As healthcare technology advances, so do the many pervasive and complex threats for Healthcare Delivery Organizations (HDOs) and their patients.

Bad actors are increasingly interested in accessing Protected Health Information (PHI) , and it’s becoming challenging to safeguard patient data contained in Internet of Medical Things (IoMT) and other connected devices. Between 2009 and 2021, over 4,400 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services (HHS) and included the loss, theft, exposure, or impermissible disclosure of 314,063,186 healthcare records. So how can HDOs keep up with an ever-changing threat and risk landscape?

One of the key best practices is by addressing vulnerabilities associated with connected devices in the network. These vulnerabilities can be exploited by threat actors and used to gain unauthorized access, run malicious code, install malware, steal data, or even move laterally within a network. 

Proactively identifying vulnerabilities and assessing their severity level helps security teams prioritize and respond to issues before data loss occurs. A solid vulnerability management program enhances the overall security posture of the organization, protects patient data, prevents unauthorized access, and reduces risk. 

But implementing vulnerability management best practices is easier said than done. In this post, we’ll explain what vulnerability management is, how it works, and what you should look for in a solution.

What is Vulnerability Management?

Vulnerability management is the continuous process of identifying, analyzing, classifying, addressing, and reporting on vulnerabilities found across organizations, within operating systems, applications such as electronic medical records software and medical devices such as network connected infusion pumps, and MRI machines. 

Security teams constantly track vulnerabilities and the severity of these vulnerabilities (typically via common vulnerability scoring systems (CVVS)) to identify potential risks in real-time as part of the vulnerability management process. The best organizations identify and prioritize the highest priority vulnerabilities and close existing security gaps before they are exploited. Operating at that level requires robust tools and well defined techniques.

Agent-based solutions and vulnerability scanning software are some of the most frequently used tools for vulnerability management with the ability to identify known vulnerabilities across various systems in the environment. However, these tools have limitations when it comes to the connected devices such as IoMT, IoT and OT devices that nurses, doctors, caregivers, and patients depend on daily. Many of these devices cannot accept agents and cannot be scanned for fear of impacting operations. HDOs need special connected device security solutions to monitor those devices for vulnerabilities and protect them from threats and exploits.

Any vulnerable device connected to the network can put patient safety at risk or impact care with delays to services.

Protect Vulnerabilities from Exploitation

An exploit is an attack that takes advantage of a vulnerability within a system. Bad actors look for software vulnerabilities, exploit them to gain entry into a network, and then employ methods to steal, destroy, or encrypt data or disrupt services . For instance, a cyberattacker might exploit a vulnerability in a medical device to gain access, and then install a ransomware. A threat is something that will exploit a vulnerability. And risk is the likelihood that a threat can exploit a vulnerability.

Security professionals aspire to minimize risks, threats, and exploits at all costs. Vulnerability management is one way to mitigate the risks to an organization. But security teams can take several other measures, such as:

• Training employees: All healthcare workers should know their role in helping to keep the organization secure and understand cybersecurity best practices. They should always use strong passwords when logging into their electronic medical record (EMR) system, lock any computers or tablets between patients, and log out of any connected devices or machines after use. Organizations should also provide regular awareness training and keep their cybersecurity policies up-to-date as a resource for employees who aren’t sure what to do in a compromising situation.
• Implementing traffic filtering and scanning: Filtering and scanning web activity increases a security team’s visibility and gives them a chance to stop suspicious traffic from entering the organization’s site. 
• Segmentation: Through proper segmentation, infected networks can be closed off, effectively quarantining a risk within a system.

Translating these high-level best practices into actionable steps is an easy way to mitigate vulnerability risks.

The Vulnerability Management Process

There are five stages in the vulnerability management process. Below, we cover each one in detail.

1. Discover and classify devices

Every network connected device should be accounted for — from infusion pumps and imaging devices to tablets and smart speakers. The number of devices like these in a healthcare setting ranges in the thousands, and it can be difficult to see an organization’s entire connected footprint. Visibility of the number of devices, device type, operating system, where they’re located, and how they’re used are critical details needed for vulnerability management. Accurate classification of these devices, down to the make and model, exact operating system version, and other software details can help Healthcare Technology Management (HTM) professionals maintain a list of potential vulnerabilities.

Knowing where these devices are and how they are typically used can make locating and patching vulnerabilities easier. Knowing what devices are in your network also allows you to identify the scope of your vulnerability management program – for example, there may be specific types of devices that will not be scanned for fear of disrupting services, such as an MRI or imaging device . 

2. Identify vulnerabilities

Undetected vulnerabilities put organizations at risk of security breaches. There are a few techniques to identify vulnerabilities on a network, including active and passive scanning.

Active scanning can help you proactively identify and close any gaps with network connected, managed assets such as laptops. This type of scanning involves a software agent that is deployed on devices to test them and collect data on potential vulnerabilities. Agents cannot be deployed on many IoT, IoMT, and OT devices so you need specialized connected device security solutions to identify vulnerabilities on those devices.

Passive scanning reaches out from the server to network assets, and does not require the agents that active scanning does. This eliminates the need for additional software on devices. However, agentless scanning could impact device operations so it is not an option for many connected medical devices.

In order to prevent the impact to critical devices that could impact patient care, passive techniques are needed to gather device, operating system, and software details. This way, IoT, IoMT, and OT are not impacted while the make, model, OS, and patch level details of each is identified.

3. Prioritize vulnerabilities

The goal of an efficient vulnerability management process is to identify the most relevant, high-risk vulnerabilities in order to prioritize security efforts and address them. As part of the vulnerability identification step, each new vulnerability should be prioritized based on its potential risk to your organization and your patients. 

Thankfully, you won’t have to do this manually — there are many solutions that provide vulnerability risk rating capabilities. While this information is helpful, it’s much more valuable when combined with specifics about your organization and environment to understand the true priority.

The highest-risk vulnerabilities should be prioritized and tackled first. 

4. Ownership assignment 

Ownership across different device types can be complicated for HDOs: different teams may be responsible for medical, IT and facilities devices, including devices as varied as infusion pumps, nurse call stations, laptops, printers and HVAC systems. Organizations need clear ownership definitions and a process to identify owners which may be based on details such as region, location, cost center, department, and business criticality.

Make sure your vulnerability management system notifies device owners including IT personnel and security engineers whenever a new vulnerability is assigned, and consider creating reports to show what vulnerabilities each person is responsible for. Many vulnerability management platforms allow you to assign custom tags to each staff member, making it easy to assign and group vulnerabilities. Once vulnerabilities have been assigned to appropriate staff, they’re patched accordingly.

5. Verify remediation and compliance

The final stage of the process is verifying that vulnerabilities have been addressed through remediation or by applying the proper mitigations. Engineers should follow proper testing protocols to ensure remediation is completed successfully and track each vulnerability’s status over time to document their progress. You should also pull reports of vulnerabilities on devices that cannot be patched. For example, manufacturers may provide patches on a regular release schedule, and you may need to segment or quarantine these affected devices until that update is available. 

By adhering to these steps and adopting modern vulnerability management software, organizations can ensure that critical vulnerabilities don’t fall through the cracks during continuous monitoring. Make sure that your vulnerability management system can run organization-wide reports for governance, too. It’s critical that you adhere to reporting for regulatory bodies, and comply with frameworks such as ISO 27001 and HIPAA. Otherwise, your organization could face consequences like federal fines.   

