Ordr Recognized in Gartner Market Guide for CPS Protection Platform Read more here!
Northern Maine Medical Center. Fort Kent, Maine.

Fort Kent is a town of just over 4,000 residents abutting the Canadian border in rural Aroostook County, Maine. Fort Kent is famous for being the northernmost terminus of U.S. Route One, and infamous for its long, harsh winters. It is also home to Northern Maine Medical Center (NMMC), a 10-bed hospital that has seen services cut in an effort to lower operating costs.

Maine Public Radio recently reported from a public forum held in Fort Kent’s town hall after the hospital announced plans to close its maternity ward. Residents fear NMMC will soon close; and if it does it will be part of a growing trend. The American Hospital Association (AHA) says that 136 rural hospitals have closed since 2010, and according to a recent report by the Center for Healthcare Quality and Payment Reform (CHQPR), there are more than 600 hospitals across the country in danger of closing due to financial pressures. Of those, more than 200 are in immediate danger of shutting down. That means that hospital mergers and acquisitions (M&A) are likely to continue as a trend identified by Chief Healthcare Executive magazine, which reported there were more than 50 hospital M&As in 2022, with more expected this year.

The Good and Bad of Healthcare M&A

When larger hospitals acquire smaller–and especially rural–hospitals, it can have a positive effect on access to quality of care for the communities they serve. The AHA said that nearly 40% of hospitals added services after being acquired, and that operating efficiencies helped to lower costs by an average of 3.3% after an acquisition. But along with the benefits associated with healthcare M&As come security risks. Security Magazine reported that ransomware attacks on healthcare organizations have doubled since 2016, and because rural hospitals struggle with financial and staffing constraints, they are often more easily breached by threat actors.

In her testimony to the Senate Homeland Security & Government Affairs Committee during a hearing on cybersecurity threats to rural healthcare organizations, former North Country Hospital (Vermont) CIO/CISO Kate Pierce said, “[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.”

[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.” — Kate Pierce, former CIO/CISO, North Country Hospital

The Lurking Threat of Acquired Risks

The dynamic nature of connected devices operating in a network complicates security and IT management issues. In healthcare, these challenges are magnified because patient safety is affected when operations are compromised. Some findings from our most recent Rise of the Machines, Enterprise of Things Adoption and Risk Report (keep your eyes peeled for our 2023 edition soon), show the dangers present when Internet of Things (IoT), Internet of Medical Things (IoMT), and operational technologies (OT) proliferate in a healthcare environment.:

  • 86% of IoT and IoMT deployments have 10 or more FDA recalls.
  • 15%-19% of connected devices run on obsolete/unsupported operating systems.
  • 10%-15% of devices connected to the network  are unknown or unauthorized.
Compromised Medical Devices put Patient Safety at Risk

When a larger hospital makes an acquisition, it takes on the legacy cyber risks that previously beset the smaller one, including the technology assets used to run the facility and support staff in delivering care. In the best cases, hospitals and other healthcare delivery organizations (HDOs) rely on connected medical devices that are likely vulnerable to cyberattack. And once a piece of medical equipment is put in service, it may end up running with obsolete or unsupported software for years, or new vulnerabilities may be revealed that cannot be patched quickly due to patient safety concerns.

Even when a large hospital with “advanced cybersecurity hygiene” takes over the IT and security operations of a smaller hospital, it can take time to assess and mitigate the risks associated with integrating the new organization’s IT estate. And if any of the acquired systems were compromised prior to acquisition, a lurking, undetected threat actor may be able to use the smaller hospital’s IT infrastructure as a kind of Trojan horse from which to move laterally into the new owner’s systems, much like when hotelier Marriott was breached after acquiring Starwood Hotels in 2014.

Mitigate M&A Cybersecurity Risks

With these challenges in mind, a best practice approach to cybersecurity during an M&A event involves three critical steps:

1. Discover every asset in the network

You can’t protect what you can’t see, and so the key to addressing legacy threats and vulnerabilities inherited through the acquisition of other organizations’ technology estates is to be able to discover and classify every asset. That includes all the connected devices in operation: IoMT, IoT, OT, and more. This comprehensive asset inventory may also be useful to determine duplicate systems and reduce redundancies as both organizations in the M&A consolidate their assets.

The Ordr platform performs device discovery and classification quickly, and then monitors communications and tracks changes in real-time. Ordr goes beyond mere visibility to deliver deep, granular, classification of every device, from make, model, serial number, and operating system details. It also provides vital context about where a device is connected and what other systems it is communicating with. Ordr addresses one of the most common M&A challenges of overlapping IP schemas when two organizations are combined. This challenge prevents teams from easily establishing a single view of both environments and can slow risk assessment and integration efforts.

