce.

The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.”

The medical device cybersecurity guidance by the FDA was last updated in 2018. While the FDA releases a list of vulnerabilities, its guidance points organizations to the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, to which the FDA contributed.

Much like with regulatory compliance standards around sensitive data, in the United States the individual states are leading the charge again. California and Oregon have enacted legislation that mandates that manufacturers that supply IoT devices do so with “reasonable security features.” In addition to California and Oregon, eight additional states are considering legislation.

The United States is unlikely to see meaningful regulatory compliance standards for IoT devices until the impact has already hit most organizations and homes. Compare that to the European Union (EU) and what it has in place and is working to put in place.

The European Union (EU) 

In June of this year the EU introduced a new cybersecurity standard for consumer IoT products (ETSI EN 303 645 V2.1.1), with the hope of better security practices and more manufacturers adopting a security-by-design principle when developing new connected consumer products.

The standard consists of 13 provisions:

  • No universal default passwords
  • Implement a means to manage reports of vulnerabilities
  • Keep software updated
  • Securely store sensitive security parameters
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is secure
  • Make systems resilient to outages
  • Examine system telemetry data
  • Make it easy for users to delete user data
  • Make installation and maintenance of devices easy
  • Validate input data

In addition to ETSI EN 303 645 V2.1.1, the EU also explicitly addresses medical devices in the European Medical Device Regulation (EU MDR). Much like the US FDA’s UDI, it seeks to ensure high standards of quality and safety for medical devices being produced in or supplied into Europe. With the introduction of this directive, devices entering the EU will have:

  • Stricter pre-market control of high-risk devices at an EU level
  • The inclusion of certain aesthetic products which present the same characteristics and risk profile as equivalent medical devices
  • A new risk classification system for diagnostic medical devices based on international guidance
  • Improved transparency through the establishment of a comprehensive EU database of medical devices
  • Device traceability through the supply chain from its manufacturer through to the final user
  • An EU-wide requirement for an ‘implant card’ to be provided to patients containing information about implanted medical devices
  • The reinforcement of the rules on clinical data and clinical studies on devices
  • Manufacturers to collect data about the real-life use of their devices
  • Improved coordination between EU Member States

And, now with Brexit, what happens with the United Kingdom (UK) come December 31, 2020 and the IoT regulatory compliance standards? While the UK remains subject to EU law, it is no longer part of the EU’s political bodies or institutions. Will the Department for Digital, Culture, Media & Sport (DCMS) serve as the governing body for IoT device security?

The United Kingdom (UK) 

In June of 2020 the UK DCMS addressed the need for cybersecurity as a fundamental instrument in the building of IoT devices. It is enacting a product assurance scheme to mark approved IoT devices with an assurance label or kitemark that demonstrates that the product has undergone independent testing or a robust and accredited self-assessment process. The ultimate goal is that consumers of IoT devices would purchase approved devices rather than those that are not, and that retailers would only sell approved devices.

DCMS has been taking forward multiple initiatives to address the matter, including:

“The UK Government looks forward to continuing to work with industry and all interested stakeholders to ensure that the UK is the safest place to be online.” 

While the EU and UK continue to lead the charge in regulatory compliance standards to protect citizen and resident data, they are also years ahead of the US in addressing IoT device security. The fundamental issues still remain. Can we create a global culture where we put securing our data first, both by properly building IoT devices and then by holding device manufacturers accountable in our procurement of devices?