Vulnerability Management Solutions

While modern technologies can revolutionize the way we work, they can also put our organizations and patients at tremendous risk. Comprehensive vulnerability management can maximize security and minimize the threat of exploitation. Establishing a thorough vulnerability management process and deploying extensive employee training are a good start. But what organizations really need is software like Ordr.

Ordr is an AI-powered platform to discover all connected devices, identify their vulnerabilities, assess risk, and provide capabilities to improve your security and ultimately the protection of your organization and patients. Unlike traditional vulnerability scanners or agent based tools, Ordr works passively to protect the IoT, IoMT, and OT devices connected to your network. This limits the potential impact and disruption to those devices while improving your security. 

Ordr works with your traditional vulnerability management solution to ensure that there is a seamless strategy to manage vulnerabilities in managed and unmanaged devices across the whole hospital. For example, healthcare organizations today may have parts of the network with medical devices that are not scanned at all. Ordr enables tools such as Tenable and Rapid7 to have visibility into parts of the network that were previously not included in scans, along with detailed inclusion and exclusion details. This enables comprehensive vulnerability coverage without risk of disruption.  

As we stand at the threshold of a new year, it’s time to reflect on the crescendo of achievements, growth, and unwavering commitment to innovation that defined Ordr’s remarkable journey through 2023. Join us in revisiting the symphony of passion, a customer-first philosophy, and excellence that set the stage for an even more promising 2024.

Passion in Progress: A Year of Growth

The heart of Ordr has always pulsed with unbridled passion for progress, and 2023 was no exception. With year-to-year growth in annual recurring revenue of nearly 250%, Ordr surged forward, reinforcing its leadership in healthcare and expanding its influence across diverse industries. The passion to embrace digital transformation and fortify against evolving risks drove our enterprise partners to recognize the significance of safeguarding every connected asset. Ordr emerged as a trusted partner, ensuring that enterprises transform and do so securely.

Customer-First Spirit: Orchestrating Security

At Ordr, the mantra of “customer first, customer last” is a guiding principle woven into the fabric of our daily operations. Our support team, fueled by the indomitable spirit of dedication, ensured that our customers felt the warmth of our commitment. From yearly SOC2 audits and penetration testing, to periodic security bulletins, every action was a testament to our customer-first approach. We provided white-glove service to marquee clients and worked with all of our customers with supreme care to ensure the security of each. We frequently got in front of our customers and listened to their comments, experiences, and suggestions and used that input to improve our products and help them to be successful in their security maturity journeys.

Excellence Unveiled: Product Evolution

Ordr’s commitment to excellence was unwavering in adding features that continuously kept us ahead of the competition while addressing and anticipating market demand. The symphony of innovation and R&D translated into 13 software releases, featuring over 100 new enhancements released at a cadence of every two months. The harmonious introduction of unique features, collaborations with industry giants, and addition of many major new integrations showcased Ordr’s dedication to staying ahead of the dynamic threat landscape. Ordr now has robust, bi-directional integrations with several major players in areas like endpoint detection and response (EDR), mobile device management (MDM), vulnerability management, threat intelligence feeds, security information and event management (SIEM), IT service management (ITSM), network access controls (NAC) and firewalls, network infrastructure management, data center, cloud, endpoint management, medical devices, computerized maintenance management system (CMMS), and more. Our product line enhancements are reflected in our technological prowess and a commitment to protecting mission-critical equipment and services for our customers.

A Year of Recognition: Industry Accolades and Partnerships

Ordr’s capabilities echoed far and wide, resonating through accolades and strategic partnerships. With our ServiceNow integration, we ensure our customers’ asset inventories are always accurate and up-to-date. We also work closely with Crowdstrike to secure every asset for our customers—agentless and agent-based. Segmentation and Zero Trust continue to be key strategic projects for every one of our customers, and we have had long term partnerships with Cisco, Aruba and Fortinet on these.

With the GE HealthCare CARESCAPE network, we help provide customers with enhanced self-management capabilities for their critical patient care devices. And with Sodexo Healthcare Technology Management, we enable the creation of a new managed healthcare technology management (HTM) services. Our expanding network of partners around the world further ensures that more enterprises will be able to protect their assets and networks with Ordr.

These efforts have raised our profile significantly. Ordr was recognized in Gartner Market Guides and Hype Cycles, underlining our expanding influence across all industry sectors. And many trade publications recognized us as a startup visionary, digital innovator, vanguard vendor, and IoT security leader, adding to the chorus of affirmations for our passion and excellence. During 2023 Ordr was:

• Named to the 2023 Startup 50, recognizing innovative technology companies solving real industry problems.
• Named a “Leading Security Visionary” in the annual Enterprise Management Associates (EMA) Vendor Vision Report.
• Named a 2023 Intellyx Digital Innovator Award winner by research firm Intellyx.
• Named among the 10 Coolest IoT Security Companies: The 2023 Internet of Things 50 by CRN.
• Named a 2023 Vendor on the Vanguard by ChannelPro.
• Named a Soonicorn on Tracxn’s “Internet of Things Infrastructure Startups 2023” list of top IoT companies to watch.

Building a World-Class Team: Talent Ready to Rock

The backbone of Ordr’s success lies in its world-class team. In 2023, the roster was fortified with C-level additions like Chief Healthcare Officer Wes Wright and Chief Revenue Officer Kevin Arsenault. We also expanded our customer success and field teams to leverage the massive opportunities in markets like financial services, manufacturing, government, bioscience, higher education, and healthcare. These additions bring Ordr deep industry experience and strategic vision to propel our business performance. The dedicated and richly talented Ordr team has translated to results in the product and market, including:

• 13 software releases, including Ordr 8.2, FIPS release, and bi-monthly patching.
• 100+ new features, including GUI enhancements, business intelligence analytics, parsers, and customer-specific implementations.
• 20+ new integrations in various categories, including MDM, EDR, firewall, maps, cloud asset, vulnerability assessment, CMDB and service graph connector, and more.
• Proof-of-concepts with major financial services, healthcare, educational, manufacturing and other organizations around the world.
• Annual SOC2 audit and pen testing.
• Migration to new threat intelligence feeds.
• Publishing security bulletins for emerging threats like MOVEit, Wayze Cameras, Cisco products, and more.

AI Driven Approach: Device Classification and Zero Trust Policies

Traditional policy-based management is becoming obsolete, giving way to AI-driven policy recommendation engines. We want to make it easy for our customers to gain accurate insights to reduce their attack surface and secure every asset, enforced on the networking and security products they’ve already invested in.

Ordr’s policy recommendation engine harnesses an extensive collection of device intelligence and behavioral models amassed in the Ordr data lake over many years. This curated knowledge base leverages machine learning and empowers Ordr to effectively categorize, compare, and analyze millions of devices operating in similar environments. Key capabilities of our Policy Recommendation Engine include:

• Behavioral Analysis: Analyzing vast datasets to identify patterns, anomalies, and trends in device behavior.
• Context-Aware Policy Generation: Generating context-aware policy recommendations tailored to the specific needs of a customer’s environment.
• Continuous Learning and Adaptive Policies: Adapting insights from ongoing network activities to manage policies in real time.
• Scalable Policy Comparison: Efficiently analyzing and comparing policies across millions of devices in real time.
• Proactive Anomaly Detection: Identifying deviations from established norms to enable policy adjustments before potential threats escalate.
• Threat Intelligence Integration: Applying information from threat intelligence feeds to enhance the engine’s ability to identify and respond to emerging threats.

