It’s a fact: most medical devices have patchable vulnerabilities, and they’re sitting ducks. The WannaCry and NotPetya attacks proved it by exploiting ancient vulnerabilities, and hospitals were shut down. There are three possible reasons these devices were so vulnerable – which do you think is true?
A). The devices could not be patched
B). They didn’t have people to do the patching
C). They didn’t know they needed to do something
D). A, B, and C
If you’re in a similar situation to the ransomware-afflicted HDOs, we can help. Let us do an audit. For free. We’ll use our AI-powered IoT Security platform to find every on-net device, assess it without touching it, and give you a NIST CVSS score for one hospital or clinic.
We’ll give you the details to fix or segment the at-risk devices. You can also use this score with your HDO leadership team to give them a clear picture of your risk posture. On top of that, you’ll get a detailed inventory complete with pictures, so you’ll know exactly what ‘things’ you have in your operation. And if you have critical devices that fit into the ‘critically-needed/critically-risky/can’t-be-patched’ category, we’ll show you how to use microsegmentation to keep them working and protected.
Allow us to install our solution passively in your environment at no charge, and over the course of 2 weeks we will validate the security of your medical devices and:
- Inventory all your medical and non-medical assets down to the manufacturer, model, serial number and software version
- Risk score every device based on manufacturer, ICS-CERT, and the FDA database, as well as point out any observed threats or vulnerabilities specific to your environment
CloudPost has already validated over a score of healthcare organizations, large and small, and everyone has been excited about the result. Here are commonly asked questions:
How is this different than a vulnerability scan?
Unlike Rapid7, Qualys, Tenable, and other vulnerability scanning systems, CloudPost uses passive monitoring of communications and protocol decoding to learn information about every device in your environment. This provides much richer information about each medical and IoT device, such as model number, serial number, software version, and even which network and which switch port or wireless SSID it is using.
Are you performing a full risk assessment?
The validation provides you with a complete inventory list of your devices and a risk report that details the published and observed cyber vulnerabilities and active threats. CloudPost has several partners, such as Meditology, who use the software to automate their risk assessment services, which also include gap analysis, remediation recommendations, and aid in making systemic improvements to your risk management program.
What is unique about what you do?
CloudPost is the only vendor who can identify every device down to the serial and software version, identify high-risk devices with a full suite of security intelligence, and then provide an easy way to keep at-risk devices in operation but protect them from cyber-attack, even from systems in their same medical network.
Will this impact my environment?
No. There are no agents to deploy and no changes to the network environment. All CloudPost requires is a SPAN or TAP port of the core switch in your hospital, so the sensor can be passively deployed and watch the communication flow. The entire solution runs in your environment, so there is no risk of ePHI leaving your environment.
How much effort does it take on my side?
Minimal. There is a 30-minute prep meeting. Installation usually takes under an hour with the network team setting up the SPAN or TAP port in the network. There are weekly 30-minute review meetings to review findings with the team. At the end of the engagement, there is an hour-long read-out to the executive sponsor.
What needs to be done to prepare?
Just get organizational commitment to perform the validation. CloudPost will provide a short punch list of information we need to prepare.
Why do you do this for free?
CloudPost is committed to helping healthcare organizations protect themselves against cyber-attack. We believe seeing is believing, and once you experience how our software can protect your medical and their devices, you will want to partner with us on a long-term basis.