2. Identify your attack surface

The next step is identifying and measuring the attack surface from these assets. This can include devices with vulnerabilities, devices running outdated operating systems, or those with weak passwords. By baselining devices and their communications patterns, you can determine behavior that is outside of norm, that may be an indication of a compromised device.

From a deep, granular foundation of visibility, Ordr gives a complete view of the connected device attack surface and communications in real-time. Ordr identifies which devices are vulnerable or acting in a risky manner, and assigns a risk score based on the device’s known, determinative operational parameters.

3. Implement M&A cybersecurity best practices

Once you know what devices and risks you are inheriting as part of the acquisition, you can begin to implement M&A cybersecurity best practices. The most basic M&A cybersecurity best practices may be segmentation between the two networks, until access and convergence is complete. You will also want to identify or document key risks that need to be mitigated and addressed during or post acquisition.

Ordr dynamically automates the creation and enforcement of security policies. This means that organizations using the Ordr platform can quickly block attacks, quarantine compromised devices, segment vulnerable devices, and accelerate Zero Trust projects to proactively improve security.

Cybersecurity Due Diligence

Identify Risks Before Hospital Acquisition

Because hospitals and HDOs are under constant risk of attack from threat actors who care nothing of the danger their actions present to patients—and, in fact, use that danger to their advantage when carrying out ransomware attacks—there is no grace period when acquiring a smaller organization. It is imperative that the acquiring hospital include cybersecurity when conducting their due diligence. The network must be inventoried, assessed, and protected as quickly as possible, and Ordr helps get that done even before a contract is signed.

Furthermore, we operate on a philosophy of continuous improvement, expanding our integrations, leveraging the most up-to-date threat intelligence, and building our library of millions of device profiles to ensure Ordr is the most comprehensive, single source of connected device truth available. Check out our M&A solution brief for more details on how we help with cybersecurity due diligence.

The past two years have been extremely challenging for healthcare providers. The pandemic thrust healthcare providers into an unprecedented period of transformation. It increased the importance of asset management as medical devices were mobilized and rapidly deployed to deal with the surge of patients. This was followed by the hybrid workforce trend and telemedicine adoption that extended the caregiving environment (and devices) beyond traditional hospital walls. At the same time, cyberattacks like ransomware increased in frequency and severity, reverting many hospitals to pen and paper and disrupting patient care.

The modern healthcare environment now must support the proliferation of connected medical devices that are critical to patient care and operations. Healthcare providers monitor these devices continuously and keep them functioning efficiently but must also protect them against cyberattacks.

Addressing Healthcare Provider Challenges

When Ordr and GE HealthCare first began collaborating, we spoke to several Biomedical & Healthcare Technology Management (HTM) and Security teams about the top challenges they were facing.

From these conversations, we learned there is untapped potential in optimizing healthcare networks with real-time data to improve clinical productivity, enable equipment uptime, simplify troubleshooting, and maximize the utilization of clinical assets. With hospital funding challenges and workforce turnover, the more efficient biomedical and HTM teams can be, and the fewer manual processes they have, the happier they will be.

Here are some of the challenges Biomed and Clinical Engineering teams are facing and how we are helping them:

  • Locating devices and understanding utilization: Biomedical engineering and HTM teams can spend more than an hour per person per shift locating devices and patient data modules in the hospital. Often, once they finally locate the devices, they discover that the devices are in use and cannot be serviced, patched or updated.  Our new service offering helps eliminate this costly inefficiency, enabling biomed and HTM teams access to connectivity (physical or network) and near real-time utilization details for every device. They can locate specific devices for maintenance or troubleshooting, including GE HealthCare patient data modules and the bedside monitors to which they are connected.
  • Visibility into devices and flows: Manual processes to discover and manage device fleets can be inefficient.  With this service, biomed and HTM teams will benefit from automated discovery and classification of devices, visibility into device flows and connectivity, and near real-time and accurate device data that can integrate into their existing CMMS. This reduces the need for biomed and HTM teams to perform labor-intensive and error-prone tasks of walking around hospitals trying to identify devices, their serial number and where they are connected to. Behavior anomaly alerting on traffic flows can help identify compliance issues such as medical devices moving to the guest VLAN.
  • Monitoring and troubleshooting Intermittent outages: Biomed and HTM teams may not be aware of devices impacted by communications or performance issues until it’s too late. When medical devices are impacted by downtime, clinical workflows suffer. Essentially, clinicians’ ability to provide quality care is compromised If they are unable to use these devices or access the information they need to do their jobs and treat their patients. As part of the Ordr and GE HealthCare’s service offering, we have developed new application and network monitoring functionality for the CARESCAPE network. Healthcare systems can proactively identify issues before they impact clinical care. An early “diagnosis” of potential issues, along with granular insights for troubleshooting, can eliminate major failures, decrease downtime, and lower service costs.
  • Vulnerability management:  When new vulnerabilities are published by manufacturers or software providers, it can take a great deal of time for healthcare providers to determine which of their devices are impacted, slowing their response time. Lack of accurate device data (OS, software version, etc.) can make it difficult to assess risk and identify devices with vulnerabilities. Our service offering enables hospital security and biomed/HTM teams to identify and focus on specific vulnerabilities affecting clinical assets under their management, prioritize vulnerabilities with Clinical Risk Scores, and self-manage the remediation process with simplified workflows and custom tags.