2024: Our Time to Shine

Ordr continuously invests in our AI capabilities to provide easy data access and search capabilities using generative AI techniques and the fruits of those investments will be made manifest in our product roadmap and roll-out in the coming months. That is why I look forward to 2024. The stage is set for another Ordr grand performance. Our team, fueled by passion, a customer-first philosophy ingrained in our DNA, and a commitment to excellence, will continue to deliver bigger and better ways for our customers to manage their expanding asset inventories and attack surfaces.

We stand at the right place and time, armed with the best product in the industry and a great team. Together, we embark on a journey where success is not just a goal but a certainty. Here’s to the symphony of passion, the harmony of customer-first values, and the crescendo of excellence that will define Ordr’s triumphs in 2024.

AN INTRODUCTION TO NETWORK ACCESS CONTROL (NAC)

For decades, network access control (NAC) standards such as IEEE 802.1X (which defines resources that can be shared over a network using ports) and WPA (which enforces access control and data encryption for wireless networks) have helped to protect devices and users. But organizations face a new set of challenges today, and traditional NAC strategies are not always well-suited to handle.

Unfortunately, devices comprising the Internet of Things (IoT) are not always supported by traditional NAC protocols, and the proliferation of “shadow” devices requires new approaches to NAC. This article defines NAC, explains the benefits and limitations of NAC, and discusses best-practices for optimizing NAC strategies on modern networks.

What is network access control?

Network access control, or NAC, is the set of tools, processes and protocols that govern access to network-connected resources. It is a multifaceted discipline that involves access control solutions for different types of resources, including conventional PCs and servers, and also network routers, IoT devices and more.

NAC also applies to data that travels over the network, and the resources it helps to secure may be physical (as in the case of hardware routers or servers) or software-defined, virtual resources (such as a software firewall or a virtual machine).

In addition, NAC extends beyond access control narrowly defined to include device identification, threat monitoring and policy-based management of access control for networked resources. It also addresses the security requirements of both wired and wireless networks, although, as we discuss below, NAC considerations sometimes vary between these two contexts.

When/why do you need network access control?

Whether you have a small network with just a handful of devices or a sprawling enterprise network that includes thousands of devices,  you need NAC for IoT security. Why? NAC is a critical component of your overall security strategy, and for several reasons.

Unauthorized devices

It’s easy to add devices to a network, but not always so easy to track them. As a result, organizations run a high risk of having unauthorized devices on their networks.

Employees may bring personal computers or phones to work and connect them to the network without properly registering them under the terms of your company’s BYOD policy, for example. Or, an IT team might set up devices for testing purposes and then forget about them, even though they are still running. Resources like these become “shadow” IoT devices that are connected to your network but not properly managed.

NAC helps to prevent unauthorized devices from being joined to your network in the first place, while also identifying those that exist so that you can take them offline or make sure they are secured properly.

Outsider access

Large organizations regularly work with contractors, partners and third-party suppliers, and must sometimes grant these external stakeholders access to their network. Without an effective NAC strategy, it’s very difficult to guarantee that these outside devices are properly secured and don’t become a vector for attack into your network. It’s also difficult to ensure that the devices are disconnected when they are no longer needed.

Data privacy laws

Government agencies and industry groups have introduced increasingly strict regulations and data privacy laws that govern which types of data are collected and stored by an organization. Without NAC, companies lack visibility into the types of resources that exist on their network and whether special compliance rules may apply to them.

For these reasons and more, organizations seeking to stay ahead of security challenges and regulatory issues must develop an effective NAC strategy.

NAC capabilities and limitations

NAC is a powerful component within a broader cybersecurity strategy. However, NAC is not a panacea. It’s important to understand which security risks NAC can and cannot address.

NAC capabilities

NAC excels at addressing several traditional types of security needs:

• Conventional network visibility: NAC can help identify which devices exist on your network, who has access to them and how they can share resources with each other.
• Endpoint security technology: NAC helps ensure that network endpoints—meaning physical or virtual resources that can send or receive data over the network—are secured against known vulnerabilities.
• Authentication: NAC policies ensure that users and devices authenticate properly before they are allowed to use a network by, for example, preventing a computer from joining a wireless network unless its user enters the right passphrase.
• Network security enforcement: NAC can identify instances where devices are not compliant with authentication or security policies.

NAC limitations

Despite these strengths when it comes to managing authentication for users and known devices, NAC is subject to several limitations in other respects.

Low visibility into IoT and unmanaged devices

One of the major limitations of NAC is that it is effective in managing security risks only for known devices, and devices that are associated with human users (like a PC or server). A device that is joined to the network and has no specific user or group of users associated with it, such as an IoT sensor, is more difficult to manage via NAC. These devices may not support traditional authentication protocols or security certificates due to hardware capacity limitations or a lack of user input.

As a result, organizations often default to trusting these devices blindly and excepting them from standard NAC rules.

Network access control for wired networks

While access to wireless networks is typically secured using protocols like WPA, wired networks often have no such controls in place. They often assign an IP address via DHCP and give full connectivity to any device that is plugged in (and even if they don’t assign an IP address automatically, the device or user can configure one manually).

This approach is convenient because it eliminates the need to manage access credentials for wired devices and users. Organizations sometimes assume that the security risks are low because only users with physical access to their infrastructure can plug in devices. The reality, however, is that unsecured wired networks are prime vectors for shadow devices to enter an organization’s infrastructure.

Monitoring for threats post-access

Because NAC focuses on controlling access to networks, it is effective only for protecting against threats that are external to a network. It doesn’t detect breaches after they occur, or protect against “insider” threats that originate on an already-authenticated device.

Ability to establish policies for devices

Unmanaged, non-user devices, such as IoT hardware, often rely on special communications protocols that are not supported by standard NAC authentication policies or tools. Faced with this challenge, organizations end up choosing between granting these devices an exception from NAC rules, or building very complex policies to accommodate them. Both approaches are far from ideal.

NAC use cases

Although traditional NAC is subject to certain limitations, NAC strategies can effectively support security needs for modern networks and workloads by taking advantage of next-generation tools or processes. Following are some examples of how NAC can address common challenges faced by organizations today.

NAC for incident response

Although NAC doesn’t detect threats post-access, NAC data can be incorporated into security monitoring platforms that use artificial intelligence (AI) or machine learning (ML) to detect threats. For example, by collecting data about normal access request patterns and analyzing it for anomalies, security monitoring tools can discover unauthorized devices that were mistakenly granted access to the network. In turn, the tools can generate alerts so that engineers can react.

NAC for BYOD

NAC can mitigate risks associated with BYOD policies—which allow users to bring their own devices onto a company’s network—by using a mix of policy management, profiling, and access control to safeguard networks from unmanaged devices. For instance, an NAC tool could require users of new devices to complete a form in order to register their device before it is granted access to the network. A major limitation here, however, is that this approach won’t work for non-user devices.

NAC for IoT

On IoT networks that include hundreds or thousands of devices, NAC helps to manage inventory so that organizations have continuous visibility into which IoT devices exist and when they go online and offline. In addition, NAC tools allow teams to “lock down” IoT devices by enforcing a policy of least privilege or blocking devices from the internal network until they meet the criteria of the organization’s security policy.

NAC for medical devices

Medical devices that collect data about patients or, in some cases, are implanted inside them, can be used as gateways to collect sensitive data, such as protected health information or financial systems. NAC can mitigate these threats by segmenting medical devices from the rest of the network in order to minimize the attack surface. It can also ensure that medical devices are connected only when necessary, which also helps to minimize opportunity for attack.

In short, NAC can play a powerful role in a cybersecurity strategy, but it should never be the be-all, end-all of your cybersecurity strategy. You must instead understand and prepare for its limitations, especially when it comes to unmanaged devices and devices that don’t have human users.

