Why Healthcare Delivery Organizations Struggle with Vulnerability Management

Ordr protects three of the top five healthcare organizations in the U.S., and thousands of hospital sites all over the world with our connected device security platform, powered by our device knowledge base of millions of devices. We are a healthcare-first company and continue to innovate to help our customers address their connected medical device security challenges. Today, we’re excited to launch Ordr Clinical Defender 8.1, with a Full-Lifecycle Vulnerability Management Platform. This release is based on feedback from our healthcare customers, and is specifically optimized to enable HTM teams to see, prioritize and address all connected medical vulnerabilities and clinical risks.

Why is this a priority?

Quite simply, when you secure your devices, you secure patient care. The more efficient HTM teams are at managing and addressing vulnerabilities for healthcare devices, the better the organization is at delivering safe, connected care. But vulnerability management in healthcare is challenging. The exploding growth of connected devices, coupled with increasing vulnerabilities, a rise in cyberattacks and limited resources introduce various complexities.

In this blog, I discuss why this is a monumental challenge for many organizations, how Ordr is solving it, and the best practices you should consider. Here are the key topics, for those who want to skip to the sections important to them.

1. Vulnerability Management in Healthcare is Complex
2. Medical Device Full-Lifecycle Vulnerability Management
   • Device Classification
   • Vulnerability Identification (for the Whole Hospital)
   • Ownership Assignment (using a Centralized Platform)
   • Clinical Prioritization (to Improve Patient Care)
   • Compliance and Remediation (With maximum ROI)
3. Best Practices and Ordr for Healthcare Vulnerability Management

1. Vulnerability Management in Healthcare Is Complex

At the healthcare organizations Ordr work with, we see medical devices with a wide variety of make, model, and modalities from multiple manufacturers. Hospitals have at least about 2000 unique medical device types with 20 possible operating system variations. Each of the OS embedded has numerous variations with different levels of patching. It is not uncommon to see the total number of vulnerabilities as a multiplication of the number of device types and the associated vulnerabilities for each to amount to tens of thousands. This is a huge challenge unless a robust program (combined with technology) tackles it efficiently with the right prioritization methodology.

Moreover, growing ransomware attacks and the recently introduced cybersecurity bill indicate an urgency for quickly and efficiently tackling device vulnerabilities. However, this can be daunting for Healthcare Technology Management (HTM) professionals tasked with managing and maintaining the vast assortment of hospital tools and devices.

2. Medical Device Full-Lifecycle Vulnerability Management

2.1 Device Classification

It is critical that every device connected to a hospital environment is accurately accounted for and monitored 24×7. Ordr’s passive technology using packet captures and deep packet inspection provides the most comprehensive and granular inventory of devices in a healthcare environment. No other platform can confidently track and monitor 100% of every single connected device in a hospital. Other tools like Vulnerability Scanners only know about the devices they scan, and endpoint agents only know about the devices they are installed on. Ordr moves this process from a one-time activity that happens periodically to continuous monitoring of devices connecting to the network and continuous tracking of new vulnerabilities published daily.

Ordr has comprehensive and accurate classification methods to understand a medical device’s make, model deeply, and modality (how it is configured and deployed in a specific hospital) and then accurately understand the underlying OS down to its patch levels. Once a device’s OS and patch level are determined, Ordr’s vulnerability matching engine compares that to publicly available vulnerability databases, FDA notices, manufacturer’s declarations, etc., to get a complete list of all vulnerabilities. This is one of the most challenging aspect of vulnerability management that Ordr simplifies for HTM users.

2.2 Vulnerability Identification for the Whole Hospital

Vulnerability management starts with visibility. It is critical to be able to gain granular visibility and complete asset inventory for every device in the hospital.

• Medical devices – The complexity of vulnerability management with most hospital equipment is trifold.