Why Ordr and GE HealthCare Collaboration

“Empowering Biomedical Technicians, Clinical Engineers, and Hospital IT with easy-to-use tools aimed at improving self-managed network security, productivity, and equipment uptime is key to enhancing critical patient care.” said Alla K. Woodson, GE Healthcare’s Global GM, Patient Care Solutions – Services & Consumables. “This network performance and security solution brings together the technology and scale of our two organizations to help ensure that our customers have visibility and access to actionable insights.”

“Hospitals and healthcare facilities rely on GE Healthcare’s CARESCAPE networks to host critical patient care devices, it is of the utmost importance that these networks – and everything connected to them – remain secure and operating at peak efficiency,” added Jim Hyman, CEO of Ordr. “The deep integration of the Ordr platform with the GE Healthcare CARESCAPE network will help give healthcare organizations comprehensive clinical asset visibility, security and performance capabilities they need to optimize and protect their environment of care.”

GE HealthCare’s Service Offering for CARESCAPE patient monitoring networks that harnesses the power of Ordr platform, will be available early this year.  For more details on the offering, contact info@ordr.net.

The risks associated with a large, connected device attack surface are getting harder to ignore. In recent weeks the U.S. Cybersecurity Infrastructure & Security Agency (CISA) and National Security Agency (NSA) issued a joint advisory on threats associated with operational technology (OT) such as the industrial control systems (ICS) that many critical infrastructure organizations rely on to run their facilities. Overseas the European Union enacted two new regulations mandating stricter cybersecurity requirements for connected medical devices, otherwise known as the internet of medical things (IoMT).

Ordr has been working hard to provide the means for organizations in industries like healthcare, financial services, manufacturing, life sciences, and government to protect themselves from those threats since 2015. And we are always happy when those efforts are recognized because it means more awareness of the dangers to critical systems and of the tools available to keep them protected.

Ordr Recognized as a Leader in Healthcare IoT Security

On September 20, International Data Corporation (IDC), one of the leading information technology market intelligence advisors, recognized Ordr as a leading innovator in IoMT security solutions in their report, IDC Innovators: Healthcare IoT Security Products, 2022.

IDC describes healthcare organizations as “high-value targets for cyberattacks. As more medical devices are connected, the attack surface that bad actors can exploit has increased dramatically and a single breach can lead to a multitude of undesirable outcomes. Meanwhile, traditional information technology (IT) cybersecurity solutions are not designed to protect the wide range of medical devices used in supporting healthcare.”

As more medical devices are connected, the attack surface that bad actors can exploit has increased dramatically. — IDC

Ordr Provides Ground-to-Cloud Protection

Ordr’s platform provides protection for those environments by enabling complete ground-to-cloud visibility of all IoMT, IoT, and OT devices whether they are on-premises or remote, no matter if they are communicating locally or across complex digital supply chains. Then, we provide precise, contextual, real-time understanding of the operations and data flows of each device on the network, automating dynamic security policy generation and enforcement in the event a threat is detected. We can do this because the Ordr Data Lake is populated with detailed operational profiles for millions of devices.

When any device strays from its deterministic parameters, Ordr detects that change and automates proscribed actions to protect the device and its operational ecosystem. This is vital to preventing attacks against connected devices, containing threats by blocking lateral movement to and from connected devices, and maintaining operational resiliency for critical infrastructure targets, like hospitals and healthcare organizations, that are frequently targeted by ransomware gangs.

Ransomware an Ever-Present Threat

“Ransomware is an ever-present threat and can be particularly devastating in the healthcare sector, where even a few minutes of downtime can have deadly consequences. Protecting connected medical devices, many of which were not designed with security in mind, is now a top priority for IT and biomedical engineering departments. Medical IoMT security products provide much needed ‘context’ about devices and how they are being used so that smart decisions can be made to reduce their cybersecurity risks,” said Ed Lee, research director, Internet of Things and Intelligent Edge: Security at IDC.