Optimize your NAC deployment with Ordr

NAC is one effective tool in your cybersecurity toolbox, but to get the most out of it, you need to plug the visibility holes in your network. You must be able to identify and address risks such as shadow devices that are connected to the network without authorization, devices that are intermittently connected and therefore not always visible through conventional management tools, and IoT devices that can’t be secured using traditional authentication protocols.

Ordr Systems Control Engine (SCE) provides the visibility you need to achieve these goals. Ordr SCE complements NAC by continuously identifying unmanaged, non-user and IoT devices. It fully maps every microscopic device detail and its context at massive scale, using machine learning to inspect and baseline the behavior of every device on your network on a continuous basis. Ordr also detects exposed vulnerabilities and delivers intricate risk scores for priority attention and mitigation.

These features empower organizations to address the security risks that their NAC solutions don’t detect or can’t manage. In a world where BYOD practices and IoT networks are on the rise, Ordr SCE helps to plug critical gaps in your security strategy.

Last year, we shared a number of cybersecurity predictions, most of which either played out as described or are trending that way, with results that remain to be seen. In one instance Ordr CEO Greg Murphy predicted that, “Someone in the U.S. will die as the result of a ransomware attack, resulting in increased push for cybersecurity regulations in healthcare and increased cybersecurity budgets.” Tragically, according to a lawsuit filed in September of last year, that prediction came true.

This year, we asked a number of Ordr cybersecurity experts what they saw unfolding for the next eleven months and are sharing nine of the more interesting responses.

1. Ransomware attacks will continue to increase (Pandian Gnanaprakasam)

The impacts of double extortion and crimeware-as-a-service will continue to plague businesses worldwide. The number of victims will triple, increasing from 20% to 50%, while the number of companies that pay a ransom to recover their data will increase from 10% to 30%.

Cybercriminals will drive these increases through more aggressive tactics, including data destruction, sensitive data leaks, DDoS campaigns, targeting and breaching high-profile organizations (including wealthy families), and disrupting business operations to force enterprises to pay. We will also see a concerning increase in the use of killware in attacks that once were used to sow only ransomware.

2. Organizations will adopt a more holistic security strategy to address a shift from traditional endpoints as IoT, IoMT, and OT devices converge in the enterprise network. (Bryan Gillson)

Recent attacks (i.e., Colonial Pipeline) show us that we are not thinking about cyber resilience and as a result, in the case of thousands of industrial and healthcare breaches, we see loss of services (patients diverted, pipelines shut down). This happened even though the IoT/OT infrastructure was not attacked nor compromised.

This will prompt organizations to recognize that what is needed is to embrace a whole-of-enterprise approach to security that encompasses cloud-to-ground visibility, and analysis and control of all connected assets (from traditional IT to vulnerable IoT, IoMT or OT) in order to enable true cyber resilience.

3. Third party/Supply chain attacks will continue to increase (Brad LaPorte)

2022 will be the Year of the Supply Chain Attack. Already up 430% since 2019, the growth of these types of attacks will increase exponentially and become the #1 global attack vector. As more enterprises adopt more mature cybersecurity practices, criminals will go upstream to weaker targets that can maximize their blast radius and give them an impactful one-to-many attack ratio. Historically, attacks have been spray-and-pray; now, they will become more surgical as supply chain attacks become weapons of mass disruption.

4. Attackers will begin using AI to infect multiple organizations at a massive scale (Srinivas Loke)

It has taken a few decades, but adoption of automation solutions such as AI, ML, and DL has gone mainstream and worldwide. This is great news for cyber defenders, as Gartner finds “33% of technology providers plan to invest $1 Million or more in AI within two years.” The cybersecurity industry is leading the way on this trend, but easy access to open-source AI tools is both a blessing and curse. Cybercriminals have access to the same resources, and the resulting threat is multiplied by strong ideological and financial incentives to use them. This will accelerate the ability of threat actors to conduct targeted, automated attacks at a massive scale. The war of the machines is on the horizon.

5. Attackers are going straight to recruiting insiders for advanced attacks (Danelle Au)

Organizations have focused (rightly so) on shoring up their identity and access management capabilities, and deploying multi-factor authentication within their networks. These solutions have made it harder for attackers to bypass defenses—and so attackers are going directly to insiders. With the promise of a cut of the haul in exchange for access, ransomware gangs are bypassing traditional methods and are instead working to recruit insiders to use their privileged access to install malware directly. The tactics being used by these attackers are similar to HUMINT espionage and recruitment programs. Unfortunately, this means that every security leader now needs to consider insider-originated malware as part of their ransomware protection strategy.

6. Laws or sanctions won’t make a big dent in stopping ransomware and cyberattacks (Greg Murphy)

Over the last several years, the urgency in dealing with ransomware and other advanced attacks at the legislative level has grown, as illustrated with bills like Warren-Ross, a 30-country meeting led by the Biden administration to address the threat of ransomware, and efforts by the FBI to crack down on ransomware gangs. However, political and legislative efforts won’t make a difference as long as cybercrime makes sense economically, and as long as Russia has no incentive to bring threat actors to justice. One possible—though controversial—way to reduce these advanced attacks is to eliminate the anonymity associated with cryptocurrency payments. Without an easy way to pay ransom, these attacks will decrease. Additionally, more scrutiny is needed on cyber insurance, as this practice facilitates easy payments for threat actors, and has the adverse effect of fueling more cyberattacks.

7. Security teams should expect significant Zero Day vulnerabilities (Pandian Gnanaprakasam)

Software development has roared forward for decades without enough thought given to security implications, and we’re suffering the consequences. That was evident to security teams in 2021 with the emergence of vulnerabilities like PrintNightmare in Q2/3, and Log4j in Q4. Similar revelations will continue throughout 2022 and beyond with the evolution and use of malicious, automated scanners leveraging tools like Cobalt Strike to find and exploit new vulnerabilities. In response, software developers should emphasize security best practices, especially when working with open-source software. Manufacturers should also disclose their software bill of materials (SBOM)–nested inventory for software, a list of ingredients that make up software components–to better inform customers and users of the possible security implications of using their products.

8. Telehealth and telemedicine are here to stay. And healthcare organizations need to keep those systems secure. (Darrell Kesti)

The COVID-19 pandemic brought telehealth and telemedicine into the mainstream, and they are not going away even after the threat of the virus abates. For most healthcare organizations, the popularity of telehealth visits versus physical visits will be dependent on insurance providers, and whether they will pay the same amount for virtual versus physical visits. In the UK, telehealth visits are gaining in popularity because of the reduced number of physicians and the long wait time when it comes to scheduling visits. From a cybersecurity perspective, a lot of telehealth/telemedicine environments connect directly from the patient to the specific telehealth vendor, and therefore there is a lack of security visibility into these visits. That needs to change for the sake of patient and organizational safety.

In the U.S., Mayo Clinic began offering hospital-at-home care for patients with non-life-threatening conditionsduring the pandemic, and saw success from the strategy; not just for patients but also for freeing up space in the hospital. With Omicron and future variants being inevitable, expect that these will also be included in telehealth and telemedicine at-home care, with corresponding medical devices that also need to be secured.

9. Cloud infrastructure will be one of the leading attack vectors in 2022. (Brad LaPorte)

Everything is moving to the cloud—including cybercriminals. According to Gartner, by 2023, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, up from 40% in 2020. Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users. In addition, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. And 63% of third-party code templates used in building cloud infrastructure contained insecure configurations. Threat actors know this, and they are working hard to take advantage. To say that cloud security needs to be a top priority is the understatement of the year.

