
A little background on why I’ve agreed to do this guest QA blog for Ordr:

In my role as CTO at CDW Healthcare, I talk to former healthcare peers, in an advisory capacity, to help them protect patient safety and resources with the best cybersecurity technology solutions. Prior to joining CDW, I was CIO of Halifax Health, where we deployed Ordr for our medical device security needs.

I’ve been at CDW for slightly more than two years, after more than two decades in the healthcare trenches, most recently as CIO of Halifax Health. I decided on a different role at CDW to bring best practices and cybersecurity technologies to my CIO colleagues who are at the forefront of fighting the cyber war. If the healthcare industry could more effectively collaborate and share security expertise to mitigate cyber-attacks, we would stand a much better chance against the cyberattacker army working together against us every day!

What is your primary goal as the CTO of CDW Healthcare Division?

To bring awareness to our healthcare customers on the importance of bringing modern IT tools into healthcare organizations to optimize patient safety and hospital resources. With Ordr’s cybersecurity solution there are many ways network visibility helps hospitals beyond, of course, ransomware, but also what’s happening with device utilization, what’s happening with compliance and what’s being communicated externally. There are several important use cases we want to advise our customers about to develop a proactive plan before something bad happens.

Why is IoT and connected device monitoring and enforcement so unique for hospitals?

There’s a problem with biomed devices and it’s not going away. There will always be biomed devices that have outdated and unsupported operating systems. In the beginning, when first purchased, they were of course running mainstream and perhaps even state of the art operating systems, but now these operating systems are no longer supported by the manufacturers. As a result, O/S patches are no longer available to address vulnerabilities, even though these devices are still within their useful lifecycle and are still viable, delivering strategic care for patients and revenue to healthcare organizations.

Why weren’t patches performed on outdated operating systems on biomed devices?

Unfortunately, this is due to the biomedical industry. As a medical device design engineer for ten years, I may have helped cause the problem, although we thought it made sense the way we did it back then. We would buy an off-the-shelf computer and put it in a cabinet or a device we were creating, and it would run it. The computer we installed ran whatever the latest operating system was at the time. The issue back then was that, per the FDA 510(k) rules for Class II and Class III medical devices, once the device was tested it could never be altered. This included the operating system on the off-the-shelf computer. So, the manufacturers never changed them or patched the OS, because they could not!

Can you patch today?

In 2016, the FDA reversed their guidelines and said you can patch devices now because it is important to upgrade operating systems. But it was a guideline, it was not a mandate. Because it was a guideline and because it is hard for biomedical manufacturing companies to transition to have a global patch program for all the devices they sell, they do not do it. And they do not want to release the product to an IT team to open it up and obviously, upgrade the operating system or patch it due to inherent risk on their part, because it might make their system not work properly.

Bottom line, the problem is going to persist because biomed devices will continue to outlast the useful life of their operating systems and CFOs do not want to replace a $4M imaging device that makes the hospital money every day only because it has a security vulnerability.

If you don’t patch, what can CISOs and security leaders do?

They are stuck, because now they have a known vulnerability in their system, and they must do something about it. This is the reason I was introduced to Ordr.

How did you select Ordr for addressing the patching issue?

Our first step was to do a POC (proof of concept) by my IT security team. A few weeks later, my network and security team had a meeting with IT leadership to show the results of the POC. We were all blown away. I’ll never forget that moment because everyone was happy, even joyous, which doesn’t normally happen with software in general.

To get the security and network team to completely agree on something was amazing, because normally, they have a little contention just due to their job functions where one wants data to flow, and the other one wants to control data.

Once deployed, did you meet your objective?

I was amazed. Ordr worked and it worked well. We purchased Ordr originally because I knew I had a problem with older biomed devices running Windows XP. Before Ordr, our vulnerability scans would find them, but then they would disappear because of the dynamic nature of how they connected to the network. And if we didn’t find them that very minute and physically locate them, we would lose sight of them. It was a real problem. We could not see and didn’t know our full landscape. And that is scary, because to me, one of the major tenets of cyber security is to understand your landscape. And that includes all devices connected to your network and their patch status. Are they patched? Or are they unsupported? It is not just your IT devices, it is anything that is connected to your network. As you know, in the last five years, that’s grown greatly with so many other things connecting now, and you still have these legacy biomed devices that are out there too.

How did you manage all the outdated and unsupported biomed devices you found?

When we fully deployed Ordr, we noticed a couple of things right away. First, we not only found all the biomed devices, but we also now had an inventory of them. And we were able to understand what operating systems they were running and could have a plan of what to do about it. At that time, we had three choices.

  1. Replace the device. But again, financially that might not be viable.
  2. Get the manufacturer to patch it, or to upgrade the operating system so it was no longer vulnerable.
  3. Bury it with micro-segmentation. Through micro-segments, you have controls around it from the internal firewall. Even though you have controls, you still need to monitor it, and we used Ordr for that.

When I would talk to people, they understood that Splunk monitors user behavior. Ordr monitors device behavior. I can now set upper or lower limits on the device itself. And if Ordr detects something odd, we can be alerted.

What was the next step to managing these vulnerable devices?

The roadmap was moving more towards enforcement, and that sat well with me. The reason why is that hackers do not attack during the day; they tend to attack at night and on weekends. At those times, depending on what hospital you’re at, you might be relying on a managed Security Operations Center (SOC), which is pretty good. Or you might be relying on your on-call staff to fight any cyber problems in the middle of the night. And there’s latency in that. If the hacker somehow gets in and gets to an XP device, it takes about 20 minutes for them to own that device. If there are any servers connected to that kind of device, then they have the opportunity to own the network. Now the world turns bad quickly. To have a system that has a deep understanding of proper network communication related to strategic IoMT devices and can monitor those devices 24/7 and alert us when something is wrong is great.

Next, if I could actually enforce policy, or at least send API commands from Ordr to change the policy in my firewall or my NAC, these devices could shut down communication at 3 am in milliseconds. This is much better than the time it would take the team to figure out what the problem was, based on calls to the service. IoT and connected device security enforcement can stop a virus from propagating.
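The two ideas in the answers above, a per-device baseline with upper limits on behavior and an automated isolation decision pushed to a firewall or NAC, can be shown in a few dozen lines. The block below is an added example written for this page; it is not Ordr's code and does not use Ordr's API. The device addresses, the allowed peers (a PACS on DICOM port 104 and an HL7 worklist feed on port 2575), the byte limits, the flow records and the shape of the enforcement request are all constructed assumptions.

```python
"""Per-device communication baseline with an automated isolation decision.

Added example, not Ordr's code. The device addresses, allowed peers, ports
and flow records below are constructed for illustration; the baseline for a
real device would come from observed traffic or the vendor's port/protocol
documentation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds (constructed)
    src: str       # device IP
    dst: str
    dport: int
    proto: str
    bytes_out: int


@dataclass(frozen=True)
class Baseline:
    """What one legacy device is permitted to do on the network."""
    allowed_peers: frozenset          # {(dst_ip, dport, proto), ...}
    max_bytes_per_window: int         # upper limit on outbound volume
    window_secs: int = 60


# Constructed: two XP-era ultrasound carts on the same VLAN, each allowed to
# reach only the PACS (DICOM/104) and the HL7 worklist feed (2575).
PACS = ("10.20.1.10", 104, "tcp")
WORKLIST = ("10.20.1.12", 2575, "tcp")
BASELINES = {
    "10.20.5.17": Baseline(frozenset({PACS, WORKLIST}), max_bytes_per_window=1_000_000),
    "10.20.5.18": Baseline(frozenset({PACS, WORKLIST}), max_bytes_per_window=1_000_000),
}

SAMPLE_FLOWS = [  # constructed flow records, as a NetFlow/IPFIX or SPAN sensor would emit
    Flow(1000, "10.20.5.17", "10.20.1.10", 104, "tcp", 50_000),    # normal study upload
    Flow(1010, "10.20.5.17", "10.20.1.12", 2575, "tcp", 2_000),    # normal worklist query
    Flow(1020, "10.20.5.17", "10.20.7.3", 445, "tcp", 4_000),      # SMB to a workstation: not baselined
    Flow(1025, "10.20.5.17", "10.20.7.4", 445, "tcp", 4_000),      # second host: lateral-movement pattern
    Flow(1030, "10.20.5.17", "10.20.7.5", 3389, "tcp", 1_000),
    Flow(1040, "10.20.5.18", "10.20.1.10", 104, "tcp", 600_000),   # allowed peer, but volume...
    Flow(1050, "10.20.5.18", "10.20.1.10", 104, "tcp", 600_000),   # ...exceeds the per-minute limit
]


def evaluate(baselines, flows):
    """Return alerts as (ts, device, kind, detail) for every baseline violation."""
    alerts = []
    volume = defaultdict(int)  # (device, window index) -> bytes seen so far
    for f in sorted(flows, key=lambda x: x.ts):
        b = baselines.get(f.src)
        if b is None:
            continue  # not a device under this policy
        peer = (f.dst, f.dport, f.proto)
        if peer not in b.allowed_peers:
            alerts.append((f.ts, f.src, "unexpected_peer", f"{f.dst}:{f.dport}/{f.proto}"))
        key = (f.src, f.ts // b.window_secs)
        volume[key] += f.bytes_out
        if volume[key] > b.max_bytes_per_window:
            alerts.append((f.ts, f.src, "volume_exceeded", str(volume[key])))
    return alerts


def isolation_set(alerts, min_unexpected_peers=2):
    """Devices that should be isolated without waiting for a human.

    One unexpected peer may be a misconfiguration, so it only alerts; a device
    reaching several non-baselined hosts, or blowing through its volume limit,
    is isolated immediately.
    """
    peers_seen = defaultdict(set)
    isolate = set()
    for _ts, dev, kind, detail in alerts:
        if kind == "volume_exceeded":
            isolate.add(dev)
        elif kind == "unexpected_peer":
            peers_seen[dev].add(detail)
            if len(peers_seen[dev]) >= min_unexpected_peers:
                isolate.add(dev)
    return isolate


def enforcement_requests(devices):
    """Shape of the change pushed to a NAC or firewall (hypothetical API schema)."""
    return [{"action": "quarantine", "device_ip": ip, "reason": "baseline violation"}
            for ip in sorted(devices)]


if __name__ == "__main__":
    found = evaluate(BASELINES, SAMPLE_FLOWS)
    for a in found:
        print(a)
    print(enforcement_requests(isolation_set(found)))
```

The threshold of two distinct unexpected peers is the tunable that separates "page someone" from "quarantine now"; at 3 am the second branch is the one that matters, and it fires on the flow at second 1025, before the third host is touched.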

What else could you do now with full visibility of your network landscape?

Device utilization is a big deal. Ordr creates custom views per departmental stakeholder. For example, the Biomed and/or Operations team could go into their Ordr view and just look at medical device utilization. Their view doesn’t allow them to see the other aspects of cyber or network information Ordr was capturing.

I like to tell the story that if a clinician wants another ultrasound device in your hospital, but your ultrasound fleet is only being utilized 30% of the time, you do not need another ultrasound, you need to improve your processes to get better utilization of your devices. And when you do this, you save money by not buying another device while improving your processes. And so that is valuable.

For some devices, Ordr was monitoring down to the battery life level. Since we all know batteries go bad, to have an alert to the Clinical Engineering team for low batteries on biomed devices is cool and important.

The next important outcome we gained was forensic device data. Ordr collects all device data in the cloud. When we had a potential security incident, we called the security team. The team used Ordr to determine which device was bad and to see who it was talking to and how, to see if it was doing things it should not do. We always used Ordr during any security incident as part of our incident response toolbox, and it worked well. Even the network team liked it, because Ordr does an incredibly good job of showing how everything communicates, what it is trying to communicate, and what is being blocked from communicating.

To sum it up, first and foremost the outdated and unsupported biomed devices are a problem that is not going away, ever! Operating systems only have a life for so long, so you need something to address the issue. With Ordr though, you get more use cases including device utilization management, forensic data and the network team gets to see how things are communicating, outside of their regular forensic toolbox. So that’s why I like Ordr.

Please contact me if you’d like to learn more or to share stories that could benefit all of us in addressing outdated medical devices and cybersecurity resiliency in healthcare.


The Cybersecurity and Infrastructure Security Agency (CISA) recently issued two security advisories highlighting vulnerabilities associated with connected devices made by medical technology firm Becton, Dickinson & Co. (BD). The advisories follow disclosures BD made to CISA, and describe security flaws in the company’s Pyxis and Synapsys product lines.

Among the vulnerabilities described in the advisories are the use of default and shared credentials in the Pyxis products and “insufficient” session expiration for the Synapsys informatics platform. Both flaws could leave the devices vulnerable to exploitation by threat actors who could then gain access to sensitive patient protected health information (PHI) or even affect the delivery of correct treatment.

Device Vulnerabilities Put Network and Patient Safety at Risk

The disclosure of these security flaws by BD, and the subsequent advisories issued by CISA, underscores the risk to both network and patient security when vulnerable Internet of Medical Things (IoMT) devices are deployed within healthcare environments. Even when such devices must remain in service and cannot be patched, allowing them to continue operation without taking steps to mitigate their associated risks should be regarded as a dereliction of duty.

In this case, BD recommends a number of steps to close the now-known security gaps, including:

  • Limit physical access to only authorized personnel;

  • Tightly control management of system passwords provided to authorized users;

  • Monitor and log network traffic attempting to reach the affected products for suspicious activity;

  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed; and,

  • Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

From an IT and security operations standpoint, these steps may be difficult for hospitals and other healthcare delivery organizations (HDOs), especially in larger organizations with no means for effecting proper asset management. This leaves questions like: Does my organization have these devices in inventory and where are they located? What software versions are installed? Are they in use and unable to be taken out of service?

Ordr can answer these questions and easily address the recommendations by BD above.
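As an added illustration of the inventory questions and the isolate-and-log recommendations above (example code written for this page, not BD's or Ordr's tooling), the block below takes a discovered-device inventory, picks out the devices whose product family appears in an advisory, and renders a default-deny nftables policy for their VLAN that permits only the trusted application servers and logs everything else. The inventory entries, the trusted-host addresses, the product names used as keys, and the interface name `vlan-meddev` are constructed placeholders; only the nftables syntax is real.

```python
"""Build a default-deny isolation policy for affected devices from inventory.

Added example, not BD's or Ordr's tooling. The inventory, the trusted hosts,
the product names used as keys and the VLAN interface name are constructed
placeholders; only the nftables syntax is real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    product: str     # product family, matched against the advisory's list
    location: str    # answers "where is it?" for field support


@dataclass(frozen=True)
class TrustedService:
    host: str        # the only peers the device may initiate traffic to
    dport: int
    proto: str
    purpose: str


# Constructed inventory (in practice: the discovery platform's export).
INVENTORY = [
    Device("med-station-01", "10.10.5.7", "Pyxis", "ICU, bay 3"),
    Device("lab-informatics-01", "10.10.5.8", "Synapsys", "core lab"),
    Device("infusion-pump-44", "10.10.5.9", "OtherVendor", "ward 4B"),
]

# Constructed allow-list per product: trusted application servers only.
POLICY = {
    "Pyxis": [TrustedService("10.10.1.20", 443, "tcp", "pharmacy application server"),
              TrustedService("10.10.1.21", 1433, "tcp", "pharmacy database")],
    "Synapsys": [TrustedService("10.10.1.30", 443, "tcp", "informatics server")],
}


def affected(inventory, advisory_products):
    """Devices whose product family appears in the advisory."""
    return [d for d in inventory if d.product in advisory_products]


def build_nft_rules(devices, policy, iface="vlan-meddev"):
    """nftables forward-chain rules for the device VLAN.

    Each device may only initiate the flows listed for its product; replies
    ride on conntrack; everything else leaving the VLAN is logged, then
    dropped, which covers both the 'isolate' and the 'monitor and log' steps.
    """
    lines = [
        "table inet meddev {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for d in devices:
        for svc in policy.get(d.product, []):
            lines.append(
                f'    iifname "{iface}" ip saddr {d.ip} ip daddr {svc.host} '
                f'{svc.proto} dport {svc.dport} accept comment "{d.name}: {svc.purpose}"'
            )
    lines.append(f'    iifname "{iface}" log prefix "meddev-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


def field_worklist(devices):
    """Where field support must go for the physical-access and password steps."""
    return [(d.name, d.ip, d.location) for d in devices]


if __name__ == "__main__":
    hits = affected(INVENTORY, {"Pyxis", "Synapsys"})
    print(build_nft_rules(hits, POLICY))
    print(field_worklist(hits))
```

Two caveats when adapting this: the chain's `policy drop` applies to all forwarded traffic on that firewall, so on a shared box scope the rules to the VLAN or merge them into the existing ruleset; and inbound sessions to the devices (for example a vendor's remote-support path for patching) need their own explicit allow entries, since nothing above permits a connection to be initiated toward the VLAN.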

See, Know, Secure, Every Connected Device

Our See, Know, Secure approach to connected device security means our customers can find and identify all BD connected assets, as well as the other connected devices operating on the network, within minutes of deployment. Once Ordr has discovered the devices and identified their make, model, and other operational data, the BD products affected by these vulnerabilities can be monitored for any anomalous behavior that could be an indicator of compromise (IOC).

Ordr can identify which BD devices are being accessed by which user, and track which users were logged into a specific device, at what time, duration and more.

Ordr also enables security teams to proactively segment the impacted BD devices and to set Zero Trust security policies specific to each. If a device is compromised and we detect anomalies such as a suspicious communications pattern or other operations outside of defined parameters, our segmentation policies limit an attack’s potential “blast radius” by isolating affected devices and network segments, allowing security teams to take mitigating actions within minutes of a breach.

Ordr Can Help Secure Your Devices and Environment

With studies suggesting that as many as three-quarters of all connected medical devices currently in service contain at least one security vulnerability, and that half may contain two or more, it is critically important for hospitals and HDOs to do what is necessary to gain the upper hand on connected device inventory, management, and security. For more information about how Ordr can assist in this endeavor, please visit our site to learn more about our security platform, or contact us with questions specific to your organization’s situation.


It’s not often that, in a high-tech industry like security, a company can pioneer an emerging market, and then continue to lead that market for the next five years. This is why our recognition as a Healthcare IoT Security market leader—for the third straight year—by KLAS Research in its latest report, “Healthcare IoT Security 2022: Moving beyond Device Visibility,” is such a milestone achievement for us.

We are so grateful to our customers who engaged with KLAS and provided feedback to them. We couldn’t have done it without you! Ordr received high marks from customers in the KLAS report for:

  • Breadth of functionality beyond just visibility, including abnormal activity identification, traffic monitoring, and device utilization tracking;
  • High customer satisfaction rates;
  • High value across multiple stakeholders including Security, Clinical/Biomed and IT;
  • Helpful training and education offerings, including the Masterclass webinar series;
  • User interface enhancements; and,
  • Strong technical background of the Ordr team in security, healthcare and networking.

There are several aspects of the report that are important to highlight.

1. 3-Time Leader with High Customer Satisfaction Rates

In 2019, when we first appeared in the KLAS report, the market was just emerging. In November 2020, we were named a market leader for the second time. In 2022, we were again named a market leader. In the same report, KLAS highlighted our client list transparency.

For healthcare organizations, we emphasize the value of working with a partner with a consistent track record of leadership in healthcare. That consistency and focus is something we’re really proud of.

2. Evolution of Our Customers from Visibility to Risk Insights and Security

Customers interviewed celebrated Ordr’s ability to provide value beyond device visibility. In its report, KLAS noted that, “Ordr customers (often very large health systems) use the platform to do more than simply see what devices are connected to their network—they also track device utilization, identify abnormal device activity, and monitor traffic.”

This is an important distinction.

As an early vendor in this market, working with so many large healthcare system customers over the last couple of years, we have seen our customers move beyond visibility (“See”) towards the “Know” and “Secure” parts of their connected device security lifecycle. Many healthcare customers use Ordr as the source of truth for both device and network context as well as flow-level analytics for policy generation. Our customers depend on us for critical risk and clinical insights, and we’ve successfully implemented Zero Trust policies to support their initiatives.

The KLAS report also celebrated our ability to deliver high value across the domains of different stakeholders. Observe the broad range of ways different users within a healthcare organization – clinical/biomed engineering, security and networking – are using Ordr in these KLAS customer insights, and the outcomes we’ve delivered:

“On the clinical engineering side, the value of the product comes from utilizing the product. We look at whether things are performing as expected or whether the system requires patching. We can get patches from the vendor, but we may miss something, and that makes things very difficult. With Ordr’s system, we can identify which things have been patched and which haven’t. We are also feeding the data into the asset management tool so that we know exactly which systems are involved in our work. The data is very rich and useful.”

“I would definitely recommend the system. The major strength is complete visibility into the endpoints for the traffic that we send through the solution. That will assist us when we get into a more stringent RADIUS authentication requirement for our wired network. Another strength is the ability to see exactly what a device has talked to from either a profile view or a specific device view. We can see what ports were used, how many times the communication happened, and what the date and time were. We can get a rather slick visual representation of that and easily export it.”

“The biggest outcome is a significant decrease in the amount of incident response time. We have used Ordr Platform as a part of our incident response with ransomware. Because we couldn’t run our antivirus on our machines, we were able to go in and identify the specific machines in Ordr Platform and provide a picture to the field support. The network engineers had already logged in to Ordr Platform, saw the traffic, and then killed the port so that it couldn’t communicate. That was very handy so that when a field support person walked into the room, they knew exactly where they were going. We were able to get the medical devices back up and running on our network and segmented really quickly. Ordr made that quick turnaround happen. We have factored the utilization of Ordr Platform into our incident response plans. We have been able to reduce our response time by hours. We already had a really robust response time and plan, and the system sped things up significantly.”

3. Preferred by the Top Healthcare Delivery Organizations (HDOs)

Top healthcare organizations, including 3 of the top 6 HDOs in the world use Ordr. Addressing the needs of these large and sophisticated healthcare organizations is NOT easy and requires a mature product that can meet requirements of accuracy, scale, resiliency and reliability. Our customers have higher levels of expectations with Ordr and we are a critical part of their mission critical security journey. Designing a system to discover 15,000 connected devices for asset inventory in a single hospital is far different than designing a solution for 500,000 devices across an entire healthcare system, delivering granular profiling, device flow mapping, clinical and security risk insights, and segmentation policies.

We are proud of the fact that as we continue to evolve our product and through our many years in the market, we continue to receive some of the highest ratings and deliver the highest levels of transparency to KLAS.

And when it comes to delivering value for healthcare providers, we are just getting started. Stay tuned to this space to see what’s coming next from Ordr!

Here’s an At-A-Glance on the report. Want to read the full report? Email us at info@ordr.net.


The second episode of the seven-part CHIME Medical Device Security webinar series aired last week. The episode addressed the topic of aligning healthcare cybersecurity for connected medical devices with a new cybersecurity law for healthcare. Once again, I moderated the episode in my new role as Senior Account Executive with Nuvolo. I was joined by two industry experts who weighed in on the subject: Erik Decker, the CISO of Intermountain Healthcare, former Board Chair of the Association for Executives in Healthcare Information Security (AEHIS), and co-leader of the HHS task group implementing the Cybersecurity Act of 2015; and, returning from Episode One, Rob Suárez, CISO of Becton Dickinson (BD) and chairman of the Medical Device Innovation Consortium’s (MDIC) Cybersecurity Steering Committee and the Advanced Medical Technology Association’s (AdvaMed) Cybersecurity Work Group.

The Cybersecurity Act of 2015, in particular its Section 405(d), expressly calls out the healthcare industry. While the name “405(d)” offers little insight into the legislation’s relevance to medical device security, Mr. Decker is uniquely positioned, perhaps more so than anyone else, to elaborate on its significance. As he explained, healthcare is officially designated as critical infrastructure and simply requires more protection. Cyber-attacks on hospital operations are direct threats to patient safety, and compromises of highly sensitive electronic health information threaten patient privacy rights. Ransomware attempts against healthcare are increasing, rising 123% in 2020 and incurring $20.8 billion in downtime costs.

405(d) mandates the formation of an industry-led task group to publish a compendium of cybersecurity best practices, frameworks, methodologies, technologies, and other recommendations that serve as a set of federally recognized cybersecurity practices and give Health Delivery Organizations (HDOs) regulatory relief when implemented. In the words of Mr. Decker, “It’s a way to draw a line in the sand and say, ‘here is an example of what you can do that demonstrates best practice’; and if you do it, you get a benefit for it; and if you don’t, you might be hindered by it.” The cornerstone publication of the 405(d) task group is Health Industry Cybersecurity Practices (HICP, pronounced like ‘hiccup’). HICP comprises three primary volumes: a main document providing a high-level summary of the threats and recommendations, and two technical volumes prescribing specific practices, including for connected medical devices, to be implemented by IT specialists of small, medium, and large HDOs.

Under the new law, Public Law 116-321, following the best practices for medical device security detailed in HICP requires the HHS Office for Civil Rights (OCR) to consider reductions in fines, audits and post-breach oversight.

Next, Mr. Suárez discussed the Medical Device and Health IT Joint Security Plan (JSP), authored in 2019 by a Healthcare and Public Health Sector Coordinating Council (HSCC) task group that Mr. Suárez co-chaired. The JSP proposes a voluntary framework in which responsibility for medical device security is distributed across healthcare stakeholder organizations. Under the JSP, medical device manufacturers (MDMs) proactively aid their customers by developing and communicating processes, personnel training recommendations, device life-cycle strategy, vulnerability patches and decommissioning plans, and by incorporating HDO feedback into future product design. HDOs work with their vendors to establish baseline best practices and measures of device maturity and process effectiveness, communicate complaints and discovered vulnerabilities, and institute remediation procedures.

Episode Three of CHIME’s Medical Device Security webinar series airs on Thursday, August 5th. If you missed Episode One, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.

Acronym Glossary

  • 405(d): A provision within the Cybersecurity Act of 2015 (CSA). The CSA 405(d) program aims to raise awareness, provide vetted practices, and foster consistency in mitigating the most pertinent and current cybersecurity threats to the sector. It seeks to help Healthcare and Public Health (HPH) sector organizations develop meaningful cybersecurity objectives and outcomes.
  • AdvaMed: Advanced Medical Technology Association
  • AEHIS: Association for Executives in Healthcare Information Security
  • BD: Becton Dickinson
  • CHIME: College of Healthcare Information Management Executives
  • HDOs: Health Delivery Organizations
  • HHS: Health and Human Services
  • HICP: Health Industry Cybersecurity Practices
  • HSCC: Healthcare and Public Health Sector Coordinating Council
  • JSP:Medical Device and Health IT Joint Security Plan
  • MDIC: Medical Device Innovation Consortium
  • MDM: Medical Device Manufacturers
  • OCR: Office for Civil Rights within HHS
  • Public Law 116-321: An act to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes

Healthcare has been one of the key verticals for Ordr since our inception as CloudPost Networks. Over the last couple of years, we’ve helped many healthcare organizations address visibility and security for their unmanaged and IoT devices. In turn, we’ve worked with our customers to evolve our solution and address new use cases.

As a result, we’re grateful and proud to have been named a market leader (with the highest market share) in the new KLAS Research report, Decision Insights: Healthcare IoT Security for the second year in a row. If you’re not familiar with KLAS Research, they are a healthcare IT data and insights company. One of the most unusual aspects of KLAS Research is that they actually interview real clients with questions such as “Are customers happy with a vendor’s products and with customer service?” “Do they have a positive impression of their vendor?” “Do they think their organization has benefited from adopting the vendor’s software?” KLAS is lauded in the industry for their accurate, honest and impartial research.

Market Leader for Second Straight Year

The KLAS Healthcare IoT Security Report defined the following as key capabilities for an IoT Security solution.

In addition, KLAS spoke to more than 51 customers about which vendors were being selected and why. They had this to say in their report: “Ordr, who has contracted with some of the largest health systems, has continued to be one of the market leaders in terms of wins and considerations for the second straight year, resulting in their current leading market share.”

KLAS also noted that we were praised by customers for:

  • The breadth and number of devices Ordr can detect;
  • The highly granular visibility the solution provides;
  • Ordr’s culture of “flexibility and willingness to partner;”
  • Strong technology integrations that help drive value with the solution; and,
  • High customer satisfaction.

We thank all healthcare organizations who participated in the KLAS interviews. We’re excited to continue our growth with our customers, helping to discover, profile and secure connected devices. Thank you to two of our customer advisory board members, Skip Rollins and Jeff Vinson, who supported us throughout our journey and contributed to our release.

“COVID-19 has forced healthcare organizations to double-down on prioritizing security while balancing other organizational priorities and needs. CIOs need to find ways to support the business,” said Skip Rollins, CIO, Freeman Health. “Ordr is a tool we lean on not only for visibility and security of unmanaged and IoT devices, but for device utilization insights. Details about how often a device is being used helps us to optimize device allocation and support procurement decisions.” 

“Most healthcare organizations don’t realize that a vending machine may be connected to the same network as a critical life-saving device like a ventilator,” said Jeffrey Vinson, CISO, Harris Health. “We have partnered with Ordr because the company provides the most comprehensive IoT security solution that goes beyond simple device inventory. Ordr discovers all connected devices, helps us identify risks and malicious behaviors in devices, and can automatically generate segmentation policies to secure high-risk devices.” 



On Oct 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) announced an increased and imminent cyberthreat to the Healthcare and Public Health Sector. The warning comes on the heels of increased ransomware incidents in the last few months and includes information on Conti, TrickBot and BazarLoader and new Indicators of Compromise (IOCs). As healthcare continues to be a reliable source of income for threat actors, because the need to protect patient care pressures victims to pay, ransomware campaigns will continue to proliferate.
Jeff Horne, Chief Security Officer at Ordr, provides insight into the latest wave of ransomware with a series of articles:

Threat Summary

Ransomware has been around for decades, but its evolution over the past few years into a service model, Ransomware-as-a-Service (RaaS), is one reason for a 25 percent increase in attacks from Q4 2019 to Q1 2020, a 715% year-over-year increase in detected and blocked ransomware attacks, and a 33% rise in the average payment.
The division of labor between the ransomware developer and the affiliates makes it more lethal than ever.

  • Ransomware developer: creates the custom malicious code and capabilities such as lateral-movement tools and scripts, including exploit code that is sold to a ransomware affiliate for a fee or a share of the eventual ransom after a successful attack.
  • Ransomware affiliate: stands up a hosting site with the custom exploit code, identifies targets, and delivers the exploit code, typically by phishing email or as an attachment.
  • Victim: falls victim to the exploit code.
RaaS Infection Lifecycle
There are several RaaS types identified by security experts. Some examples are Sodinokibi, Ryuk, Mamba, Phobos, Dharma, Snatch, etc. It is worth noting that the actual ransomware code is usually the last piece dropped in the infection life cycle, which gives hope that it can be prevented. The infection usually starts with a Trojan like TrickBot, goes through a "baking" phase in which the RaaS affiliates monitor and map out the network and any existing vulnerabilities, and only then drops the actual ransomware code.
Ordr recommendation for defense against RaaS:
There are several recommendations given by security experts. Ordr compiled the mitigation plans and policies from the CISA advisory and other sources and mapped them to the NIST cybersecurity framework.
Fig-2: NIST cybersecurity framework

Identify

Insightful asset management: Asset management of all network-connected assets is the first step towards defense against any threat. Insightful asset management is not about maintaining a list of IP addresses or serial numbers but a very detailed inventory containing what the device is, where it is located, operating system details, etc. Ordr passively detects all network-connected devices and creates a database with make, model, OS, location and other detailed information.
Continuous monitoring: Continuous monitoring is key to any good asset management and security program. With the proliferation of IoT devices, continuous monitoring is key to the protection of the entire organization. A device that is not supposed to be on the network needs to be detected right away, and appropriate action needs to be taken. Ordr detects a device the moment it becomes active on the network and records it. Ordr can quarantine or disconnect a device from the network with the click of a button.
Knowledge of what is in your control and, more importantly, what is not: Organizations usually maintain an inventory of the assets that they control. What is largely missed are the assets that are not "owned" by the organization but still use its critical resources: third-party managed networks, vendor devices, devices and software under vendor qualification, etc. Ordr detects all these devices and gives an easy way to identify these unmanaged devices.
Asset criticality: Knowing and protecting critical assets is a critical part of the security program. For healthcare, Ordr provides clinical risk metrics that help prioritize and secure the most critical assets.

Protect

Security awareness: Awareness is key to any security program. This process should cover topics from identifying malicious emails to social engineering risks. Make sure that the security awareness campaign is an ongoing process.
Understand vulnerability threat posture: Understand the existing vulnerabilities of all the devices and software on the network. Most ransomware damage is done using existing vulnerabilities. One of the vulnerabilities identified as a major exploitation vector is CVE-2020-1472. Ordr identifies devices that are impacted by this vulnerability. Ordr, in combination with any popular vulnerability detection software like Tenable or Rapid7, provides a complete picture of IoT-specific and application vulnerabilities. Combined with the critical infrastructure score, the organization knows how to prioritize its never-ending patching programs.
Bring unmanaged devices under compliance: In almost all deployments, Ordr found devices that the security teams never knew existed. These range from someone plugging a device into the corporate network, to contractor/vendor devices, to third-party managed networks. Ordr can easily identify these devices so that appropriate action can be taken to bring them into compliance.
Understand active threat posture: Active threats are different from vulnerabilities. Ordr has an inbuilt IDS engine that can detect east-west threat propagation. Understanding the criticality of the device together with evidence of vulnerability exploitation is critical. Typical firewalls don't catch east-west threat propagation. Ordr detects and reports east-west threat propagation, which reduces threat response time.
Monitor active communications: No one wants their devices talking to known malicious sites. Ordr detects this activity right away and raises an alarm.
Backup and encryption: As a standard practice, perform regular backups and encrypt them.
Be proactive: These new attacks try to understand the network and its connectivity details to cause maximum damage. Microsegmentation protects the network from ransomware attacks by minimizing threat exposure. Ordr makes microsegmentation easier and a reality.

Detect

Make sure standard security practices are up to date: Make sure that all the security measures you have in place, like endpoint protection software and threat feed information, are up to date. Provide continuous security education to all users, including vendors and contractors.
Logging: Make sure that you have logs of all transactions. Ordr records all network transactions over the network. This helps immensely with any forensic activity.
User-to-device mapping: It's critical to understand who is using which devices and what they are doing with them. Ordr maps users to devices and devices to their communications.
Communication patterns: Understanding device-to-device communication patterns and blocking unnecessary or unexpected communication is another step towards protecting the infrastructure. One of the exploitation vectors for the recent ransomware attacks is the open RDP port 3389. Ordr provides an easy way to identify devices that are communicating over port 3389. Users can then decide whether this communication is expected and whether the RDP port itself needs to be changed.
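As an added illustration of the Detect steps above (example code, not Ordr's own), this Python snippet applies the logging and communication-pattern checks to constructed flow records: it flags RDP (TCP/3389) sessions that do not originate from an expected admin source, marks each as east-west or external, and ranks them by the clinical criticality of the destination device. All addresses, device names and the allow-list are hypothetical.

```python
import ipaddress

RDP_PORT = 3389
# RFC 1918 ranges are treated as "inside" the hospital network (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

# Constructed asset inventory (hypothetical): address -> (device type, clinical criticality)
INVENTORY = {
    "10.10.1.20": ("infusion pump", "high"),
    "10.10.1.30": ("ventilator", "high"),
    "10.10.9.7": ("vending machine", "low"),
    "10.20.5.5": ("IT jump host", "low"),
}
# Only this source is sanctioned to open RDP sessions to clinical devices (hypothetical)
EXPECTED_RDP_SOURCES = {"10.20.5.5"}

# Constructed flow records: (source, destination, protocol, destination port)
FLOWS = [
    ("10.20.5.5", "10.10.1.20", "tcp", 3389),    # jump host -> pump: expected
    ("10.10.9.7", "10.10.1.30", "tcp", 3389),    # vending machine -> ventilator
    ("203.0.113.9", "10.10.1.20", "tcp", 3389),  # internet -> pump: exposed RDP
    ("10.10.1.20", "10.30.0.2", "tcp", 443),     # not RDP, ignored
]


def is_internal(addr):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def rdp_findings(flows, inventory, expected_sources):
    """Return unexpected RDP sessions, most critical destination first."""
    findings = []
    for src, dst, proto, dport in flows:
        if proto != "tcp" or dport != RDP_PORT:
            continue
        if src in expected_sources:
            continue  # sanctioned admin path, not reported
        device, criticality = inventory.get(dst, ("unknown device", "unknown"))
        direction = "east-west" if is_internal(src) and is_internal(dst) else "external"
        findings.append({"src": src, "dst": dst, "device": device,
                         "criticality": criticality, "direction": direction})
    findings.sort(key=lambda f: SEVERITY[f["criticality"]])  # stable: keeps flow order within a tier
    return findings


if __name__ == "__main__":
    for f in rdp_findings(FLOWS, INVENTORY, EXPECTED_RDP_SOURCES):
        print(f"{f['direction']:9} RDP {f['src']} -> {f['dst']} ({f['device']}, {f['criticality']})")
```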

Respond

Incident response: Develop a plan to respond to an incident. Ordr helps identify the blast radius, understand the impacted applications and users to come up with an effective threat incident response plan.

Recover

Restore: With the backup and encryption mechanisms in place, restore the data.
Verify: Make sure that the suspect hardware or software is not used in the future. Ordr continuously monitors the network for devices and will let the user know about any vulnerable devices coming back onto the network.
Report: Report the incident to the appropriate authorities as designated by response and disclosure policies.
In summary, there is no single prescriptive solution to RaaS, but it can be prevented by following the recommendations from Ordr and other authoritative sources. In the battle between good and evil, good always triumphs; we just need to know the exploitation vectors, the organization's vulnerability posture and its active threat posture. We hope our recommendations help organizations continue their business and discourage bad actors from carrying out malicious activities.
For more information on how Ordr can help you identify and manage vulnerabilities for any connected device, please contact info@ordr.net.

Hospitals see patients with viral infections on a regular basis. Most of the time, however, doctors can only treat the symptoms of the virus, and not the virus itself – that’s a job for the patient’s immune system to handle.

Similar to biological viruses, computer viruses that infect medical devices often cannot be treated directly. Once a virus creeps into the hospital system, it’s up to the system itself to fight it off. Due to the outdated nature of many of these healthcare devices, these exploits or infections are often catastrophic – causing healthcare IT and clinical/bio-meds departments to lose millions of dollars annually and putting patient care in jeopardy.

Below, we have listed a few common questions we’ve heard from our customers about the plague that is currently sweeping through healthcare IT.

Why is this even happening?

Let’s say your credit card gets stolen. You can call your bank, request a new credit card, and get whatever loss you sustained refunded, all within the same day.

If your healthcare records are stolen, you can’t deal with it as easily. A person’s health record contains highly private and sensitive information that provides a lifetime of opportunity for target exploitation. Healthcare records are up to 10 times as valuable as credit card records, making them a juicy target for opportunistic hackers.

Why can’t we sit back and let it run its course?

Every single day there are press articles on how WannaCry devastated a hospital, or on how a new ransomware strain caused operational disruption that forced a hospital to reroute ambulances to nearby hospitals. The symptoms of these viruses can cost the healthcare industry millions, causing widespread confusion and slowing down processes in areas where quick thinking and careful treatment are necessary.

Why can’t we make our IT immune system stronger?

To bolster the "immune system" of hospital systems, IT professionals can upgrade and patch vulnerable systems to fend off attacks and give these devices better protection. However, upgrading and patching are incredibly difficult.

Unlike the auto-upgrades you may see on your laptop, medical device upgrades require a lot more individual attention. Manufacturers have a hard time rolling out patches for millions of units in the field because medical devices are embedded systems with a multitude of software components with potential security vulnerabilities, and the patches also have to go through a usually long FDA approval process.

Bringing equipment back to its original operating condition and guaranteeing that it is ready for patient use is an arduous, expensive, and time-consuming process with no guarantee of actually working. Protecting precious medical devices is a never-ending race. They will always lag behind the computer industry, for good reason, and will always be vulnerable to hacking if left unattended.

Why can’t we go into full quarantine?

We live in a connected world where each and every device needs to record and report vital patient data to the healthcare management system without manual intervention. Hospitals rely on cloud-based offerings, from enhanced radiology services to thermostats that monitor and preserve medical specimens stored in freezers.

In addition, because of the high costs of equipment, many hospitals lease or rent on a regular basis. Even the people employed by a hospital are often hired contractually, and hospitals have countless visitors that cannot be screened.

With remote clinic or telemedicine-based delivery, and countless mergers and acquisitions, healthcare IT staff are always challenged to offer the best patient care.

The Vaccine or Preventive Cure:

The recommendation from the manufacturing community calls for

a) segregating network access (segmentation)

b) blocking internet connectivity

c) going back to standalone mode.

This is no different than what NIST recommends, or HIPAA imposes on hospitals.

We at Ordr aim to help with all of these recommendations. We call our technology a "virtual patch". A virtual patch provides compensating controls for the medical devices by simply programming the installed base of switches, routers, and wireless access points to

a) reduce the exposure of devices spreading malware inside the corporate IT networks

b) control the type and amount of external traffic to and from these medical devices, and

c) protect the precious medical devices in real time as soon as an issue arises.

Even better, as the saying goes, "prevention is better than cure": Ordr allows IT to put in place preemptive controls that prevent malware and ransomware from gaining control of these medical devices.

It all starts with simple, diligent, everyday hygiene. Having an accurate inventory and visibility of what is connecting to the network, day in and day out, is the key. Continuously monitoring for malware exposure or vulnerability exploits and applying preventive measures is an absolute must. Watching internet communication and restricting it to a narrow set is even more critical.

Please stop by our booth at HIMSS 2018 to get a demo of our product, which could help you along this journey. Together, we can make a change in the current landscape, much desired and way overdue. Let us stop this hacking trend once and for all; we are excited to be part of this great mission.