Medical IoMT security products provide much needed ‘context’ about devices and how they are being used so that smart decisions can be made to reduce their cybersecurity risks, — Ed Lee,  IDC

In addition to this recognition from IDC, Ordr was named a healthcare IoT security market leader for an unprecedented third straight year by KLAS Research, recognized as a member of the CyberTech100 most innovative and pioneering companies that are helping financial institutions combat cyber threats and fraud, and is trusted by leading healthcare organizations like Cleveland Clinic, Dayton Children’s Hospital, Mayo Clinic, Freeman Health, and many more.

If you want to see for yourself why Ordr continues to earn kudos and customers, get in touch and we can provide a demonstration or answer your questions.

A little background on why I’ve agreed to do this guest QA blog for Ordr:

In my role as CTO at CDW Healthcare, I talk to former healthcare peers, in an advisory capacity, to help them protect patient safety and resources with the best cybersecurity technology solutions. Prior to joining CDW, I was CIO of Halifax Health where we deployed Ordr for our medical device security needs

I’ve been at CDW for slightly more than two years, after more than two decades in the healthcare trenches, most recently as the former CIO of Halifax Health. I decided on a different role at CDW to bring best practices and cybersecurity technologies to my CIO colleagues who are on the forefront of fighting the cyber war. If the healthcare industry could more effectively collaborate and share security expertise to mitigate cyber-attacks, we would stand a much better chance against the cyberattacker army working together against us every day!

What is your primary goal as the CTO of CDW Healthcare Division?

To bring awareness to our healthcare customers on the importance of bringing modern IT tools into healthcare organizations to optimize patient safety and hospital resources. With Ordr’s cybersecurity solution there are many ways network visibility helps hospitals beyond, of course, ransomware, but also what’s happening with device utilization, what’s happening with compliance and what’s being communicated externally. There are several important use cases we want to advise our customers about to develop a proactive plan before something bad happens.

Why is IoT and connected device monitoring and enforcement so unique for hospitals?

There’s a problem with biomed devices and it’s not going away. There will always be biomed devices that have outdated and unsupported operating systems. In the beginning, when first purchased, they were of course running mainstream and perhaps even state of the art operating systems, but now these operating systems are no longer supported by the manufacturers. As a result, O/S patches are no longer available to address vulnerabilities, even though these devices are still within their useful lifecycle and are still viable, delivering strategic care for patients and revenue to healthcare organizations.

Why weren’t patches performed on outdated operating systems on biomed devices?

Unfortunately, this is due to the biomedical industry. As a medical device design engineer for ten years, I may have helped cause the problem, although we thought it made sense the way we did it back then. We would buy an off the shelf computer and put it in a cabinet or a device we were creating, and it would run it. The computer we installed ran whatever the latest operating system was at the time. The issue back then was per the FDA 510k rules for class two, and three medical devices once the device was tested, it could never be altered.  This included the operating system on the off the shelf computer.  So, the manufacturers never changed them or patch the OS because they could not!

Can you patch today?

In 2016, the FDA reversed their guidelines and said you can patch devices now because it is important to upgrade operating systems. But it was a guideline, it was not a mandate. Because it was a guideline and because it is hard for biomedical manufacturing companies to transition to have a global patch program for all the devices they sell, they do not do it. And they do not want to release the product to an IT team to open it up and obviously, upgrade the operating system or patch it due to inherent risk on their part, because it might make their system not work properly.

Bottom line, the problem is going to persist because biomed devices will continue to outlast the useful life of their operating systems and CFOs do not want to replace a $4M imaging device that makes the hospital money every day only because it has a security vulnerability.

If you don’t patch what can the CISOs and security leaders to do?

They are stuck, because now they have a known vulnerability in their system, and they must do something about it. This is the reason I was introduced to Ordr.

How did you select Ordr for addressing the patching issue?

“To get the security and network teams to completely agree on something was amazing.”

Our first step was to do a POC (proof of concept) by my IT security team. A few weeks  later, my network and security team had a meeting with IT leadership to show the results of the POC. We were all blown away. I’ll never forget that moment because everyone was happy, even joyous which doesn’t normally happen with software in general.

To get the security and network team to completely agree on something was amazing, because normally, they have a little contention just due to their job functions where one wants data to flow, and the other one wants to control data.

Once deployed, did you meet your objective?

“One of the major tenants of cyber security is to understand your landscape. And that includes all devices connected to your network. Are they patched? Or are they outdated and unsupported?”

