Northern Maine Medical Center. Fort Kent, Maine.

Fort Kent is a town of just over 4,000 residents abutting the Canadian border in rural Aroostook County, Maine. Fort Kent is famous for being the northernmost terminus of U.S. Route One, and infamous for its long, harsh winters. It is also home to Northern Maine Medical Center (NMMC), a 10-bed hospital that has seen services cut in an effort to lower operating costs.

Maine Public Radio recently reported from a public forum held in Fort Kent’s town hall after the hospital announced plans to close its maternity ward. Residents fear NMMC will soon close; and if it does it will be part of a growing trend. The American Hospital Association (AHA) says that 136 rural hospitals have closed since 2010, and according to a recent report by the Center for Healthcare Quality and Payment Reform (CHQPR), there are more than 600 hospitals across the country in danger of closing due to financial pressures. Of those, more than 200 are in immediate danger of shutting down. That means that hospital mergers and acquisitions (M&A) are likely to continue as a trend identified by Chief Healthcare Executive magazine, which reported there were more than 50 hospital M&As in 2022, with more expected this year.

The Good and Bad of Healthcare M&A

When larger hospitals acquire smaller–and especially rural–hospitals, it can have a positive effect on access to quality of care for the communities they serve. The AHA said that nearly 40% of hospitals added services after being acquired, and that operating efficiencies helped to lower costs by an average of 3.3% after an acquisition. But along with the benefits associated with healthcare M&As come security risks. Security Magazine reported that ransomware attacks on healthcare organizations have doubled since 2016, and because rural hospitals struggle with financial and staffing constraints, they are often more easily breached by threat actors.

In her testimony to the Senate Homeland Security & Government Affairs Committee during a hearing on cybersecurity threats to rural healthcare organizations, former North Country Hospital (Vermont) CIO/CISO Kate Pierce said, “[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.”


The Lurking Threat of Acquired Risks

The dynamic nature of connected devices operating in a network complicates security and IT management. In healthcare, these challenges are magnified because patient safety is affected when operations are compromised. Some findings from our most recent Rise of the Machines, Enterprise of Things Adoption and Risk Report (keep your eyes peeled for our 2023 edition soon) show the dangers present when Internet of Things (IoT), Internet of Medical Things (IoMT), and operational technology (OT) devices proliferate in a healthcare environment:

  • 86% of IoT and IoMT deployments have 10 or more FDA recalls.
  • 15%-19% of connected devices run on obsolete/unsupported operating systems.
  • 10%-15% of devices connected to the network are unknown or unauthorized.

Compromised Medical Devices put Patient Safety at Risk

When a larger hospital makes an acquisition, it takes on the legacy cyber risks that previously beset the smaller one, including those of the technology assets used to run the facility and support staff in delivering care. Even in the best cases, hospitals and other healthcare delivery organizations (HDOs) rely on connected medical devices that are likely vulnerable to cyberattack. And once a piece of medical equipment is put in service, it may run with obsolete or unsupported software for years, or new vulnerabilities may be revealed that cannot be patched quickly because of patient safety concerns.

Even when a large hospital with “advanced cybersecurity hygiene” takes over the IT and security operations of a smaller hospital, it can take time to assess and mitigate the risks associated with integrating the new organization’s IT estate. And if any of the acquired systems were compromised prior to acquisition, a lurking, undetected threat actor may be able to use the smaller hospital’s IT infrastructure as a kind of Trojan horse from which to move laterally into the new owner’s systems, much like when hotelier Marriott was breached after acquiring Starwood Hotels in 2014.

Mitigate M&A Cybersecurity Risks

With these challenges in mind, a best practice approach to cybersecurity during an M&A event involves three critical steps:

1. Discover every asset in the network

You can’t protect what you can’t see, and so the key to addressing legacy threats and vulnerabilities inherited through the acquisition of other organizations’ technology estates is to be able to discover and classify every asset. That includes all the connected devices in operation: IoMT, IoT, OT, and more. This comprehensive asset inventory may also be useful to determine duplicate systems and reduce redundancies as both organizations in the M&A consolidate their assets.

The Ordr platform performs device discovery and classification quickly, and then monitors communications and tracks changes in real time. Ordr goes beyond mere visibility to deliver deep, granular classification of every device, including make, model, serial number, and operating system details. It also provides vital context about where a device is connected and what other systems it is communicating with. Ordr also addresses one of the most common M&A challenges: overlapping IP address schemes when two organizations are combined. Left unresolved, this prevents teams from easily establishing a single view of both environments and can slow risk assessment and integration efforts.

2. Identify your attack surface

The next step is identifying and measuring the attack surface these assets present. This can include devices with vulnerabilities, devices running outdated operating systems, or devices with weak passwords. By baselining devices and their communication patterns, you can spot behavior that is outside the norm and may indicate a compromised device.

From a deep, granular foundation of visibility, Ordr gives a complete view of the connected device attack surface and communications in real-time. Ordr identifies which devices are vulnerable or acting in a risky manner, and assigns a risk score based on the device’s known, determinative operational parameters.

3. Implement M&A cybersecurity best practices

Once you know what devices and risks you are inheriting as part of the acquisition, you can begin to implement M&A cybersecurity best practices. The most basic of these is segmentation between the two networks until access and convergence are complete. You will also want to identify and document the key risks that need to be mitigated during or after the acquisition.

Ordr dynamically automates the creation and enforcement of security policies. This means that organizations using the Ordr platform can quickly block attacks, quarantine compromised devices, segment vulnerable devices, and accelerate Zero Trust projects to proactively improve security.

Cybersecurity Due Diligence

Identify Risks Before Hospital Acquisition

Because hospitals and HDOs are under constant risk of attack from threat actors who care nothing of the danger their actions present to patients—and, in fact, use that danger to their advantage when carrying out ransomware attacks—there is no grace period when acquiring a smaller organization. It is imperative that the acquiring hospital include cybersecurity when conducting their due diligence. The network must be inventoried, assessed, and protected as quickly as possible, and Ordr helps get that done even before a contract is signed.

Furthermore, we operate on a philosophy of continuous improvement, expanding our integrations, leveraging the most up-to-date threat intelligence, and building our library of millions of device profiles to ensure Ordr is the most comprehensive, single source of connected device truth available. Check out our M&A solution brief for more details on how we help with cybersecurity due diligence.

If Ralph Waldo Emerson had been a CISO and not a poet, he might have said, “Like life, Zero Trust is not a destination, but a journey.” And he’d be right, of course. For all the love Zero Trust has gotten from zealous marketers who promise that an investment in their cybersecurity product will deliver Zero Trust, the fact is that enterprises are far too dynamic for any one product to achieve that state. In fact, Zero Trust is not a static state, but an ideal that must be as dynamic as the environment in which it prevails.

Dynamic Environment, Dynamic Tool

When Ordr talks about Zero Trust, it is within the context of the challenges of protecting organizations that are increasingly reliant on connected devices to manage and run their operations. Devices within the domains of the Internet of things (IoT), Internet of medical things (IoMT), and operational technology (OT) are, by their nature, dynamic. They connect to and disconnect from networks often, finding a home where they are needed. They move around and increase an enterprise’s attack surface as they aggregate and grow in number. That kind of changeability and complexity requires a security platform like Ordr that has the speed and intelligence to discover, identify, and secure every device operating in the network.


This is especially important for healthcare organizations that rely on IoT, IoMT, and OT devices to manage their facilities and provide a high level of care to patients. These devices gather data, provide diagnostics and therapeutic functions, and automate activity at all levels. But those devices also expand the attack surface of the organizations that deploy them, and threat actors have been taking advantage. According to the FBI, healthcare was the industry most targeted by ransomware gangs in 2021, affecting more than 550 organizations, compromising the protected health information (PHI) of more than 40 million people, and inflicting financial losses of $6.9 billion.

Wisdom of Old CISOs

Standing up to the threat requires thoughtful investments in security tools that address the specific needs of each organization, backed by a deliberate and strategic plan that maximizes the efficacy of those tools to achieve and maintain a continuous Zero Trust posture. And as Emerson said Zero Trust is a journey, another famous CISO, the philosopher Lao Tzu, said that the journey of a thousand miles to Zero Trust begins with a single step. Fortunately for healthcare organizations looking to protect their IoT, IoMT, and OT assets, that single step is one of five in a connected device security maturity model that Ordr has outlined in a new ebook entitled A Practical Guide: Implementing Connected Device Security for Healthcare Organizations.

Five Easy Pieces

Authored by Gartner veteran and Ordr strategic advisor Brad LaPorte, in close consultation with many of our own subject matter experts, “A Practical Guide” includes recommended actions, technical considerations, and helpful insights that complement each of the five steps of maturity for connected device security, which are:

  • Step One – Asset Visibility: a foundational exercise that must be launched and operationalized to discover and classify every device and map its flows.
  • Step Two – Vulnerability and Risk Management: extends the organization’s ability to see and know about all the devices present in the environment.
  • Step Three – Reactive Security: prioritization of the activities necessary to mitigate risks, such as blocking specific inbound and outbound communications.
  • Step Four – Proactive Security: establish automated policies to ensure rapid threat detection and prevention, and begin to implement proactive Zero Trust segmentation policies.
  • Step Five – Optimized Security: use of real-time analysis and micro-segmentation to automate dynamic policy changes, scale protections to reflect an environment’s current state, and enable continuous improvement.

As you can see, each step in the maturity model builds on the previous step in sequence; there are no shortcuts. And the speed with which an organization progresses from Step One to Step Five will differ. It’s also important to recognize that, when starting from a place of no or incomplete connected device visibility, each step of the journey represents a significant improvement toward Zero Trust. And when a connected device security strategy is implemented and fully matured, it can be applied holistically across an entire organization or focused on multiple critical areas, in sequence or in parallel.


If you want to read A Practical Guide: Implementing Connected Device Security for Healthcare Organizations, you can download it here with our compliments. We’ve scheduled a webinar for January 19 to discuss the topic. Or, if you want to talk to one of our healthcare connected device security experts (or an expert in any other industry), get in touch. We’d love to hear from you.

On January 26th the White House Office of Management and Budget (OMB) issued a memo outlining a “Federal strategy to move the U.S. Government toward a ‘zero trust’ approach to cybersecurity.” The memo is a follow-up to last year’s Executive Order on Improving the Nation’s Cybersecurity in which President Joe Biden outlined a set of priorities to improve the security posture of networks operated by U.S. federal agencies.

(You can read our original response to the Executive Order here, and to the subsequent NIST memo regarding defining OT as critical infrastructure here.)

The gears of change turn slowly in a bureaucracy as large as the U.S. federal government, and urgency to harden government networks is long overdue, especially with the discovery and exploitation of zero-day vulnerabilities like Log4j. And as tensions rise in Eastern Europe, including the implied threat of cyberattacks against our national IT infrastructure and politically motivated “hacktivist” attacks against other governments disrupting services, the potential consequences of a lack of readiness are all too real.

Five Pillars of Federal Cybersecurity

The OMB strategy to “achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024” was developed with cooperation from senior administration officials from the OMB, NSA, CISA, and key federal IT organizations. Those goals, which CISA refers to as “five pillars,” are identified in the OMB strategy memo as:

1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.

2. Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.

3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.

4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.

5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.

These are ambitious goals for any organization to achieve, let alone those within federal agencies, some of which operate the largest IT operations in the world. And, examining the second pillar—device inventory, management, and security—we already know that there are many connected devices operating within federal networks that are beyond the visibility of IT operations. This was made clear following the discovery of security cameras made in China and connected to networks within the Department of Defense that were found to be sending data back to their manufacturers.

Managing and Securing a Vast Device Inventory

How can the U.S. government achieve its Zero Trust objective for its vast device inventory? Many federal agencies have already deployed Ordr to look across their IT infrastructure to discover and identify each device—including those that are currently unaccounted for and operating in the shadows.

We’ve proven time and time again how the following best practices and five-step approach can get you to Zero Trust.

  • Step 1: Passively detect and identify all known, unknown, and prohibited devices without disruption or adverse effects to operations. Ordr’s agentless deployment delivers device inventory and categorization within hours of deployment, and augments device context with additional network data and threat intelligence.
  • Step 2: Identify devices at risk to reduce the attack surface. Ordr offers an integrated intrusion detection engine and integration with threat intelligence services, vulnerability management tools, and manufacturer databases to pinpoint the devices that are most likely to be targeted by attackers. By addressing known vulnerabilities, taking prohibited devices offline, or segmenting mission-critical devices, federal agencies can start to reduce their attack surface.
  • Step 3: Map and baseline communication patterns for every device. Every device has deterministic functions. Ordr can profile and baseline device behavior using machine learning to reveal and alert on the presence of anomalous communications.
  • Step 4: Apply appropriate Zero Trust security policies on devices. Ordr offers proactive, reactive, and retrospective policies. Ordr Zero Trust segmentation policies can be proactively and automatically (yes, this means with a push of a button and without manual effort) created for devices, to allow only the communications required for their functions. Ordr reactive policies applied on firewalls, NACs, and switches immediately limit exposure and mitigate risks by blocking traffic, terminating sessions, or isolating compromised devices. Finally, Ordr retrospective policies enable a time-machine view of infected devices communicating with newly announced indicators of compromise.
  • Step 5: Finally, federal agencies need to continuously monitor the network to identify new devices that connect, detect indicators of compromise in operation, and automatically enforce security policies when risks are detected.

(For more details, check out our whitepaper “5 Steps to Zero Trust” here.)

Success Within Reach

Given the size and scope of the U.S. federal government’s combined IT infrastructure, it may seem that the goals articulated by the White House and CISA are unrealistic within the given timeline. In fact, where accounting for and reining-in a massive device inventory is concerned, success is well within reach. Ordr is already deployed within many federal agencies where a Zero Trust device posture is in effect. We’ve proven ourselves in many environments—such as healthcare, financial services, retail, manufacturing, and more—where device security is a priority for protecting critical infrastructure and maintaining operations.

Ordr is proud to be leading the way in this priority initiative to improve national cybersecurity. And with a simple demonstration we can show your agency or organization how you can identify, inventory, assess, and protect your connected devices within minutes. Contact us at

Zero Trust has emerged in the past ten years as the foundational approach to cybersecurity for many organizations. As the name implies, Zero Trust is about removing the presumption of trust for all users, i.e. “never trust, always verify”. Instead of a one-time access decision, trust is continuously addressed and evaluated, and access is limited to least privilege.

While the Zero Trust concept is fairly mature, its application to IoT and unmanaged devices is relatively new, but growing.

New research from EMA points to IoT as one of the top drivers for enterprise interest and investment in zero-trust networking (46% of enterprises).

Figure 1: Technical initiatives that are driving interest in Zero Trust networking

The EMA report, “Enterprise Zero Trust Networking Strategies: Secure Remote Access and Network Segmentation” based on a survey of 252 enterprise technology professionals, discovered the following:

  • IoT drove healthcare, manufacturing, and professional IT services companies towards Zero Trust networking, while software and retail companies were the least influenced by IoT.
  • IoT and other unmanaged devices present a challenge to Zero Trust networking policy design because they have no users associated with them and require an alternative way to authenticate connection requests. 38% of enterprises surveyed create tailored access privileges based on the functions and characteristics of individual devices or classes of devices. This means that 64% of enterprises either establish generic access for all devices, treat devices as untrusted with limited access, or treat them as untrusted and ban them from the corporate network.
  • Establishing a generic, minimum level of access privilege for IoT and unmanaged devices, such as an IoT VLAN, is popular among government agencies (50%) and healthcare organizations (55%). However, this strategy isn’t ideal, as risks can differ even among a set of similar IoT devices based on behavior, vulnerabilities, and manufacturer.
  • The most important parameters for determining access privileges of unmanaged devices were cited as security status, device vulnerability and risks, owner of the device, and observed network behavior. This makes sense, as it lets enterprises use tailored policies and place devices in the right “trusted” areas of the environment.
  • Enterprises are more likely to succeed with tailored policies for unmanaged devices if they formed a Zero Trust networking taskforce rather than relying on formal partnerships between network and security teams.
  • Identifying and segregating IoT and other unmanaged devices is a top priority for healthcare organizations (55%). This is not a big surprise given the vast numbers of sensors, scanners, and other medical equipment that connect to networks in clinics, hospitals, and laboratories.
  • The issue that enterprises find most challenging in Zero Trust network segmentation is the high volume of changes and exceptions straining management capacity. This points to a need for network automation.
  • 92% of enterprises want tools that simplify segmentation, specifically to address “exceptions/custom rules”, cross-tool support, and to automate/eliminate errors — this is especially true for IoT, since there are so many different types of devices and their numbers are so large that automation is critical to drive Zero Trust segmentation.

As the report shows, enterprises are recognizing the need to extend Zero Trust to unmanaged and IoT devices. 50% of enterprises in the EMA survey have started Zero Trust microsegmentation in the LAN where IoT lives. To do this effectively and without manual errors, automation is critical. Ordr can help. We help enterprises discover and profile devices so they know exactly what an IoT device is at a very granular level, how it is behaving, and protect these devices at the firewall and in the network via automated Zero Trust and microsegmentation policies.

We invite you to download the report summary here. For complete visibility into what’s in your network, sign up for our IoT Discovery Program at

It’s an unassailable reality for today’s enterprise organizations: security and network teams must continue to do more to address the rapidly growing mass of devices that are being connected to their networks. And they absolutely must keep up with this increased device scale without the benefit of analogous scale in their resources, neither human nor capital. This undeniable trend is not new, but in our interactions with enterprise teams we continue to see an increased push towards a Zero Trust network topology. This comes up more frequently in meetings that our teams are having, so I wanted to share some background, common themes and best practices we are seeing around this topic. And away we go.

To start, we need to establish a clear definition.  I will spare you from the endless pages of search results [and vendor-specific opinions and positions] that googling ‘Zero Trust Architectures’ will produce.  I like this one from CSO Online…it’s concise and straightforward; from it you will learn that the Zero Trust concept was created by John Kindervag in 2010, and is growing in popularity.

I think that this line sums it up best:

Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.

Sounds great, let’s do that.  Let’s get the CISO to implement this and report her progress during the next Board of Directors meeting.

Let’s be honest, it’s not that simple. What isn’t stated, but rings from the words in the statement above, is that you simply cannot build a trust model for ANYTHING inside or outside your network without complete visibility of the devices in your environment. Not just MAC and IP address visibility, but contextual visibility of all of the assets coming in and out of the environment. You have to know your environment and devices completely to even start. Oh, and that isn’t a one-time visibility exercise; it is going to have to be continuous, since the environment is constantly changing and systems, devices, and people are attaching to and detaching from your network at a head-spinning rate.

But simply knowing isn’t enough. The second piece of this puzzle is verifying exactly what every device and system is before you give it access. Behavior is key. You can’t trust something about which you don’t have complete understanding. Which means it’s imperative to add behavioral context – and dynamic and continual adjustment of that context – on top of the already important continuous visibility. You have to know exactly which devices inside and outside of your network each device communicates with. More importantly, you have to know which devices – internal and external – each device SHOULD communicate with. You have to be able to do this across the campus, data center, and remote offices/branches, and you have to be able to do it across traditional IT, OT, IoT, medical…you name it.

So now I see the device, I understand the behavior of the device, I am always watching, learning, seeing communications, placement on the network…etc. Now I know what I have, what it’s doing, with whom it’s doing it, and whether or not it’s operating in the way I want it to operate.

Next step – Enforce/Regulate/Control/Take Action…whatever you call it, this is the implement and control phase. This is where the rubber meets the road. This is where we don’t necessarily worry about trusting the device; this is where we make sure the device only does what you want it to do. That it only does what you allow it to do, no trust needed.

The good news is you probably already have the infrastructure in place to achieve this. Most organizations have invested in enterprise switch infrastructure, next-generation firewall technology, Network Access Control systems, etc. With intelligent and dynamic policy generation, Ordr gives you the power to utilize your existing infrastructure for enforcement; this is truly proactive protection for the hyper-connected enterprise.
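The see-it, baseline-it, enforce-it sequence described above, and Steps 3 and 4 of the federal five-step list earlier on this page, reduce to one data-handling idea: learn which destinations each device class talks to, flag flows outside that baseline, and turn the baseline into a default-deny allow-list. The following is an added illustration written for this page, not Ordr’s code or output; the inventory, device names, hosts and flow records are all constructed sample data, and the policy lines are vendor-neutral text rather than any real firewall or NAC syntax.

```python
"""Class-level communication baseline, anomaly detection and allow-list policy.
Added example for this page (not Ordr's implementation). All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source device name (constructed)
    dst: str     # destination host (constructed)
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# Constructed inventory: what discovery/classification would produce (device -> class).
INVENTORY = {
    "infusion-pump-01": "infusion_pump",
    "infusion-pump-02": "infusion_pump",
    "ct-scanner-01": "ct_scanner",
    "ip-camera-07": "ip_camera",
}

# Constructed flows from the learning period: what each device class normally does.
BASELINE_FLOWS = [
    Flow("infusion-pump-01", "pump-server.hospital.local", 443, "tcp"),
    Flow("infusion-pump-02", "pump-server.hospital.local", 443, "tcp"),
    Flow("infusion-pump-01", "ntp.hospital.local", 123, "udp"),
    Flow("ct-scanner-01", "pacs.hospital.local", 104, "tcp"),  # DICOM to PACS
    Flow("ip-camera-07", "nvr.hospital.local", 554, "tcp"),    # RTSP to recorder
]

# Constructed flows seen later, including three that should be flagged.
OBSERVED_FLOWS = [
    Flow("infusion-pump-02", "pump-server.hospital.local", 443, "tcp"),  # normal
    Flow("infusion-pump-02", "file-server.hospital.local", 445, "tcp"),  # SMB from a pump
    Flow("ct-scanner-01", "pacs.hospital.local", 104, "tcp"),            # normal
    Flow("ip-camera-07", "203.0.113.9", 443, "tcp"),                     # camera to outside host
    Flow("mri-01", "pacs.hospital.local", 104, "tcp"),                   # device not in inventory
]


def build_baseline(inventory, flows):
    """Map each device class to the set of (dst, dport, proto) its members were seen using.
    Baselining per class, not per device, is what lets a policy for one pump cover all pumps."""
    baseline = defaultdict(set)
    for f in flows:
        cls = inventory.get(f.src)
        if cls is None:
            continue  # an unclassified device must not contribute to any baseline
        baseline[cls].add((f.dst, f.dport, f.proto))
    return dict(baseline)


def find_anomalies(inventory, baseline, flows):
    """Return (flow, reason) for flows from unknown devices or outside their class baseline."""
    findings = []
    for f in flows:
        cls = inventory.get(f.src)
        if cls is None:
            findings.append((f, "unknown device: not in inventory"))
        elif (f.dst, f.dport, f.proto) not in baseline.get(cls, set()):
            findings.append((f, f"outside baseline for class '{cls}'"))
    return findings


def allowlist_policy(baseline, cls):
    """Render a class baseline as allow rules followed by a default deny (vendor-neutral text)."""
    rules = [f"allow {cls} -> {dst} {proto}/{port}"
             for dst, port, proto in sorted(baseline.get(cls, set()))]
    rules.append(f"deny {cls} -> any")
    return rules


if __name__ == "__main__":
    base = build_baseline(INVENTORY, BASELINE_FLOWS)
    for flow, reason in find_anomalies(INVENTORY, base, OBSERVED_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    for cls in base:
        print("\n".join(allowlist_policy(base, cls)))
```

Note that the second pump’s flow to the pump server is accepted because the class baseline was learned from both pumps, while the SMB connection, the camera’s external connection and the unclassified MRI are each reported with a distinct reason; in practice the baseline would be rebuilt continuously as the inventory changes.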

Want to see this in action?  We would love to show you.

Reach out in the comments, email me, or request a demo here.