Those are our thoughts on what’s in store for the cybersecurity landscape in 2022. We’d love to hear yours.

Overview

Enterprises are a complex mix of devices, applications, and data, and the speed at which they are changing is growing exponentially. Look just about anywhere in the modern technology estate and you’re bound to find connected devices that either didn’t exist or weren’t designed to connect to the network even five years ago. Modernization and digital transformation are major factors that have driven the demand to connect more things to networks in an effort to collect and exchange data and enable new services. And as innovation continues apace, we can expect to see further escalation in the numbers and kinds of devices that connect to the network.

With all the benefits of connected devices comes a slew of new challenges when it comes to managing and securing them, especially when you consider that many operate undetected by IT operations. Ordr’s own analysis of environments in which our technology has been deployed shows that as many as 15% of devices discovered were previously unknown by the enterprise. That is a significant visibility gap that equates to a significant risk gap. As we hear over and over again from CISOs, “I can’t protect what I can’t see, but I’m still responsible for it.”

One Big Challenge

What can IT and security leaders do to meet the challenges and keep their enterprises safe from cyberthreats? Automation is key to keeping pace with the speed of growth and change because automation helps organizations scale and keep up with demands. The key is not just in maintaining scale, however, but in collecting and analyzing quality data in real time. This is especially true when it comes to security. Without complete and accurate data, automation is arguably useless. Rather than paving the way to precise and timely action, bad data creates speed bumps and even roadblocks that require manual verification and thus impede rapid decision making.

One big challenge to ingesting accurate, timely data is in discovering and keeping track of everything that’s connected to the network. In a self-serve IT paradigm, many devices connect outside the view of IT management. Many devices are not capable of being monitored and managed with traditional methods such as active scanning and agents. Sometimes devices can get lost when changes or updates render their agents obsolete or ineffective. And as organizations grow, these issues compound.

Legacy monitoring and tools are not designed to meet today’s challenges because you can’t take advantage of automation if you can’t trust your data. Therefore, it is essential to acquire the means to see, know, and secure every connected device, collect the data associated with each device’s operations, and use that data to generate the security and operational intelligence needed to maintain fast, safe, and efficient operations.

How Ordr Helps

IT and security leaders require a purpose built tool to ensure they have the complete and accurate operational data they need to fill in the blanks left by legacy tools that depend on agents or active scanning. This all starts with the ability to discover the millions of unmanageable network-connected devices in operation in today’s industrial, medical, retail, financial, and other environments. That’s where Ordr comes into play. The Ordr Connected Device Security Platform is engineered to automatically discover, identify, classify, monitor, identify vulnerabilities and assess the risk of every device connected to the network. Here’s how.

Connected device discovery starts by analyzing network traffic. If it connects to the network Ordr will find it, and once we do, we keep it in view. But it’s not enough to simply know a device is there. You need to know what it is going beyond merely collecting its MAC and IP address and instead gain detailed information about the device, the role it plays, and how it is expected to operate under normal conditions to deliver services. Ordr maintains an extensive library of millions of different device types–the Ordr Data Lake–with detailed information on each. That information includes deep insights into known vulnerabilities, FDA recalls, and other data critical to understanding the device’s risk profile and to recognizing when conditions change that put the device and the enterprise in danger of exploitation.

The value of the information Ordr has in the Ordr Data Lake, and that we collect from devices in real-time, is maximized by our extensive list of technology integrations that enable bi-directional data feeds to support other critical security and operational functions. That includes our tight integration with ServiceNow’s Service Graph Connector, configuration management database (CMDB), IT service management (ITSM), and our latest integration with Vulnerability Response. The real-time operational data we collect is used to populate the ServiceNow CMDB and enable workflows in ITSM and Vulnerability Response platforms to ensure the most accurate IT operations automations possible. And from a cybersecurity perspective, maintaining a closed loop of data flow with ServiceNow Vulnerability Response ensures an organization’s security team maintains visibility and status of the attack surface, including any vulnerabilities associated with devices operating in the network.

Closing Visibility Gaps

The bidirectional Vulnerability Response Integration with Ordr, certified by ServiceNow Engineering and available in the ServiceNow Store, closes visibility gaps and provides vulnerability insights for all connected devices including those not supported by endpoint agents or active scanning. Using passive methods, Ordr collects operating system and software details, and vulnerability details including severity for all devices. This information is sent to ServiceNow Vulnerability Response so teams can leverage accurate data to optimize and accelerate vulnerability management tasks and reduce risk.

Combined with Ordr collected device context and vulnerability data from multiple industry and threat intelligence sources, the Ordr-ServiceNow integration delivers a complete, rich, and single view of device vulnerabilities and risk, while providing the data needed to automate dynamic policy creation and efficient enforcement of mitigations as well as rapid incident response actions. Here’s how it works:

• Ordr automatically identifies and gathers granular details including vulnerabilities for every managed and unmanaged device connected to the network.
• Ordr uses passive methods and does not impact device services to identify every device and collect granular details including vulnerability information for every connected device.
• Ordr Software Inventory Collector, gathers details of applications and application patch levels for all devices including unmanaged devices.
• ServiceNow Vulnerability response pulls vulnerability information from Ordr for all managed and unmanaged devices.
• Vulnerability status is maintained across both platforms leveraging bidirectional integration.

This complements other Ordr integrations with ServiceNow to provide ServiceNow customers with comprehensive and accurate details of all managed and unmanaged devices in their environment to enable organizations to take full advantage of ServiceNow automation and orchestration capabilities.

• ServiceNow Service Graph Connector – to enable the exchange of granular and accurate device data at scale between the Ordr and ServiceNow platforms.
• ServiceNow CMDB – for a centralized, comprehensive, accurate, and up-to-date asset inventory.
• ServiceNow ITSM – to enrich and accelerate IT workflows with accurate and up-to-date asset details.

ServiceNow VR + Ordr Means Less Risk

Because the Ordr integration with ServiceNow Vulnerability Response enables organizations to fill in visibility gaps with comprehensive device vulnerability details and combine device data from multiple sources, enterprises are safer from threat actors actively working to exploit weaknesses in enterprise security. And because we use passive methods, device performance is not affected, meaning even an organization’s most sensitive and critical devices are protected with no impact to services or patient safety.

To learn more about Ordr’s integration with ServiceNow Vulnerability Response, Service Graph Connector, CMDB, and ITSM solutions, check out ServiceNow on our partners page.

IoT devices present great opportunities to improve business efficiency and productivity. But they also present novel challenges, such as securing the sensitive data they transmit, preventing device sabotage, targeting by threat actors, and ensuring that IoT devices don’t become part of botnets that commit malicious acts.

An organization with IoT devices on its network must make IoT security a priority. Many organizations aren’t even aware of all the devices connected to their networks. “Shadow IoT” refers to unmanaged and unseen devices—such as employees’ cell phones or smart watches, or devices set up for testing and then forgotten—connected to the network that can present a huge security risk. As many as 20% of all connected devices may be shadow IoT. This article explains what IoT security means, the main IoT security challenges businesses face today, and how to protect IoT devices against security threats.

What is IoT?

The Internet of Things, or IoT, refers to the billions of non-traditional computing devices that use the Internet to exchange data. These devices range from soil condition monitors, to Internet-connected refrigerators, to “smart” traffic lights. What they share in common is that they can monitor and/or control critical systems and have access to sensitive data.

What is IoT security?