I was amazed. Ordr worked and it worked well. We purchased Ordr originally because I knew I had a problem with older biomed devices running Windows XP. Before Ordr, our vulnerability scans would find them but then they would disappear because of their dynamic nature of how they connected to the network. And if we didn’t find them that very minute and physically locate them, we would lose sight of them. It was a real problem. We could not see and didn’t know our full landscape. And that is scary, because to me, one of the major tenets of cyber security is to understand your landscape. And that includes all devices connected to your network and their patch status. Are they patched? Or are they unsupported? It is not just your IT devices, it is anything that is connected to your network. As you know, in the last five years, that’s grown greatly with so many other things connecting now, and you still have these legacy biomed devices that are out there too.

How did you manage all the outdated and unsupported biomed devices you found?

When we fully deployed Ordr, we noticed a couple of things right away. First, we not only found all the biomed devices, but we also now had an inventory of them. And we were able to understand what operating systems they were running and could have a plan of what to do about it. At that time, we had three choices.

  1. Replace the device. But again, financially that might not be viable.
  2. Get the manufacturer to patch it, or to upgrade the operating system so it was no longer vulnerable.
  3. Bury it by micro segmentation. Through micro segments, you have controls around it from the internal firewall, Even though we have controls, you still need to monitor it and we used Ordr.

When I would talk to people, they understood Splunk monitors user behavior. Ordr monitors device behavior. I can now set upper or lower limits on the device itself. And if Ordr detects something odd, we can be alerted

What was the next step to managing these vulnerable devices?

“If the hacker gets in and gets to an XP device, that would be the biomed device, it takes about 20 minutes for them to own that device. If the device is connected to a server, then they can own the network.”

The roadmap was moving more towards enforcement and that sat well with me. The reason why is that hackers do not attack during the day, they tend to attack at night and on weekends. At those times, depending on what hospital you’re at, you might be relying on a managed Security Operations Center (SOC), which is pretty good. Or you might be relying on your on-call staff to fight any cyber problems in the middle of night. And there’s latency in that. If the hacker somehow gets in and gets to an XP device, it takes about 20 minutes for them to own that device. If there are any servers connected to that kind of device, then they have the opportunity to own the network. Now the world turns bad quickly. To have a system that has deep understanding of proper network communication related to strategic IoMT devices and can monitor those devices 24/7and alert us when something is wrong, is great.

Next, if I could actually enforce policy, or at least send API commands from Ordr to change the policy in my  firewall or my NAC,  these devices could shut down communication at 3 am in milliseconds.  This is much better than the time it would take the team to figure out what the problem was, based on a calls to the service.  IoT and connected device security enforcement can stop a virus from propagating

What else could you do now with full visibility of your network landscape?

Device utilization is a big deal. Ordr creates custom views per departmental stakeholders. For example, the Biomed and/or Operations team could go into their Ordr view and just look at medical device utilization. Their view doesn’t allow them to see the other aspects of cyber or network information Ordr was capturing.

I like to tell the story that if a clinician wants another ultrasound device in your hospital, but your ultrasound fleet is only being utilized 30% of the time, you do not need another ultrasound, you need to improve your processes to get better utilization of your devices. And when you do this, you save money by not buying another device while improving your processes. And so that is valuable.

For some devices, Ordr was monitoring down to the battery life level. Since we all know batteries go bad, to have an alert to the Clinical Engineering team for low batteries on biomed devices is cool and important.

The next important outcome we gained is forensic device data. Ordr collecting all device data in the cloud. When we have a potential security incident, we called the security team. The team uses Ordr to determine what device was bad and see who it was talking to and how it was talking, to see if it was doing things that it should not do. We always used Ordr during any security incident as part of our incident response toolbox. And it worked well. And even the network team liked it because Ordr does an incredibly good job of showing how everything communicates, and what it is trying to communicate and what is being blocked from communication.

To sum it up, first and foremost the outdated and unsupported biomed devices are a problem that is not going away, ever! Operating systems only have a life for so long, so you need something to address the issue. With Ordr though, you get more use cases including device utilization management, forensic data and the network team gets to see how things are communicating, outside of their regular forensic toolbox. So that’s why I like Ordr.

Please contact me if you’d like to learn more or to share stories that could benefit all of us in addressing outdated medical devices and cybersecurity resiliency in healthcare.


The Cyber & Infrastructure Security Agency (CISA) recently issued two security advisories highlighting vulnerabilities associated with connected devices made by medical technology firm Becton, Dickinson & Co. (BD). The advisories follow disclosures BD made to CISA, and describe security flaws in the company’s Pyxis and Synapsys product lines.