1. Medical equipment very often cannot be scanned like IT endpoints that run standard operating systems. An utterly passive mechanism is needed to understand their vulnerabilities based on how they operate. Since these medical devices provide patient care 24×7, any scanning attempt that intensely interrogates the devices with various deep and continuous scans can cause severe disruption in the device’s performance and more often brings down the device in the middle of providing patient care.
2. Patch Tuesday isn’t an option. Hospital IT teams cannot simply download a patch from OS providers like Microsoft. Every change in the underlying OS needs some level of retesting of the medical device for recalibration of the performance and could also trigger an FDA validation for critical compliance. Usually, manufacturers provide patches; in practice, that patch is hard to come by quickly when a vulnerability is detected. Patching is an activity that needs to be done in close cooperation with the manufacturer and is a carefully planned activity so as not to disturb the patient care workflow.
3. Medical manufacturers do not always provide a Software Bill of Materials (SBOM), Manufacturer Disclosure Statement for Medical Device Security (MDS2), and other field-deployment-related guidance on risk, which could make the vulnerability management life cycle complex in the long run.

• OT devices – While all enterprises depend on operational systems like building management, elevators, HVAC, UPS, etc., to function smoothly, the criticality is exponential in healthcare. Imagine an operating theater without power or access to elevators and an ER without the ability to admit new patients or access diagnostic systems. A hospital is a single unified inter-dependent entity where all systems need to function at the highest level of resiliency. An attack on one is an attack on all. Identifying vulnerabilities on these devices requires passive methods of understanding the OT systems. For instance. OT systems like building management systems need to be accurately inventoried and classified to understand its make/model/OS/patch levels and its associated vulnerabilities correlated to well-known vulnerability repositories like ICS-CERT.
• IoT devices (including office equipment and security/surveillance devices) – While these include everything from office equipment (printers, phones, video conferencing systems), sound bars to treadmills, vending machines, and gaming devices in rec rooms, hospital IT teams typically do not isolate these systems very well. The criticality of video cameras, badge readers, security alarms, and digital wall clocks is still high in hospitals but has the same issue as standard office equipment. Most scanning solutions do not offer the make and model details. Again, passive techniques to detect their device type make/model/OS/patch level are needed to assess their vulnerabilities accurately.
  • Combined and interconnected with other medical equipment, they pose a massive challenge as it is easy for a hacker to compromise them and move laterally. For instance accessing these insecure devices and then, quickly laterally move and take over a Picture Archiving and Communication System (PACS) server that has thousands of patient scan images would be mission impacting
  • Understanding the exact device types of IoT like make/model/OS/patches and associated vulnerabilities require various additional techniques like making direct queries to the device using protocols these devices speak to, interrogating and getting their operational characteristics and executing probes to get an accurate picture of the OS/patch level and the software installed on those devices.
• IT devices – Most scanning tools can periodically scan IT devices, understand their vulnerabilities, and generate a report. Ordr has APIs built for well-known vulnerability scanning platforms to kick start a scan, pull information from it, correlate it to devices in Ordr’s device database, and store it for management. However, IT devices need to be monitored continuously, covering the complete software stack installed on them and accurately tracking users logging on to the devices and local accounts created that are not under the control of the AD/Domain controller.

Every device everywhere (including those at remote clinics, and behind VPN/gateways)

More importantly, being unable to manage vulnerabilities for IT devices going off the grid and dialing back in from remote locations leaves enormous blind spots. This also applies to telemedicine and remote clinics. A care provider’s laptop while off grid accessing precious medical records is still a high risk one that needs to be monitored continuously. Vulnerability scanners need the device connected to the corporate network to send scanning packets to extract data based on their response. This is done both with full authentication and sometimes without authentication. But if the device is remote, there is no way to run scans continuously.

With the changing remote-hybrid work landscape, laptops connecting to insecure sites, possibly pulling malicious software, making an update or running wrong patches, and inaccurate/outdated inventory of software installed on that machine while they are off the grid pose a considerable risk. The nature of hybrid means they may not come and connect back to the corporate network any time soon and only click through VPN and other means.