IoT security is the proper asset inventory, visibility, and control of devices that are internet-connected to a system of computing devices, mechanical and digital machines, or objects that allow for the exchange or collection of data.

In some ways, IoT security mirrors the strategies associated with traditional network security, but the sensitivity of the data that IoT devices collect, and the systems they manage, means that the stakes of IoT security are greater. An IoT device that can shut down a power plant or collect video of a family inside its home demands greater security controls than a traditional PC or laptop.

https://youtu.be/Ip-E3mkP0dc?feature=shared

How are IoT devices managed?

IoT security is especially challenging because IoT infrastructure consists of multiple layers, each of which must be secured. IT security teams must ensure that the software that runs on IoT devices themselves is free of vulnerabilities and is updated properly. They also must protect against vulnerabilities in the APIs that IoT devices use to communicate with each other in order. IoT networks, too, must be monitored for intrusions. Finally, the data that IoT devices collect must be stored securely, whether it is retained on the IoT devices itself, or offloaded to a data center.

It’s possible to centralize some of these security processes. For example, a security operations center (SOC) can manage IoT device identification and software updates. Other aspects of IoT security, however, such as testing APIs for vulnerabilities and ensuring that data is encrypted both at rest and in motion, require additional tools.

IoT management roles

The different responsibilities related to IoT device management generally map to different types of teams.

• IT is responsible for device deployment and general management.
• The security team focuses on managing vulnerabilities and designing IoT architectures to be resilient against attacks.
• Device end-users, too, play a role in keeping devices updated, changing default access credentials and so on.

While this division of responsibilities for IoT device management is unavoidable in most situations, it adds to the complexity of IoT security, because it requires coordination between multiple stakeholders to ensure that best practices are followed and enforced.

IoT security challenges

IoT devices are subject to inherent security challenges and vulnerabilities that, as noted above, don’t always exist on conventional hardware.

“Shadow” IoT devices

One major IoT security challenge is the risk of “shadow” devices, or devices that are connected to an IoT network but are not authorized by or known to the network owner. Shadow devices could be added to the network by users who simply don’t know any better, such as an employee who brings an IoT temperature monitor into the office. Or, they could be deployed by malicious parties, such as attackers seeking to carry out industrial espionage via unsecured conference room phones or smart televisions.

A recent whitepaper, Rise of the Machines: 2020 Enterprise of Things Adoption and Risks Report, notes that a significant percentage (10%-15%) of devices in Ordr deployments are unknown or unauthorized. The most memorable instance of this was a Tesla connected to a hospital network; after some investigation, the security teams found that the Tesla belonged to a doctor who connected to the network from his car in the parking garage.

Shadow IoT devices also are prone to infection by malware because, often, they are not properly secured. This is, in part, how botnets like Mirai and Dark_nexus have spread.

Lack of reliable software updates

Often, IoT devices are not properly updated to protect against new security vulnerabilities. First, IoT devices typically are small and deployed in remote locations. An organization may have thousands of IoT devices to manage, so it can be easy for organizations to deploy IoT devices and forget about them. Also, many IoT devices depend on users themselves to update the software, and many users don’t bother to do it, or don’t know they are supposed to do it.

API vulnerabilities

Because exchanging data over the network via application programming interface (API) is part and parcel of what IoT devices do, vulnerabilities within the APIs are a major IoT security risk. If attackers find a flaw in an API, they can use it to intercept data via Man-in-the-Middle (MITM) attacks, or take control of devices in order to launch Distributed-Denial-of-Service (DDoS) attacks.

And because there is no universal IoT API—on the contrary, there are dozens of IoT APIs from different providers, and you can also write your own—there is no single set of API vulnerabilities to track. Security teams should be aware of all potential risks in all APIs that they use.

Default passwords

Many IoT devices ship with default passwords that give users access to the software environments inside the devices. If users don’t change these passwords—which many fail to do—attackers with lists of default IoT passwords can use them to gain unauthorized access to a device and its network.

Implementation of standards

Just as there is no single IoT API, there are no unified standards to govern the design of IoT devices, the types of software they run, or how they exchange data. Instead, there is a litany of competing approaches that evolve constantly along with IoT hardware and software.

From a security perspective, this makes it more difficult to secure IoT devices because there are so many variables at play. There is no single security strategy that can protect against all threats on all IoT devices or networks.

What industries are vulnerable to IoT security threats?

The IoT security threats described above apply to any company or individual who uses an IoT device. However, the risks are particularly great in certain industries due to the potential fallout from a breach, or the sensitivity of the data that IoT devices collect:

• Healthcare: Internet of Medical Things (IoMT) devices collect personal health data and, in some cases, may even be implanted into human bodies. The harm caused by a security breach in this context could be enormous.
• Hospitality: While 76 percent of hospitality companies have IoT initiatives, security risks posed by IoT are a top concern for them, due to the damage to their brands’ reputation that could result from an attack.
• Government: When governments rely on IoT devices to collect data or control physical infrastructure—such as dams or highways—attackers may breach their IoT networks in order to access privileged information or disable critical systems.
• Manufacturing: A breach in a manufacturer’s IoT network could disrupt operations, leading to downtime and significant financial loss.
• Retail: IoT devices can help retailers protect against theft, manage inventory and more. But unsecured IoT devices may also allow attackers to steal customers’ information or disrupt critical business systems.
• Transportation: Transportation networks that rely on IoT devices can be easily crippled by a breach of those devices. If buses require IoT devices to operate, or a plane relies on the IoT to navigate, security problems with those devices may lead to critical damage.

How to protect IoT systems and devices

Many stakeholders play a role in guaranteeing IoT security. Device manufacturers must design device hardware to be resistant against attack. Software developers must write secure code to run on the devices. Engineers who deploy and manage IoT devices must take steps to mitigate security risks. End-users who access data or systems via the IoT must keep the devices secure and avoid giving access to unauthorized users.

While the roles of each of these groups in IoT security vary, they can all use a common set of guidelines to help assess and address potential IoT security issues.

Discovery

All stakeholders should strive to discover unauthorized devices that appear on an IoT network. These include ephemeral assets that may go offline at any time and then reappear in a new physical and network location. It is vital to have accurate information in order to understand and classify these devices.

Understand behavior

Once a security team discovers all devices on an IoT network, it needs to know the intended role of each device in order to interpret and predict the device’s behavior patterns: which kinds of data it will generate, when it will come online and go offline and so on. Look for anomalies within these patterns to identify potential breaches.

Risk assessment

Not all IoT devices pose the same level of risk. A medical device that controls a patient’s heart is higher-risk than an IoT device that controls a lamp. To assess risk accurately, stakeholders must develop risk profiles for each device on their networks. Then, they can prioritize security incidents appropriately, and know which devices to update first when a security vulnerability is announced for a device they manage.

Generate policies

Following the identification and classification of all devices on the network, IT and security teams can establish segmentation policies to protect high-risk, vulnerable, or mission-critical devices from the rest of the network. Segmentation policies also can control how each device communicates, manage access to other resources on the network, and ensure that every new device is evaluated and secured in real time.

IoT security: final thoughts

In order to capitalize on the benefits of IoT devices, organizations must acknowledge and address the security risks posed by IoT hardware and software, and take steps to protect their devices, their networks, and their data.

These steps include: proper discovery and classification of all IoT devices on a network; continuously tracking device behavior; performing risk assessment; and segmenting vulnerable and mission-critical devices from others.