Among the vulnerabilities described in the advisories are the use of default and shared credentials in the Pyxis products and “insufficient” session expiration for the Synapsys informatics platform. Both flaws could leave the devices vulnerable to exploitation by threat actors who could then gain access to sensitive patient protected health information (PHI) or even affect the delivery of correct treatment.

Device Vulnerabilities Put Network and Patient Safety at Risk

The disclosure of these security flaws by BD, and the subsequent advisories issued by CISA, underscores the risk to both network and patient security when vulnerable  internet of medical things (IoMT) devices are deployed within healthcare environments. Even when such devices must remain in service and cannot be patched, allowing them to continue operation without taking steps to mitigate their associated risks should be regarded as a dereliction of duty.

In this current case, BD recommends a number of steps to close the now-known security gaps, including:

  • Limit physical access to only authorized personnel;

  • Tightly control management of system passwords provided to authorized users;

  • Monitor and log network traffic attempting to reach the affected products for suspicious activity;

  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed; and,

  • Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

From an IT and security operations standpoint, these steps may be difficult for hospitals and other healthcare delivery organizations (HDOs), especially in larger organizations with no means for effecting proper asset management. This leaves questions like: Does my organization have these devices in inventory and where are they located? What software versions are installed? Are they in use and unable to be taken out of service?

Ordr can answer these questions and easily address the recommendations by BD above.

See, Know, Secure, Every Connected Device

Our See, Know, Secure approach to connected device security means our customers can find and identify all the BD connected assets—as well as other connected devices operating in the network—within minutes of deployment. Once Ordr has discovered the devices, their specific make, model, and other operational data are identified, the BD products that are impacted by this vulnerability can be  monitored for any anomalous behavior that could be an indicator of compromise (IOC).

Ordr can identify which BD devices are being accessed by which user, and track which users were logged into a specific device, at what time, duration and more.

Ordr also enables security teams to proactively segment the impacted BD devices, and to set Zero Trust security policies specific to each. In the event that a device is compromised, and we detect anomalies such as a suspicious communications pattern or other operations outside of defined parameters—our segmentation policies limit  an attack’s potential “blast radius” by isolating affected devices and network segments, and allowing security teams to take mitigating actions within minutes of a breach.

Ordr Can Help Secure Your Devices and Environment

With studies suggesting that as many as three-quarters of all connected medical devices currently in service contain at least one security vulnerability, and that half may contain two or more, it is critically important for hospitals and HDOs to do what is necessary to gain the upper-hand on connected device inventory, management, and security.  For more information about how the Ordr can assist in this endeavor, please visit our site to learn more about our security platform, or contact us with questions specific to your organization’s situation.

Tactics, Techniques, Procedures and Recommendations of How to Triage

Perspective on the increase in ransomware attacks

Ransomware continues to make the headlines as researchers warn of a seven-fold increase compared to 2019. Healthcare is a very lucrative target, with attacks increasing by 350% in Q4 of 2019 (compared to Q4 2018) and continuing to rise through 2020. The pandemic provided a significant opportunity for any threat actor looking to target healthcare providers, as the focus shifted from a holistic look at patient care, health outcomes, experience, revenue, and security to health outcomes. In addition, there has been a mass influx in connected devices deployed in facilities without the proper purview of IT and Security teams, leading to an incomplete asset inventory and clear visibility of how/where devices are communicating.

Ransomware as a viable threat to healthcare organizations has led to sophisticated attackers with complex and targeted campaigns. The recent wave of ransomware campaigns looks more like a hands-on hack than an autonomous piece of malware propagating across the network. The operators facilitating the recent ransomware attacks are heavily incentivized to make sure their malware is extremely effective at propagating diverse networks. We have seen simple pieces of malware like trojan droppers install remote control functionality and backdoors which allow these ransomware operators to then get on to the healthcare network and then run tools like Cobalt Strike to privilege escalate themselves to admin. Once admin privileges have been granted, these ransomware operators begin turning off the malware detection and incident response programs on the infected devices. We’ve seen these operators use tools like Mimikatz to dump memory and gather local admin passwords or common user passwords on systems. Once common passwords have been gathered, the network is theirs for the taking. In organizations that use Remote Desktop Protocol (RDP) on workstations and servers, we’ve seen these compromised local administrator accounts used to install and distribute the ransomware. We’ve also seen these attackers run PsExec and PowerShell scripts remotely by mounting remote shares (like IPC$ and C$) using the compromised credentials. If local or commonly utilized credentials cannot be gathered from initially infected host we’ve seen them pivot to other hosts, or use common exploits kits to propagate throughout the network. These operators are skilled and unfortunately most healthcare providers and healthcare delivery organizations are trivial to compromise once these ransomware operators are inside.