Ordr “whole hospital” approach enables visibility for every device connected to the healthcare network – medical devices, OT devices, IoT devices to traditional IT systems. Clinical Defender 8.1 introduces our Ordr Software Inventory Collector. This feature uses features available in each device’s  OS to send reports of software inventory of those systems along with the latest OS patch level for continuous monitoring. This enables visibility for Windows, MAC, and Linux devices connected via VPN even if they are offline.

Utilizing Vulnerability Scanners Effectively in a Clinical Environment

Unleashing any scanner in a hospital environment can be a dangerous move. The chance of knocking down a clinical device is exceptionally high. Unfortunately, vulnerability scanners do not have good visibility into the type of device and tend to scan all the devices broadly in a sweep in a specific subnet.

The Ordr platform provides the orchestration layer to send scan jobs to the vulnerability scanners with a list of IPs that excludes critical medical devices for scans and then pull those reports for storage in the Ordr platform.

2.3 Ownership Assignment Using a Centralized Platform

Consolidating vulnerabilities

The need for a central platform to be a repository of all devices and their associated vulnerabilities is paramount now, given the increase in attacks and the complexity associated with vulnerability management in healthcare settings.

Vulnerability scanning platforms typically produce a report each time they scan using a set of IP addresses. When vulnerability scans happen every quarter or six months, during which the IP address of devices changes, there is no way to correlate two consecutive scan reports from a vulnerability scanner to understand the progress made in vulnerability management.

Ordr is the only platform that correlates these IP addresses to MAC addresses, and then the device makes/model/type to help prioritize and understand clinical business risk.

Assigning ownership

Sometimes ownerships cross the device type boundaries and can be complicated. An HTM department may own almost all medical and office-connected devices in a building that even includes phones, printers, nurse call stations and endpoints in clinical diagnostics. It is not a simple case of assigning ownership based on device group or type. A flexible, scalable, and easy transfer of ownership based on region and location is essential. Also, asset/CMDB data like ownership, cost center, and business criticality need to be considered while assigning ownership. Each department within a hospital that takes ownership of the vulnerabilities must assign further these vulnerabilities to each person responsible for those devices to prioritize and focus the  work accordingly.

Enhancements to Ordr Data Shaper allow each HTM user to focus on the devices and insights that align precisely with their specific business function group and role. For instance, vulnerabilities are prioritized and assigned to individual HTM personnel based on device type, hospital ID, department, cost center, etc. Ordr Custom Tags help improve workflows, for instance moving the vulnerabilities from one person to another, adjust severity, add comments, and track state change.  The product customizes itself to show only those vulnerabilities on the front dashboard to track progress and provides summary management reports at many levels.

2.4 Clinical Prioritization to Improve Patient Care

With hundreds of thousands of devices reporting hundreds of vulnerabilities, organizing and prioritizing becomes daunting. A disciplined approach is needed to prioritize them according to business impact and assign them to the right owners inside the organization.

For risk prioritization, the CVSS is an excellent proxy for understanding the severity of vulnerabilities. Still, it is also essential to look at other frameworks such as ANSI, AAMI, NIST, ISO, FAIR, Risk IT, or JGERR, for supplemental guidance and a more comprehensive understanding to recalibrate them, going back to the foundational principles of Integrity, availability, and confidentiality.

Since healthcare organizations have complex organizational boundaries based on clinical and patient care and not according to the IT needs of a typical enterprise, organizing the data according to ownership is essential.

Ordr’s deep and comprehensive visibility of devices, their operating context, and traffic flows provides a number of key indicators to answer the following considerations for prioritization. Ordr insights can be used as a way to flexibly assess the risk score of a device. Risk score customization helps to prioritize and assign resources to work on the most pressing vulnerabilities.

