
The last of the seven-part CHIME Medical Device Security Webinar series focused on building a business case for next-gen medical device solutions. In our wrap up webinar, we delved into the featured topic with two special guests.

  1. Matt Dimino: VP of Operational Technology and Security at First Health Advisory. Mr. Dimino’s professional credentials include CEH, CISM, CISC, and HCISPP.
  2. Chuck Christian: With over 40 years of experience in healthcare IT, Mr. Christian is VP of Technology and CTO of Franciscan Health and a Life Fellow Member of both CHIME and HIMSS.

We began Episode 7 with Mr. Dimino briefly refreshing us on the unique challenges, risks, and threats associated with medical devices, and the burgeoning marketplace for cybersecurity tools to address them. The formidable obstacle in any major organizational initiative is often simply articulating a compelling case to executives and departmental management so that they decide upon an actionable plan. The perception that cybersecurity drains funds is among the foremost detriments to one’s case for next-gen security tools. Adding his insight to the discussion, Mr. Christian comments, “At a lot of the places I’ve seen over time, medical organizations look at security as an expense that can be avoided, and that they can ‘roll the dice’ and accept the risk.”

Successfully persuading budget-conscious decision-makers requires recharacterizing device security as an investment rather than an expense; building value through not only avoiding costs in risk reserves and hedging, but recovering unrealized revenues by correcting operational inefficiencies as well.

Emphasizing integration capabilities is critical in building your case. Healthcare Delivery Organizations (HDOs) frequently have a patchwork of partial security solutions across varying departments. For instance, Healthcare Technology Management (HTM) or Biomed may have a Computerized Maintenance Management System (CMMS), IT manages a Configuration Management Database (CMDB), and the maintenance techs work out of a spreadsheet. With the right vendor, a Medical Device Security (MDS) or discovery and monitoring tool can be integrated into the existing enterprise architecture and constructed into a unified, streamlined system that fills the gaps between under-connected personnel and departments, enhances the utility of existing security tools, and provides a centralized hub of organizational intelligence and coordination. More often than not, implementing a complete next-gen solution is not a scorched-earth or start-from-scratch ordeal. Instead, it is identifying and inserting the missing piece of the medical device security puzzle.

Illustrating the numerous vectors from which returns on a security tool investment are expected is equally essential to its rationale. Mr. Christian and I examine some of the use cases Franciscan Health considered during the process of selecting an MDS tool. For example, workflow management reflects the potential for procedure data revealing OT capacity configurations that optimize device utilization. Fleet management attempts to quantify how granular network visibility produces superior intelligence for capital planning and lease-or-buy decisions. The microsegmentation use case estimates the value of HTM and IT labor, which in the absence of having to manually segment devices, can be assigned to other priorities.

A sincere thank you to all who attended this webinar series, the guests who contributed their invaluable expertise, and to CHIME for allowing me to design and host this series. All seven archived episodes of the Medical Device Security webinar series are available to stream for CHIME members or for purchase on store.ignitedigital.org.


Continuing an ongoing theme explored throughout the CHIME Medical Device Security webinar series, the central subject of the Episode 6 discussion and analysis was the necessity of both device monitoring and discovery tools (aka medical device security or MDS) and a computerized maintenance management system (CMMS) to adequately protect a clinical network from the serious threats that are now a reality faced by managers of critical infrastructure across countless industries.

Either tool on its own is only a partial solution, and a true next-gen technological approach is an integration of both into a unified system.

Mayo Clinic has been pioneering exactly such a solution in its HTM Cybersecurity Program. Today, I was joined by two pivotal members of HTM leadership at Mayo Clinic.

  • Keith Whitby, MBA, CHTM, is the Healthcare Technology Management Section Head and has 20 years of IT and HTM service experience.
  • Kurt Griggs, CRISC, CISA, MCSE, is a Senior Manager of HTM and has over 28 years of experience in IT and IS risk management and information security.

Previously in Episodes 4 and 5, we discussed Mayo’s selected vendors of both tools, Ordr and Nuvolo respectively. Today our discussion turned to the finer details of their integration in the live environment.

“A true next-gen technological approach is an integration of tools into a unified system”

As thoroughly explored in previous episodes, Mr. Whitby starts by summarizing the inherent risks of medical devices:

  • Dispersal of ePHI
  • Low granular visibility amongst all IoT
  • Inventory challenges
  • Coordinating IT and HTM remediation responses
  • Real-time incident identification
  • Diverse hardware and software specifications
  • Extended lifecycles of high-capital legacy devices.

At the outset of Mayo’s journey to build a comprehensive solution to these problems, the first step was constructing a framework for the project’s objectives and guiding doctrine of security. Mr. Griggs elaborated on the influences of the Program’s foundational thesis, which includes the NIST Cybersecurity Framework, and the AAMI publications Medical Device Cybersecurity: A Guide for HTM Professionals and Technical Information Report 57: Principles for Medical Device Security – Risk Management.

Having completed the MDS and CMMS vendor selection, installation in facilities, and integration and incorporation into the overarching enterprise information system, Mayo entered the most exhaustive and prolonged phase of implementation: the gradual refinement of the technology itself and of organizational processes and procedures through careful analysis of feedback and intelligence. A core concept of the Program is the Security Lifecycle Profiles (SLPs), defined by Mr. Griggs as “living profiles” of devices. Mayo committed to fully leveraging the capabilities of the solution from the start, and the fully automated, dynamic, and real-time device records and analytics of SLPs are a testament to its steadfast persistence in recalibrating the system until its operational capabilities are completely optimized. For an investment of this scale, and for the scale of the risks it mitigates, it is essential that the HDO recognize the vast potential left unrealized by taking half-measures and making compromises. I feel like “Mayo is living the standards that have yet to be set.”

“Mayo is living the Medical Device Security standards that have yet to be set.”

Be sure to attend the conclusion of the 7-part CHIME Medical Device Security Webinar series, A Business Case for Next Gen Medical Device Solutions. If you missed an episode, you can view my recap here and register for the entire series.


Episode Five of the seven-part CHIME Medical Device Security webinar series aired last week, with the featured topic of discussion being Operationalizing, Standardizing and Contextualizing. As the host of the webinar series, I was joined by two senior executives at Nuvolo. Tony Bailey is the Director of Product Marketing for OT Security, and Dustin Smith is a Senior Solutions Consultant and formerly the Director of Central Support for Healthcare Technology Management at Intermountain Healthcare.

In the episode we delved into the security solutions for medical devices available to Health Delivery Organizations (HDOs), including what they do, why they are necessary, and potential integrations between them. As the guest speakers both represent Nuvolo, the OT Security module of their integrated workplace management system (IWMS), branded as the “Connected Workplace”, is used to demonstrate how device data is transformed into meaningful and actionable intelligence. Operational Technology (OT), as defined by Mr. Bailey, comprises the non-IT assets in a medical facility that have the ability to connect to a network. This includes medical devices and facility and laboratory equipment. OT is distinguished from IT by being directly utilized in healthcare operations and is mission-critical to the organization, necessitating a heightened level of security. Traditional IT security tools are unable to provide the contextual data of a device’s operations, and a detected vulnerability or anomaly can consequently cause a communication schism between departments. Once a problem is discovered, IT personnel attempt to identify a remediation that neither disrupts operations nor mishandles a device, working with Healthcare Technology Management (HTM) personnel who until then were unaware of any problem. An OT cybersecurity tool, as an extension of a computerized maintenance management system (CMMS), resolves this problem by providing a single inventory of devices, utilizing a common data model, and uniformly distributing remediation workflows to IT and HTM personnel.

Of course, an OT Security solution such as that offered by Nuvolo is only as effective as the quality of the incoming network and device data it relies upon to generate workflows and strategy. Mr. Bailey emphasized that integration with a passive monitoring and discovery tool is vital for optimizing the benefits of the OT Security module. For this reason, Nuvolo has partnered with providers of complementary systems such as Ordr and simplified the integration process for a seamless and efficient implementation and operation of a combined cybersecurity solution.

Next, Mr. Smith demonstrated an integrated Nuvolo system. He presented an overview of the user interface, as well as its capabilities to automate policy-making and coordinate remediation responses among HTM, IT, and “boots-on-the-ground” technicians. Equally important is the tracking of vulnerabilities across device categories and manufacturers, identification of trends and correlations, and prioritization of remediation resources according to risk level and threat severity. One function of potentially overlooked importance is the detection of unknown devices through passive network scanning by the integrated monitoring and discovery tool. When these mystery devices not in the CMMS’s centralized inventory suddenly appear on the network, it can reveal valuable insights into operations and personnel activity occurring in the facility. For instance, a flurry of unknown devices could be short-term equipment rentals, indicating a re-evaluation of the in-house device fleet may be prudent, as a buy-or-rent analysis could reveal long-term cost savings in adjusting inventory levels. Alternatively, unknown devices may be the consequence of improper onboarding due to technician oversight or an unreliable asset onboarding process, or instead it may be a clinician using trial equipment without notifying HTM. Regardless of the cause, discovery of unknown devices can be a worthwhile prompt for further investigation, which is vastly simplified by the resources available through the Nuvolo dashboard.

Check back for Episode Six featuring Mayo Clinic and how they have leveraged Ordr and Nuvolo to create Next Gen Tools for Medical Device Cybersecurity.

If you missed an episode, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.


In episode three of the seven-part CHIME webinar series, Public-Private Partnerships to Secure Medical Devices, I am joined by five guest speakers representing three public-private initiatives addressing current issues in the healthcare ecosystem.

  • Mike Powers, MBA: Representing the Legacy Devices task group within the Healthcare Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group. Mr. Powers is a Clinical Engineering Director at Intermountain Healthcare and a member of the AAMI Healthcare Technology Leadership Committee.
  • Samantha Jacques, PhD: Dr. Jacques is also from the HSCC Joint Cybersecurity Working Group and is the Vice President of Clinical Engineering at McLaren Health Care, vice-chair of the AAMI Healthcare Technology Leadership Council, and a fellow of the American College of Healthcare Executives.
  • Alex Wolf: Another representative of the HSCC Joint Cybersecurity Working Group as the Model Contract Language task group leader, Mr. Wolf is a Cybersecurity Specialist at Cleveland Clinic.
  • Jim Jacobson: From the National Telecommunications and Information Administration (NTIA) Software Component Transparency work group, Mr. Jacobson is the Chief Product and Solution Security Officer of Siemens Healthineers.
  • Tola Amusan, MBA: Mr. Amusan is a Principal Cybersecurity Analyst at Mayo Clinic and also a member of the NTIA work group.

Our first topic was addressed by Mr. Powers and Dr. Jacques on their projects at the HSCC’s Legacy Device work group. Officially, legacy devices are defined by the International Medical Device Regulators Forum as simply those that cannot be protected against current cybersecurity threats. In contrast to this vague description, Dr. Jacques elaborated on how clinical engineers of Health Delivery Organizations (HDOs) alternatively define them as devices no longer supported by the manufacturer, necessitating reactive strategies like microsegmentation and network monitoring to keep them secure. The task group’s upcoming publication will provide guidance on the core practices, challenges, recommendations, and HDO and Medical Device Manufacturers (MDM) perspectives. One critical area of contention it aims to resolve is the difference between “end of life” and “end of support.” To an MDM, “end of life” may potentially be initiated to justify terminating post-sale technical support, instructional material, and/or patch availability to incentivize replacement. From an HDO perspective, an unsupported device may still function perfectly, and prematurely relegating it to end-of-life status is often infeasible or cost prohibitive. As Mr. Powers concisely summarizes the distinction, “It’s end-of-life when I push the ‘ON’ button and it doesn’t turn on.”

“It’s end-of-life when I push the ‘ON’ button and it doesn’t turn on.”

Mike Powers MBA, Clinical Engineering Director at Intermountain Healthcare

Next, Mr. Jacobson and Mr. Amusan presented their work on Software Bills of Materials (SBOMs) at the NTIA. An SBOM is the list of “ingredients,” or the individual components of which a device’s software is composed. Explained by Mr. Jacobson, the task group has been creating a proof-of-concept SBOM since 2018. Their goal is to provide standardized and automated formats for use by manufacturers. Mr. Amusan highlighted the various use cases of how HDOs may utilize SBOMs across Healthcare Technology Management (HTM) functions ranging from procurement, asset management, risk management, vulnerability and patch management, and device life-cycle management.

In the final segment of the webinar, Mr. Wolf presented an overview of the HSCC’s Model Contract Language task group. Its foremost objective is establishing shared cooperation between MDMs and HDOs in regard to the security, compliance, management, and operation of MDM-managed medical devices. The task group has been working on a contract template for organizations of any size, which simplifies cybersecurity requirements and expectations between parties and aligns with existing standards like NIST and the FDA Post-Market Guidance. A point of particular emphasis is the delegation of compliance responsibility and liability between parties. Security breaches of devices are an inevitability, so clearly establishing the duties and obligations ensures the HDO and MDM are prepared both to prevent incidents and to recover from them. To quote Mr. Wolf, “In the event that something goes wrong, both parties are aware of those expectations and have a good understanding how to work through those issues.”

Episode Four blog of the CHIME’s Medical Device Security webinar series is up next. If you missed any of the previous episodes, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.


I am honored to work with CHIME on the seven-part Medical Device Security webinar series to educate the community on healthcare cybersecurity. We’ll be sharing takeaways from this webinar on the Ordr blog.

I kicked off and hosted the first episode on July 6th featuring a panel of thought leaders on the topic of medical device cybersecurity. Episode One’s expert panel included the following:

  • Greg Garcia, Executive Director of the Healthcare and Public Health Sector Coordinating Council (HSCC)
  • Jessica Wilkerson, JD, Cyber Policy Advisor of the All Hazards Readiness, Response, and Cybersecurity (ARC) team of the FDA’s Center for Devices and Radiological Health
  • Rob Suárez, CISO of Becton Dickinson (BD) and chairman of the Medical Device Innovation Consortium’s (MDIC) Cybersecurity Steering Committee and the Advanced Medical Technology Association’s (AdvaMed) Cybersecurity Work Group
  • Dr. Jeff Tully, MD, physician and anesthesiologist at UC San Diego Health, and hacker activist and co-founder of the CyberMed Summit
  • Dr. Christian Dameff, MD, Assistant Professor, emergency physician, and Medical Director of Cybersecurity at UC San Diego Health, and hacker activist and co-founder of the CyberMed Summit

The challenges of device security were a central area of discussion. One particular concern the panelists brought up was the limited attention that is generally dedicated to security by clinical staff in hospitals. As noted by Dr. Tully, “for the average clinician, cybersecurity awareness is limited to the pesky, mandatory annual training modules we have to do to maintain our privileges at a hospital.” This is an example of “security by compliance”, as Ms. Wilkerson put it, which is precisely what the future regulatory framework aims to avoid. Patient safety is a top priority for all doctors, though the potential adverse impact to patients of neglecting cybersecurity standards is not always apparent. Promoting an industry-wide culture of vigilance towards device security and building recognition of the very real, tangible threats that exist is paramount to hardening the U.S. healthcare system against malicious attack.

An even more formidable obstacle is the capability of healthcare delivery organizations (HDOs) to implement the necessary or mandated cybersecurity solutions. “There are hospitals that are ‘cyber-haves’ and ‘cyber-have-nots’, and they’re going to be like that for a very long time,” said Dr. Dameff. He continued, “There are hundreds of hospitals in this country that don’t have two nickels to rub together,” explaining the dilemma faced by many rural critical-access hospitals. Struggling just to pay staff during the pandemic, these HDOs will likely be unable to afford security technologies like multi-factor authentication, immutable backups, and appropriate network segmentation. Yet another resource constraint is the deficit of cybersecurity professionals in rural America needed to implement, operate, and support new systems and practices. As Mr. Garcia concurred, this is a problem that necessitates support and incentive from regulators as opposed to penalization for noncompliance. In other words, more carrot and less stick.

Legacy devices and their inherent vulnerabilities were discussed by Ms. Wilkerson and Mr. Garcia, both of whom are familiar with the difficulties of crafting policy and standards governing the security of antiquated technology. Mr. Suárez emphasized the importance of being proactive with device cybersecurity, as securing fifteen or twenty-year-old devices is a very expensive endeavor. Today’s technology will be the legacy technology of tomorrow, so futureproofing for tomorrow’s threats is essential for mitigating the same predicament our healthcare system is experiencing currently.

Among the other topics covered by the panelists was the communication of known vulnerabilities to clinicians and patients. However, as noted by Dr. Tully, the cybersecurity literacy of the audience must be considered when deciding how and when to inform them of vulnerabilities in devices with which they interact. Medical device manufacturers (MDMs) are inevitably vital to disclosing vulnerabilities and disseminating that information to doctors, who in turn educate their patients. Unfortunately, clinicians often neglect to communicate device vulnerabilities to patients. According to his research on patient preferences, Dr. Dameff found that patients overwhelmingly desire to be informed of vulnerabilities in the devices they use or have implanted, even if there is no realistic threat. “Cyber Informed Consent” is the terminology he used to describe the responsibility of clinicians to effectively articulate vulnerability information in a meaningful way. Ms. Wilkerson further reiterated this point, as the FDA discovered the same sentiment in their own patient surveys. In her own words, “It should not be the FDA, or the manufacturers, or anyone else deciding what the patient wants, or doesn’t want, to know. That is for the patient to decide.”

Be sure to mark your calendars for our recap of the second episode of CHIME’s medical device security webinar series Aligning Healthcare Cybersecurity; we will recap the episode in a guest blog next week. The second episode featured Julie Chua, Director of GRC within HHS, and Erik Decker, CISO at Intermountain Health, who both lead the HHS 405(d) task group, and Rob Suarez, CISO of BD and lead on the MedTech Joint Security Plan. We discuss two publications released by health industry public-private partnerships that have impacted Medical Device Security more than any others.


Watching the Fireside Chat: Medical Device Security is a Joint Effort webinar from American College of Clinical Engineering (ACCE), with Michael Brilling of Dartmouth Hitchcock and Benjamin Stock of Ordr, I found the following information about Dartmouth Hitchcock’s IoT security journey helpful.

The Healthcare Challenge: IoMT, OT and IoT

Internet of Medical Things (IoMT), Operational Technology (OT), and Internet of Things (IoT) can all be challenging to secure. Organizations have thousands of devices, each with unique systems, and limited ability to patch.

Dartmouth Hitchcock’s key drivers for developing their security plan were gaining knowledge of what was on their network and accurately identifying what each of those devices is doing and what is on those devices. Collaboration is key to protecting IoMT devices; see how Dartmouth Hitchcock used it to develop their security strategy.

Collaboration

Medical device security planning requires collaboration between network, security, HTM Biomed, and leadership teams. Leadership must ensure all connected devices are secure, and make financial decisions when it comes to security solution and device procurement. Security and IT teams need to gain visibility into devices, understand how devices communicate, create segmentation and security policies to properly secure every device. HTM Biomed teams should focus on IoMT devices, keeping track of devices, their vulnerabilities, and any recalls or updates from vendors.

Collaboration is necessary to secure all the different types of devices and mitigate their vulnerabilities. The organization should decide which teams own each device, which security product best addresses all of their needs, and how to leverage their security tools. The Information Security team, Networking team, and Clinical Engineering (CE) teams at Dartmouth Hitchcock were all involved in the creation of an IoT and IoMT security plan, overseen by a Health Information Technology Officer. Clinical Engineering and HTM Biomed personnel at Dartmouth Hitchcock influenced the creation and implementation of connected device security policies, but allowed security personnel to be the subject matter experts for device vulnerabilities.

By involving multiple teams in creating their security program, they made future security endeavors easier. Now, if something comes up in a grey area, they can direct the issue to the right team.

Choosing a Security Solution

Procuring and implementing a security solution is a team effort. Ensure leadership is involved and sponsoring the project, and lay out what problems each team needs to solve and what they want to gain. All stakeholders should evaluate security solutions to decide whether all of their needs are met by a vendor.

Different teams at Dartmouth Hitchcock have different use cases for security tools. They found that Ordr supported their collaboration efforts. For Dartmouth Hitchcock, bringing in Ordr was adding to a stack of collaborative tools. Having previously invested in Cisco tools, Ordr’s familiarity with Cisco was a differentiator. Ordr was able to technologically support their existing infrastructure without requiring them to change firewall tools or protocols.

Implementation

In implementing their IoMT security program, they were surprised by the amount of communication their medical devices required and the number of personal devices on their network. They had not expected to find as many unique smart speakers. These devices generate a lot of network traffic and could potentially compromise HIPAA compliance with their recording capabilities. With device visibility from Ordr, Dartmouth Hitchcock was able to find these issues and create a policy to segment smart speakers onto a guest network where they will not be able to communicate out.

Utilizing Ordr

As a part of their security process, they have encrypted generic passwords that they cannot further protect and are getting more involved in the supply chain process to ensure device purchases have password policies that work for them.

Dartmouth Hitchcock has benefited from Ordr, and now that they have completed their immediate security plans, they plan to expand their use of Ordr. Ordr aids in Dartmouth Hitchcock’s microsegmentation efforts and gives them insight into devices so they can see how often devices are used and how many are needed. They plan to use this information for future procurement decisions.

Ready to try Ordr for yourself? Try the Hands-On Lab to see how Ordr will discover and classify all connected devices, profile device behavior, and automate segmentation policies.


Healthcare has been one of the key verticals for Ordr since our inception as CloudPost Networks. Over the last couple of years, we’ve helped many healthcare organizations address visibility and security for their unmanaged and IoT devices. In turn, we’ve worked with our customers to evolve our solution and address new use cases.

As a result, we’re grateful and proud to have been named a market leader (with the highest market share) in the new KLAS Research report, Decision Insights: Healthcare IoT Security for the second year in a row. If you’re not familiar with KLAS Research, they are a healthcare IT data and insights company. One of the most unusual aspects of KLAS Research is that they actually interview real clients with questions such as “Are customers happy with a vendor’s products and with customer service?” “Do they have a positive impression of their vendor?” “Do they think their organization has benefited from adopting the vendor’s software?” KLAS is lauded in the industry for their accurate, honest and impartial research.

Market Leader for Second Straight Year

The KLAS Healthcare IoT Security Report defined the following as key capabilities for an IoT Security solution.

In addition, KLAS spoke to more than 51 customers on which vendors were being selected and why. They had this to say in their report, “Ordr, who has contracted with some of the largest health systems, has continued to be one of the market leaders in terms of wins and considerations for the second straight year, resulting in their current leading market share.”

KLAS also noted that we were praised by customers for:

  • The breadth and number of devices Ordr can detect;
  • The highly granular visibility the solution provides;
  • Ordr’s culture of “flexibility and willingness to partner;”
  • Strong technology integrations that help drive value with the solution; and,
  • High customer satisfaction.

We thank all healthcare organizations who participated in the KLAS interviews. We’re excited to continue our growth with our customers, helping to discover, profile and secure connected devices. Thank you to two of our customer advisory board members, Skip Rollins and Jeff Vinson, who supported us throughout our journey and contributed to our release.

“COVID-19 has forced healthcare organizations to double-down on prioritizing security while balancing other organizational priorities and needs. CIOs need to find ways to support the business,” said Skip Rollins, CIO, Freeman Health. “Ordr is a tool we lean on not only for visibility and security of unmanaged and IoT devices, but for device utilization insights. Details about how often a device is being used helps us to optimize device allocation and support procurement decisions.” 

“Most healthcare organizations don’t realize that a vending machine may be connected to the same network as a critical life-saving device like a ventilator,” said Jeffrey Vinson, CISO, Harris Health. “We have partnered with Ordr because the company provides the most comprehensive IoT security solution that goes beyond simple device inventory. Ordr discovers all connected devices, helps us identify risks and malicious behaviors in devices, and can automatically generate segmentation policies to secure high-risk devices.” 

We are excited to continue our growth with our customers, helping to discover, profile and secure connected devices.



On Oct 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and Health and Human Services (HHS), announced an increased and imminent cyberthreat to the Healthcare and Public Health Sector. This warning comes on the heels of increased ransomware incidents in the last few months and includes information on Conti, TrickBot, BazarLoader and new Indicators of Compromise (IOCs). As healthcare continues to grow as a reliable source of income for threat actors because of the necessity to protect patient care, ransomware campaigns will continue to proliferate.
Jeff Horne, Chief Security Officer at Ordr, provides insight into the latest wave of ransomware with a series of articles:

Threat Summary

Ransomware has been around for decades, but in the past few years it has evolved into more of a service: Ransomware-as-a-Service (RaaS). That evolution is one reason for a 25 percent increase in attacks from Q4 2019 to Q1 2020, a 715% year-over-year increase in detected (and blocked) ransomware attacks, and a 33% increase in the average payment.
The distributed nature of the ransomware developer and the affiliates makes it more lethal than ever.

  • Ransomware developer: Creates the custom malicious code and capabilities like lateral movement tools and scripts, including exploit code that is sold to a ransomware affiliate for a fee or a share of the eventual ransom after a successful attack.
  • Ransomware affiliate: Stands up a hosting site with the custom exploit code, identifies targets, and delivers the exploit code, typically by phishing email or as an attachment.
  • Victim: Falls victim to the exploit code.
RaaS Infection Lifecycle
There are several RaaS families identified by security experts; examples include Sodinokibi, Ryuk, Mamba, Phobos, Dharma and Snatch. It is worth noting that the actual ransomware code is usually the last piece dropped in the infection life cycle, which gives hope that the attack can be prevented before that point. The infection usually starts with a Trojan such as TrickBot, then goes through a dwell period (the “baking” process) in which the RaaS affiliates monitor and map out the network and any existing vulnerabilities, and only then is the actual ransomware code dropped.
Ordr recommendations for defense against RaaS:
Security experts have published many recommendations. Ordr compiled the mitigation plans and policies from the CISA advisory and other sources and mapped them to the NIST Cybersecurity Framework.
Fig-2: NIST cybersecurity framework

Identify

  • Insightful asset management: Asset management of all network-connected assets is the first step toward defense against any threat. Insightful asset management is not about maintaining a list of IP addresses or serial numbers but a detailed inventory that records what the device is, where it is located, its operating system details, and so on. Ordr passively detects all network-connected devices and builds a database with make, model, OS, location and other detailed information.
  • Continuous monitoring: Continuous monitoring is key to any good asset management and security program. With the proliferation of IoT devices, continuous monitoring is essential to protecting the entire organization. A device that is not supposed to be on the network needs to be detected right away, and appropriate action needs to be taken. Ordr detects a device the moment it becomes active on the network and records it. Ordr can quarantine or disconnect a device from the network with a click of a button.
  • Knowledge of what is in your control and, more importantly, what is not: Organizations usually maintain an inventory of the assets they control. What is largely missed are the assets that are not “owned” by the organization but still use its critical resources: third-party managed networks, vendor devices, devices and software under vendor qualification, and so on. Ordr detects all these devices and provides an easy way to identify these unmanaged devices.
  • Asset criticality: Knowing and protecting critical assets is an essential part of the security program. For healthcare, Ordr provides clinical risk metrics that help prioritize and secure the most critical assets.

Protect

  • Security awareness: Awareness is key to any security program. Training should cover topics from identifying malicious emails to social engineering risks. Make sure the security awareness campaign is an ongoing process.
  • Understand vulnerability threat posture: Understand the existing vulnerabilities of all the devices and software on the network. Most ransomware damage is done by exploiting existing vulnerabilities. One vulnerability identified as a major exploitation vector is CVE-2020-1472. Ordr identifies devices that are impacted by this vulnerability. Ordr, in combination with a popular vulnerability scanner such as Tenable or Rapid7, provides a complete picture of IoT-specific and application vulnerabilities. Combined with a critical infrastructure score, the organization knows how to prioritize its never-ending patching program.
  • Bring unmanaged devices under compliance: In almost all deployments Ordr has found devices that the security teams never knew existed. These range from someone plugging a device into the corporate network, to contractor/vendor devices, to third-party managed networks. Ordr can easily identify these devices so that appropriate action can be taken to bring them into compliance.
  • Understand active threat posture: Active threats are different from vulnerabilities. Ordr has a built-in IDS engine that can detect east-west threat propagation. Understanding the criticality of the device together with evidence of vulnerability exploitation is very important. Typical firewalls don’t catch east-west threat propagation. Ordr detects and reports east-west threat propagation, which reduces threat response time.
  • Monitor active communications: No one wants their devices talking to malicious sites. Ordr detects these communications right away and triggers an alarm.
  • Backup and encryption: As a standard practice, perform regular backups and encrypt them.
  • Be proactive: These new attacks try to learn the network and its connectivity details in order to cause maximum damage. Microsegmentation is a reliable way to protect the network from ransomware because it minimizes threat exposure. Ordr makes microsegmentation easier and a reality.

Detect

  • Make sure standard security practices are up to date: Make sure that all the security measures you have in place, such as endpoint protection software and threat feed information, are up to date. Provide continuous security education to all users, including vendors and contractors.
  • Logging: Make sure that you have logs of all transactions. Ordr records all transactions over the network, which helps immensely in any forensic activity.
  • User-to-device mapping: It’s critical to understand who is using which devices and what they are doing with them. Ordr provides user-to-device mapping and device-communication mapping.
  • Communication patterns: Understanding device-to-device communication patterns and blocking unnecessary or unexpected communication is another step toward protecting the infrastructure. One exploitation vector in the recent ransomware attacks is an open RDP port (3389). Ordr provides an easy way to identify devices that are communicating over port 3389. The user can then decide whether this communication is expected and whether the RDP port itself needs to be changed.

Respond

  • Incident response: Develop a plan to respond to an incident. Ordr helps identify the blast radius and understand the impacted applications and users so you can put together an effective incident response plan.

Recover

  • Restore: With the backup and encryption mechanisms in place, restore the data.
  • Verify: Make sure that the suspect hardware or software is not used in the future. Ordr continuously monitors the network and will alert the user to any vulnerable device that comes back onto the network.
  • Report: Report the incident to the appropriate authorities as designated by your response and disclosure policies.
In summary, there is no single prescriptive solution to RaaS, but it can be prevented by following the recommendations from Ordr and other authoritative sources. In the battle between good and evil, good always triumphs; we just need to know the exploitation vectors, the vulnerability posture of the organization and its active threat posture. We hope our recommendations will help organizations continue their business and discourage bad actors from carrying out malicious activities.
For more information on how Ordr can help you identify and manage vulnerabilities for any connected device, please contact info@ordr.net.

In 2020 we have seen a massive rise in the number of internet-connected devices, deployed with the goal of improving patient care, organizational efficiency, speed of crisis response, and much more during COVID-19. The emergence of telemedicine, digital health records, internet-connected medical devices, patient wellness apps, and an increasing number of third parties entering the health supply chain has undoubtedly created benefits. What it has also created is a vast landscape for threat actors to exploit devices that are unpatched, use default passwords, are subject to FDA recalls, carry known CVEs, and have many more vulnerabilities.

This week, we will delve into IT, IoT, OT, and IoMT devices and the appropriate steps to build a true asset inventory, establish a baseline of acceptable device behavior in order to spot anomalies or malicious behavior, and create automated actions based on this information.

Have a True Asset Inventory

Most organizations today struggle to have a real-time, accurate inventory of the devices on their network with the context needed to understand how to manage them.

  • Detect ALL connected devices — including unmanaged, IoT and IoMT devices on your network. This can include unknown or unauthorized devices missed in a traditional asset inventory.
  • Have rich context on those devices: make, classification, location, application/port usage, weak ciphers and certificates, manufacturer and FDA recalls, devices banned under the National Defense Authorization Act, and devices holding regulated data such as PCI and PHI.
  • Continuously analyze every device in real time for potential risks to the organization.

Understand Device Behavior – The Good and Bad

Once a true and continuous asset inventory is established you have a clear picture of the devices, but how do you sift through them to understand which to remediate, which to take offline, and which to utilize more?

  • Identify anomalous and suspicious communications to unauthorized networks and malicious sites and monitor devices for risks such as vulnerabilities, active threats, anomalies, and other malicious activity.
  • Compare and contrast device utilization across different facilities to identify and improve operational efficiency, schedule upgrades/patches on light-usage days/hours to minimize disruption of operations, and ultimately identify underutilized high-capital equipment to increase its utilization.

Create Automated Actions Based on Rich Device Context

After establishing both a solid asset inventory and then understanding the behavior surrounding your devices, being able to use this information is critical.

  • Dynamically generate and automatically enforce segmentation policies to isolate high-risk and vulnerable devices and only allow “sanctioned communications”.
  • Integrate with your existing CMMS, CMDB, firewall, NAC, and SIEM to trigger workflows for enforcement of Zero Trust policies.
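As an added example (not Ordr's code, and not the SCE's actual data format), the following Python runs the three steps above, together with the Detect section's point about RDP over port 3389, as one detection pass: constructed flow records are checked against a constructed inventory and a baseline of sanctioned RDP sources, and every unsanctioned RDP session is reported with the device context a responder needs, critical destinations first. All IPs, device classes and the key=value log format are assumptions.

```python
import re

# Constructed asset inventory (hypothetical IPs and device profiles, not real data).
INVENTORY = {
    "10.1.10.5": {"class": "Infusion Pump", "critical": True},
    "10.1.10.6": {"class": "Vending Machine", "critical": False},
    "10.1.20.2": {"class": "Jump Host", "critical": False},
    "10.1.20.9": {"class": "Workstation", "critical": False},
}
RDP_PORT = 3389
SANCTIONED_RDP_SOURCES = {"10.1.20.2"}  # constructed baseline: only the jump host may start RDP

# Constructed flow records in a simple key=value format (assumed, not any vendor's format).
FLOW_LOG = """\
2020-10-28T10:01:00Z src=10.1.20.2 dst=10.1.20.9 proto=tcp dport=3389
2020-10-28T10:02:10Z src=10.1.10.6 dst=10.1.10.5 proto=tcp dport=3389
2020-10-28T10:02:11Z src=10.1.10.5 dst=10.1.30.1 proto=tcp dport=443
2020-10-28T10:03:00Z src=10.9.9.9 dst=10.1.10.5 proto=tcp dport=3389
"""
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flow = m.groupdict()
            flow["dport"] = int(flow["dport"])
            flows.append(flow)
    return flows


def rdp_findings(text):
    """Unsanctioned RDP sessions with inventory context; critical destinations sort first."""
    findings = []
    for f in parse_flows(text):
        if f["proto"] != "tcp" or f["dport"] != RDP_PORT or f["src"] in SANCTIONED_RDP_SOURCES:
            continue  # not RDP, or an RDP source the baseline expects
        src = INVENTORY.get(f["src"])  # None means an unmanaged device not in inventory
        dst = INVENTORY.get(f["dst"], {"class": "unknown", "critical": False})
        findings.append({
            "ts": f["ts"], "src": f["src"], "dst": f["dst"],
            "dst_class": dst["class"], "dst_critical": dst["critical"],
            "reason": ("unmanaged source not in inventory" if src is None
                       else f"unsanctioned RDP from {src['class']}"),
        })
    return sorted(findings, key=lambda x: not x["dst_critical"])  # stable: log order otherwise
```

The two findings it produces on the sample log (a vending machine and an unknown host both reaching an infusion pump over RDP) are exactly the kind of context that a segmentation policy or a CMMS/SIEM workflow would be triggered from.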

The Ordr Systems Control Engine (SCE) can enable visibility and security of all your connected medical devices. It can discover every connected device, profile device behaviors and risks, and automate action for all medical and IoT assets in your healthcare organization.

Recently, we began an IoT Discovery Program that allows organizations to:

  • Gain high-fidelity visibility into devices that you may not know are on your network
  • Understand risks including communication patterns and vulnerabilities
  • Discover usage patterns for your devices
  • Map these devices to your Layer 2 and Layer 3 architecture
  • Identify appropriate segmentation policies to secure your devices

If you feel this program would be a good fit for your organization, register here: https://ordr.net/sensor/