Healthcare organizations that have vulnerable services on the edge of their network get compromised easily by autonomous scripts that are constantly scanning the internet. Once compromised, the script drops a payload that includes all of the tools the operators need for privilege escalation, exploitation, and lateral movement. Many healthcare organizations have flat networks, and utilize common local administrator accounts on largely unpatched systems. It is common to find legacy and largely unsupported operating systems like Windows XP running on both workstations and critical medical devices which cannot be patched and are running vulnerable services like SMBv1 that are available to the entire network. Simply put, once the initial compromise happens, it is largely trivial for these ransomware operators to infect an entire healthcare organization within a few hours.

Let’s discuss the 3 most common ransomware campaigns that are targeting healthcare providers and healthcare delivery organizations and what their TTPs are:


Brief Description:

The Zeppelin ransomware is believed to be operated by a Russian cybercrime group however very little is known about the operators. The initial infection code checks to make sure it will not infect machines located in Belorussia, Kazakhstan, Russian Federation, or Ukraine. The Zeppelin ransomware code is largely is based on a purchasable ransomware variant known as VegaLocker which is available on multiple hacking and ransomware as a service websites and forums. The initial infections of Zeppelin began in the beginning of 2019.

What does a Zeppelin Compromise typically look like (TTPs):

  1. Typically, a spam or phishing email is received by an organization that includes an infected document that download and installs malware onto the system.
    1. Some initial infections appear to be Vidar Spyware or the CobaltStrike penetration tester toolkit.
  2. Recently the Zeppelin operators appear to be exploiting vulnerable RDP, Apache Tomcat, and Oracle Weblogic servers available on the internet.
  3. Once connected to the infected system the operators will install PowerShell scripts and PsExec.
    • In some Zeppelin instances a legitimate remote desktop application called ScreenConnect is initially installed (if it doesn’t already exist). The Zeppelin operators will connect to the ScreenConnect service and install the PowerShell scripts, privilege escalation tools, and PsExec.
  4. The Zeppelin operators will run a set of PowerShell Anti-Anti-Virus scripts and turn off logging to prevent detection and subsequently dump memory looking for local accounts that can be used to either propagate throughout the network or compromise the domain controller.
  5. Typically, the Zepplin operators attempt to compromise the domain controller and once compromised they create a domain admin account to distribute the Zeppelin ransomware throughout the network.
    • The domain admin account that is typically created is called “SQLSvc”.
    • If the domain controller is difficult to compromise, they attempt to distribute the Zeppelin ransomware using compromised credentials dumped from memory of infected systems and propagate through file deployment and execution by PsExec.
  6. Once on the Domain Controller, they deploy a command to all connected devices to download Anti-Anti-Virus and Anti-Backup scripts along with the Zeppelin ransomware.
    • The Zeppelin operators utilize the certutil command on Windows to download and infect machines with the scripts and ransomware.
  7. Finally, the scripts and Zeppelin ransomware is executed on all connected devices via PsExec.


Brief Description:

The Ryuk (aka Conti) ransomware is known to be operated by Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes which was possibly created by a North Korean hacking group and is purchasable from multiple hacking and ransomware as a service websites and forums. The Russian cybercrime group started targeting healthcare organizations in late 2018.

What does a Ryuk Compromise typically look like (TTPs):

  1. A spam or phishing email is received by an organization that includes an infected document that drops a trojan downloader/bot that includes several tools for remote access, privilege escalation, and lateral movement.
    • The most common malware that is installed is (Emotet, TrickBot, QBot).
    • Many believe that the Ryuk operators are working with the Emotet and TrickBot deployers in order to purchase previously infected systems within large networks.
  2. The Ryuk operators gain access to the Emotet/TrickBot compromised machine typically through a PowerShell script that launches a reverse shell that connects to the Ryuk operators.
  3. Once on the infected system the Ryuk operators turn off all PowerShell logging and run Anti-Anti-Virus scripts to prevent detection.
  4. Common lateral movement, privilege escalation, and exploit kits are downloaded onto the infected machine.
    • It is common for the Ryuk operators to utilize the PowerShell Empire post exploitation kit.
  5. The Ryuk operators dump the infected machines memory looking for local accounts that are used on Workstations and Servers throughout the network.
    • If local credentials are not found, the operators will use common exploit kits.
  6. Lateral movement and infection happen either via RDP or through PsExec.
    • Typically, the domain controller is initially targeted and if compromised the domain controllers will typically be used to distribute the scripts and Ryuk ransomware to all connected users/computers.
  7. Anti-Anti-Virus and Anti-Backup/Recovery scripts are run on soon to be infected machines in order to prevent both detection and recovery from the Ryuk ransomware.
  8. The Ryuk ransomware is deployed to all machines using PsExec and a local service is created and started to run the Ryuk binary.
  9. The Ryuk operators sometimes oversee the infection to ensure that it is successful and once infected they start emailing employees informing them of the infection and to reach out to them via an anonymous email where payments are later discussed. The payment amounts typically vary depending on the size and the revenue of the organization that is infected.