• How widely does this vulnerability affect the device population of an enterprise?
• What is the level of business criticality concerning cost or other metrics?
• What is the impact to hospital brand and service if impacted – send ambulances to nearby hospitals and postpone elective surgeries?
• How well is the vulnerability exploited in healthcare – like the MAUI ransomware from Korea was targeting healthcare very closely?
• How open these systems are to the external world from a firewall policy perspective?
• How open these devices are to other device in the network with respect to isolation and segmentation perspective?
• How much PHI/PII these devices, that includes medical workstations and servers have? the more they serve as a central server, the more priority they need to get to resolve their vulnerabilities quickly.
• How tightly these devices are configured with respect to open ports?
• How well they are managed with domain controllers; If the device is not part of the domain controller scrutiny should be made more closely on those devices?
• How well they follow data encryption standards and how well they use strong ciphers while transferring data?

Clinical risk assessment

In the hospital, the risk is derived from various device related factors and operating conditions. While understanding the cyber threat is foundational, the clinical context in which the device operates in a patient care setting is a critical consideration. Business impact needs to be quantified on how quickly and broadly these risks affect the operational resilience and how well one can safeguard the devices carrying PHI/PII data. Without this clinical risk-driven prioritization, patient care availability and safety cannot be guaranteed.

Ordr Clinical Risk Scores deliver the following details about devices and clinical risks, and can be customized by every organization:

• Aggregate Cyber Risk (vulnerabilities, external access to phishing/C&C type sites), Internal Communications (access from unprotected non-medical devices, the criticality of the device)
• Environmental Risk (Polluted medical VLAN, isolated or segmented device, access thru wireless, etc.)
• PHI Exposure Risk (sending data without encryption or with weak ciphers, based on manufacturers’ disclosure, device portability, etc.)
• Clinical, Operational Risk (Physical Risk, equipment in ER vs. OR vs. stroke protocol center, is the device mission criticality of the device, what mitigations are applied, and location of the device)

2.5 Compliance and Remediation with Maximum ROI

Once healthcare organizations have a central platform with vulnerability information from different sources independent of how it is collected, workflow organization is critical.

Some of the critical capabilities essential to managing vulnerabilities efficiently can be found using the new “Business Function Grouping” feature in Ordr Clinical Defender 8.1. They include the ability to:

• Assign vulnerable devices based on hospital ID, department (HTM, endpoint, infosec, facility, etc.). Each department needs to focus and work on the devices they are responsible for and assign individuals who would work on those vulnerabilities. It is also possible to completely restrict those individual users to only those devices that they are responsible for. You also need a platform to do this much more dynamically, filtering by any business function grouping of devices.
• Create a focus group. For example, if this month’s goal is to work on all medical servers (like PACS) that house a lot of PHI data, then filter and have only those devices present every time one logs into the tool that month.
• Assign custom tags to draw attention to a co-worker, so the device passes from one person to another.
• Temporarily ignore some vulnerabilities. Often manufacturer-provided patches are unavailable immediately, or these devices are in the research department, not put into routine patient care, and are isolated from the rest of the hospital operation
• Modify risk, although the original risk per the attached CVE could be very high based on the operator’s judgment. Ability to clear vulnerabilities once patches are applied. Sometimes it is conceivable to increase the risk and priority of vulnerabilities of specific devices like CTs and ultrasounds in stroke protocol trauma centers.
• Track the status of vulnerabilities that fixed, assigned, or ope with the name of the person working on it.

Reporting and Compliance Enterprise-Wide

While manpower and budgets are a key consideration to determine the return on investment, the time it takes to remediate is also a critical as the longer there is an exposure window, the greater the chance of a breach.  Resources need to be applied in an intelligent way to remediate critical vulnerabilities and get maximum return on investment.

Ordr offers an ability to keep a close watch on progress using various metrics and reporting as follows:

• Generate reports on-demand. For example, the flexibility to run select region, hospital, department, ownership, OS, and device type allows running reports on the fly.
• Customize reports for senior management visibility.
• Provide APIs that send data to a central corporate-wide tracking database.

Ordr makes reporting and customizations easy with a customizable risk score to adjust the weight ages for vulnerabilities, executive reports to provide summary insights into vulnerable devices, and a dedicated vulnerability report highlighting the impact of new open vulnerabilities on the organization.