The Ordr asset inventory management platform gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. One of the differentiated actions with Ordr is that security and IT teams can proactively create microsegmentation policies to only allow sanctioned communications for every class of device

Incredibly complex problems cannot be solved without first establishing a baseline of understanding the elements of the problem in very fine grain detail. In the medical community, for example, development of targeted therapy for many serious diseases was comparatively ineffective before the mapping and sequencing of more than 3 billion nucleotides in the human genome. The Human Genome Project, a 15-year collaborative effort to establish this map of human DNA, has enabled the advancement of molecular medicine at a scale that was once impossible. Similarly, IT, Security and Business leaders cannot address the myriad challenges of the hyper-connected enterprise without fully mapping the device flow genome of each network-connected device and system. There are millions of connected devices, from simple IoT devices to multi-million-dollar functional systems, in a Global 2000 corporation, major healthcare system, retail chain or large industrial enterprise. The global volume of non-traditional network-connected devices – IoT devices – is doubling every few years and will exceed 20 Billion by 2020, according to experts.

This challenge is enormous, because it requires complete understanding of both the fixed characteristics of each device, as well as the constantly changing context in which it operates. To do this at scale, you must be able to apply sophisticated machine learning to accurately classify each device and baseline its dynamic behavior along with the context of your network. If you can do that, you can immediately identify potential ‘mutations’ in the genome – devices that are not behaving the way they should – and mount an appropriate response to ensure business continuity and prevent catastrophic downstream consequences. At the time, you can leverage artificial intelligence to define and implement actionable policies that prevent future recurrences. That’s the only reliable way to protect critical assets and deliver true closed-loop security in the hyper-connected enterprise. And that’s exactly what we set out to do when we founded Ordr a few years ago.

There are solutions on the market today that seek to “fingerprint” devices, discovering their IP address, using MAC address lookup to identify the device manufacturer, and applying other rudimentary techniques to build a generic profile of the device. Fingerprinting allows you to answer some important but very basic questions: How many devices are connected to my network and to which ports and VLANs are they connected? How many of these devices are from Manufacturer X? Gathering more specific information has typically required agents installed on each endpoint. That is simply not possible in the hyper-connected enterprise, as the scale and heterogeneity of these devices quickly breaks traditional IT and security models.

Instead, by fully mapping the device flow genome automatically, without any modifications to the device or the existing enterprise infrastructure, within hours, Ordr identifies and enables you to act on critical information:

• 5 of your critical manufacturing systems are running software other than your standard configuration, with known vulnerabilities;
• 2 devices have been infected with Wannacry ransomware and are actively attempting to connect to peers;
• 3 of your X-ray machines are being used at 90% capacity while 2 are only operating at 40%;
• 6 of your heart-rate monitors are models are subject to an FDA recall;
• Your elevator control system is attempting to contact your internal HR application;
• 80% of your security cameras are still using the manufacturer’s default password;
• All digital signage on your network communicate with the manufacturer for updates and patches, but one of them is also communicating with a suspicious server in Kiev and appears to be exfiltrating PCI data.

Mapping the device flow genome allows Ordr to provide these types of actionable insight across millions of devices within the hyper-connected enterprise. This requires comprehensive real-time collection, correlation and analysis of vast amounts of information about each device:

• Device Make, Model and Modality – Classification and grouping of similar device types at a hierarchical level to facilitate efficient administration and regulation of those devices requires, specific information on the manufacturer, device type, model, modality and even the serial number.
• OS and Software Versions – Device operating system, including current OS patches, all software components installed (software bill of materials), anti-virus software etc.
• Known Vulnerabilities – Detection of potential port exploitation, results of vulnerability scans, and correlation of all known vulnerabilities from the device manufacturer and third-party sources (national vulnerability database, FDA recalls, etc.).
• Network Parameters – Complete information on network connectivity, switch port, wireless access point, VLAN/subnet (and comparison of each device’s VLAN/subnet membership relative to similar ‘peer’ devices).
• Device-Level Session and Flow Data – Data on connection attempts, number of sessions, data rate, location, ‘last seen’ time and location, usage patterns, etc.
• Flow-level Conversation Patterns – Ability to assess conversation at the flow-level communication to baseline normal behaviors compared to its peer group and to its own and detect anomalies.
• Internal Communications – Accurate detection of devices propagating malware, using well-known signatures like the one that looks for reconnaissance
• External Communications – Real-time comparison of external communication patterns to the permitted external/internet sites for each device profile (for software updates, etc.) is needed to defend against external attacks and identify communication with hostile sites with poor reputation scores like phishing sites
• Applications and Users – Full understanding of applications running on each device, as well as the users on the device
• Servers – Data on all the servers to which each device connects

The purpose-built Ordr Systems Control Engine is the only software product with the capability to perform this real-time mapping at massive scale. The unique Ordr SCE architecture is specially designed to collect and analyze device and system data – at line speed – from multiple sources within the enterprise, including:

• Full packet capture data from backbone core routers that include all the file transfers, http sessions, peer-to-peer traffic, client-server traffic, and application-level interactions.
• Network infrastructure data from switches, routers, WLAN controllers, NAC solutions etc.,
• Device probes like SNMP for inherent device information from various MIB repositories
• Protocol decodes of proprietary protocols like DICOM, Modbus and Patient Monitoring systems
• Parsing results from well-known data plane signatures from security vendors
• User and location information that includes Active Directory users with roles and privileges, and location feeds, etc.
• Ingest network device Information like Netflow
• On-demand vulnerability scans for onboarding as well as information collected from other periodic vulnerability scan reports information like provide open ports
• Network layer control plane protocols like DHCP
• Utilization and performance data like frequency and duration of operation and connection attempts.

Accurate mapping also requires integrating information from IT Service Management, Enterprise Asset Management, location information, and threat information from national level exchanges.

Ordr SCE takes all of this information and applies sophisticated machine learning with ANN (Artificial Neural Network) training models to classify and profile everything on your network. That gives us a full understanding of each device – what it is, how it’s configured, and what behaviors it is supposed to exhibit – with unprecedented granularity. Once that is done, it becomes possible to detect anomalies and come up with actionable policies, using AI techniques, to regulate and protect your devices and critical data assets, in real-time and at scale.

This level of intelligence with depth that you’ll never be able to get from simple device fingerprinting. Customers using SCE’s device flow genome have been able to:

• Correctly identify a SIEMENS AXIOM-Artis X-Ray Angiography medical device rather than label it as Tyran Computer Corp system due to the OUI from the embedded network interface card
• Reveal devices connected behind gateway systems from vendors like Capsule Datacaptor.
• Rationalize inventory with other systems that do not have knowledge of MAC or IP addresses, and instead use serial numbers
• Find an uncontrolled user device from the IT side talking to a factory OT control system
• Spot non-standard software in a camera that was reaching back to get updates from a site in a questionable geography
• Accurately finding WannaCry infestations and enumerate every compromised device and the source of the problem

Mapping the device flow genome is incredibly complex, but it’s exactly that complexity that makes it so useful, and we’ve taken great care to present this detail to you in its simplest, most usable form. We make the incredibly complex incredibly simple.

The only effective way to address massively complex problems is to have an intricately detailed understanding of the elements of the problem. That’s the only way to develop treatments that improve human health and longevity. And that’s the only way to take control of the hyper-connected enterprise.

In 2019, Verizon reported that ransomware already accounted for over 70% of successful cyber attacks on healthcare organizations. Since 2020, there’s been a 45% increase in attacks against healthcare providers. Beyond the financial impact to hospitals, the resulting device and system outages have had devastating consequences for patients — diverting ambulances to faraway hospitals, relocating at-risk patients, and rescheduling essential surgeries.