Brief Description:

Sodinokibi (aka Sodin, REvil) is another ransomware-as-a-service operation which started in April of 2019 and is believed to be created and operated most likely by the same Russian group behind the popular GandCrab ransomware. In early 2019 the Sodinokibi group is believed to have hired affiliate hackers with a guaranteed payment of $50,000 USD and between 60% to 70% cut of the revenue after payments were secured from victims. The developers of this ransomware regularly post updates and new functionality to their code. Once installed, Sodinokibi ransomware initially looks for the computers language settings and will not infect if the set language is used in most former Soviet Union or Middle Eastern countries. The Sodinokibi ransomware has been seen using several TTP’s including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords.

What does a Sodinokibi Compromise typically look like (TTPs):

  1. It is difficult to describe the typical attack method used to deploy the Sodinokibi ransomware as there are several which leads some security professionals to believe that Sodinokibi is being operated by multiple cybercrime organizations.
  2. Sodinokibi has been seen distributed as a spam or phishing email that is received by an organization that includes a heavily obfuscated malicious JavaScript that includes PowerShell scripts that will turn off logging, disable antivirus functionality, and ultimately installs the Sodinokibi ransomware.
  3. The Sodinokibi operators also appear to be exploiting vulnerable WebLogic and RDP servers available on the internet.
  4. After the initial infection the Sodinokibi operators drop various exploit and privilege escalations kits to laterally move throughout the network.
    • Similar to Zeppelin the Sodinokibi operators typically use the certutil command on Windows to download their scripts, exploit kits, and ransomware payload to infected machines.
  5. Once infected with the Sodinokibi ransomware, the malicious binary deletes all file shadow copies on the infected system and disables recovery mode in order to ensure that the encrypted files could not be restored from a local backup.
  6. The Sodinokibi ransomware includes several persistence and Anti-Anti-Virus and Anti-Backup/Restore functionality making the installation easy. This functionality makes it more autonomous for the operators which is why we sometimes see Sodinokibi installed in simple drive by attacks on vulnerable internet facing servers and services.

One concerning tactic that most ransomware as a service operators are starting to employ is to exfiltrate several important files from an infected organization and threaten to both publicly disclose the breach and publish the important documents on their blogs typically hosted on the Dark Web. We’ve seen many ransomware operators publicly announce and release sensitive material for companies that did not pay the ransom.

Recommendations on using Ordr to Protect Against Ransomware

  1. Discover and identify your weak points
    • Identify devices running legacy versions of Windows that are running SMBv1 (such as Windows XP and Windows 7) The Ordr IoT Discovery Program allows you to quickly identify these devices. In Ordr’s Rise of The Machines Report, we identified that 15-19 percent of our deployments had IoT devices running on legacy operating systems Windows 7 (or older).
    • Identify devices with known vulnerabilities as attackers will try to exploit them them. Use Ordr’s built-in scanner or take advantage of our integration with vulnerability management solutions like Rapid7 and Tenable.
    • Identify high-risk and vulnerable devices that cannot be patched. Using Ordr integration with winRM, you can identify device operating systems and status of patches.
  2. Enable proactive segmentation
    • Using Ordr, systems that cannot be patched need to be isolated.  Ordr allows you to easily create segmentation policies that restrict devices to only sanctioned communications required for their functions.
    • Work with Ordr and our firewall and networking infrastructure partners to enforce these segmentation policies in your existing infrastructure.
  3. Monitor for Ransomware Indicators
    • Identify anomalous communication using the Ordr Flow Genome. This can include discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
    • Alert on common exploits and known ransomware payload URLs used in lateral movement such as EternalBlue.
    • Alert on common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites, the Ordr product will alert on them.
    • Track user logon/logoff activities using Ordr. Our platform provides a mechanism to pull user logon and log off activities from Active Directory and also track locally created users. This allows you to ensure the right users have access to vulnerable machines and identify any anomalous user accounts created within the network by threat actors

If you’ve already been attacked by ransomware, here are recommendations on how to deal with it, as described previously in my blog here. Note that with ransomware examples in this blog, there are no decryptors available at this time.

If you have questions about ransomware protection, please contact us at info@ordr.net. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.