Ordr also integrates and exchanges information with leading enterprise vulnerability scanners like Tenable and Rapid7 to provide enterprise wide reporting capability. Ordr also integrates with CMDB solutions like ServiceNow and their vulnerability management systems, allowing healthcare organizations to run corporate-wide reports for governance. Ordr collects medical and other device data and sends all the granular classification details, vulnerabilities, context, security, and operating details to these platforms.

Remediation

Based on various prioritizations, a project plan needs to be maintained, and remediation efforts tracked. Ordr provides an easy way to clear a vulnerability, change the state of the device and a comment field to add notes on the multiple steps towards remediation (called the vendor, the patch is available at this date, etc.

3. Best Practices for Vulnerability Management in Healthcare

Ordr recommends creating focus groups for each owner, with dedicated efforts on addressing critical vulnerabilities within 30 days, and with continued efforts by a few focus groups at a time. Once critical vulnerabilities are addressed, drill into high-risk vulnerabilities with the same focus group and ownership approach and remediate them within 60 days, It is always good to test the patches in a test or lab scenario before incorporating them on devices in clinical setting to reduce risks of downtime.

Ordr also recommends understanding device types and designing a strategy according to the device groups such as:

• IT systems that are not in clinical function – it is highly recommended that those devices are updated with the latest and most secure OS levels and associated patch levels.
• Medical devices that run  Windows (a large device group in a hospital) – it may be impossible to upgrade the OS versions as it might trigger calibration and certification; in this case apply all the patches within their OS level.
• Medical devices that are unique versions supplied by the manufacturer — a patch request must be made to the manufacturer; it is important to fix these vulnerabilities ASAP
• IoT and OT – since neither the IT teams nor the supplier may be available to provide patches, the best course would be to segment them into specific network segments or VLANs, and closely control their interactions with the rest of the clinical devices.

Whether patches are available or not, it is best practice to follow the following proactive prevention best practices:

• Restrict external connections and allow only those absolutely critical connections to manufacturer’s sites at the perimeter firewall
• Understand supervisory protocols like RDP that are sometimes opened for manufacturing diagnostics and closely watch and close those just as soon as the maintenance window is over.
• Watch for all supervisory protocols like SSH, Telnet, RCP, etc., and make sure they are all only allowed from admin jump servers handled by authorized admins.
• Apply zero trust policies to only allow the most crucial and relevant communications for every device at the switch level if they are wired, at the AP/wireless-controller level if they are connected thru wireless, or at the firewall level both at the perimeter and the data center.

Ordr Clinical Defender with Vulnerability Management

Ordr is the only comprehensive and integrated platform that simplifies vulnerability lifecycle management for healthcare organizations of all sizes. We introduced Clinical Defender earlier this year, addressing HTM challenges with precision focus, and have now proudly added vulnerability management as we continue to innovate and address our customers’ most critical challenges. Clinical Defender now aggregates  vulnerabilities for various device groups across all vulnerability management solutions, organizes them by hospital/department/owner, prioritizes by risk, and tracks the complete lifecycle from the initial assessment of a device to final remediation.

We are grateful to the various healthcare users that worked with our engineering and PM teams on this release.

To learn more about Ordr Clinical Defender 8.1 and how it can help your HTM team stay on top of connected device security, visit the What’s New and Clinical Defender pages and sign up for the Ordr Masterclass on September 15, featuring a deep dive into Ordr Clinical Defender 8.1 features.

Side Note: In a typical HTM department, inherent operating system (OS) vulnerabilities due to unpatched systems are the highest priority, much before tackling other security issues that may require implementing zero trust segmentation policies. This article discusses only vulnerabilities related to inherent OS/Patch levels. Check out other behavior and traffic flow related vulnerability discussions:

• Detecting Ryuk Ransomware with Ordr – Security Bulletin
• Solving IoT Security Challenges with Behavioral Analytics – Blog Post
• Ordr Security Brief and Response to Maui Ransomware – Blog Post
• Building a Better Second Line of Defense – Blog Post