This guide explains how hospitals can protect themselves and their patients from the impact of cyber attacks, with staff education, thoughtful planning, threat detection, and incident response capabilities. Read on to learn more about the ransomware threats hospitals face and what can be done to prevent and overcome them.

How ransomware attacks have impacted hospitals

The frequency and sophistication of ransomware attacks have dramatically increased over the past several years. Originally, attackers used what’s known as a “spray and pray” method: they would send mass email campaigns and hope that at least a few recipients would mistakenly open and download malware.

But in recent years, the strategy behind launching ransomware has evolved into a more targeted and stealthy operation. Today, cyberattackers prey on users’ psychology, posing as legitimate contacts at reputable organizations asking urgently for financial information, passwords, or other confidential data.

Hospitals are a prime target for ransomware attacks. Attackers know that hospitals collect and store sensitive information such as protected health information (PHI) and will do anything to minimize disruption in service and impact on patient safety. The COVID-19 pandemic exacerbated this problem. COVID pushed hospitals over capacity with record-setting admissions. With more to care for, employees were more likely to fall for ransomware traps.

On top of that, budget cuts have limited the amount of cybersecurity professionals on staff. This not only impacted the effectiveness of any cybersecurity programs in place, it also resulted in many organizations that were slower to identify and respond to developing threats. 

Because of the imminent threat to patient safety, many organizations felt obligated to pay ransoms immediately. But this led to dangerous consequences. When hospitals paid a ransom, attackers would just ask for even more money, putting even more stress on healthcare systems. While insurance limited the impacts of high ransoms on hospitals, payouts often weren’t as high as organizations expected.

Allocating hospitals’ limited budget toward cybersecurity best practices and taking as many precautions as possible can help hospitals keep their patients, data, and organizations protected.

Stopping and preventing ransomware attacks

Thankfully, there are several proactive steps hospitals can take to prevent ransomware attacks and reduce impact to patients and the organization when attacks do happen. These steps include:

• Staff awareness: It’s critical to train hospital workers to recognize the telltale signs of phishing and other malicious emails. Typically, these emails contain an urgent request for confidential information or threaten to shut down a user’s account unless they share their password. Using real-life phishing examples in security awareness programs can bring the gravity of attacks to life and help employees identify and report them sooner.
• Collaboration with vendors: Hospitals can improve their cyber defenses by participating in public-private partnerships and other collaborative cybersecurity efforts. For example, the US federal government is willing and able to assist hospitals’ recovery after a cyber attack. Their rapid-response Cyber Action Team helps hospital staff assess and contain attacks, and  advises them on steps to recovery. The FBI updates its investigative techniques and analytic tools with every ransomware recovery, making them poised to help when attacks occur. But the Health and Human Services-sponsored Health Care Industry Cyber Security Task Force has urged hospitals to take even earlier action, and work with private vendors to bolster their cybersecurity.
• IoT and IoMT security: IoT and IoMT devices store and transmit some of hospitals most sensitive data in healthcare environments, and unfortunately, many healthcare organizations aren’t aware of all the devices connected to their networks. Connected medical devices such as infusion pumps, patient monitors, and MRI machines can be vulnerable and also impacted by the security of other connected devices such as security cameras, smart speakers, and even connected vending machines that might share the same network.. And the IoT and IoMT devices organizations are aware  of may still have risk such as default passwords, unpatched software, or unnecessary administrative access, which makes them especially prone to compromise. Maintaining an accurate, up-to-date asset inventory and implementing strict policies to control IoT and IoMT devices can curb the chances of ransomware attacks.
• Network segmentation: Applying network segmentation is a proactive way to reduce the attack surface and “blast radius” or the ability of an attack to spread. If ransomware is found on one part of a hospital’s network, it’s likely that it has infiltrated other parts of the network, causing a cascade of problems for the organization such as impacting services and the safety of patients. Network segmentation can help hospitals avoid this situation by separating networks into “sub-networks” or segments to restrict the movement of an attacker or spread of an attack.  Segmentation can also be used to respond to an attack by quarantining or isolating compromised devices as soon as they are detected to prevent further spread.

Platforms like Ordr are specifically designed to protect organizations such as hospitals from the impact of  ransomware attacks, by identifying IoT, IoMT, OT, and IT devices that may be vulnerable to an attack, detecting anomalous behavior that may be an indicator of an attack, and automating the creation of policy to respond to an incident or proactively improve security with segmentation.

What should hospitals do if they’re attacked?

Ransomware attacks are evolving at an alarming rate, and the unfortunate reality is that hospitals continue to be a primary target. Dedicating time and effort to preparation is key to a swift and effective response. Some ways to prepare include:

• Define a ransomware response plan: Having a well-documented plan can help hospitals contain and mitigate the effects of an attack. While security and IT teams may spearhead this effort, other departments should be involved in the planning process. Response plans should include sections related to legal, PR/communications, operations, finance, and human resources and everyone involved should know what to do when an incident occurs. That means hospitals must make time to practice their cybersecurity plan, just as they would for any other catastrophic event.
• Work with local authorities: Attackers don’t always behave as expected — even when hospitals do pay a ransom. For that reason, the federal government recommends that hospitals do not give in to ransoms. Instead, the recommendation is for hospitals to familiarize themselves with their local FBI and DHS offices and prepare to reach out to those agencies during cyber attacks. Some hospitals may hesitate to contact these groups for fear of hefty compliance fines for compromising patient data, but safe harbor laws protect hospitals in the event of an attack.
• Consider a cybersecurity vendor: The department of Health and Human Services (HHS) encourages hospitals to consider working with vendors who can further bolster their cybersecurity. Cybersecurity platforms can provide identification of vulnerabilities, detection of attacks, response capabilities, and may include employee training and awareness capabilities to strengthen hospitals’ first line of defense.

Hospitals should be able to instantly detect and address any suspicious behavior on any device connected to their network. They should also take measures to identify devices that may need updates to configurations, patches to address vulnerabilities, or upgrades for outdated operating systems and software to plug up existing security gaps before they are exploited. The platform they use should also be able to aid in the response to an attack by automating policy and integrating with security and network products for enforcement.

Of course, not all vendors are created equal. Some are optimized for healthcare environments , monitoring all IoT, IoMT, and OT devices across the whole environment, laying the foundation for a comprehensive, real-time threat response strategy. Unlike other cybersecurity platforms, Ordr takes a “whole hospital” approach with capabilities that span across IoT, IoMT, OT, and IT devices. 

Monitor and minimize your attack surface

The frequency of cyberattacks on hospitals and health systems more than doubled in the last five years, exposing the health information of nearly 42 million patients. And unfortunately, ransomware attacks will likely continue to target healthcare organizations into the future. 

The good news is that hospitals can avoid detrimental consequences with the right plan, tools, and prevention measures. Proper staff education, vendor collaboration, segmentation, and sound cybersecurity plans contribute to a healthy security posture. But these methods can only offer so much protection. Hospitals need to gain visibility into their security gaps, clinical risks, and anomalous behavior — cybersecurity practices that can’t be achieved manually.

Ordr is an AI-powered platform built to keep hospitals and their patients safe by providing visibility and security of  every connected device across the whole hospital. Ordr also integrates with a hospital’s existing security, network, and IT infrastructure enabling hospitals to maintain a comprehensive view of risk and focus efforts to respond and reduce threats. And because connected devices in hospitals are critical to the safety of patients, Ordr’s agentless, passive solution will provide insights and protection without impacting services.