
Take Control: Vulnerability Control

Getting Your Healthcare Facility in Order in 2020, Part 2 of 6

Vulnerability Control

We are all vulnerable. Yes, life is fragile and we can get our feelings hurt, but I’m talking more about the hospital network. Vulnerability control provides a framework to understand the IT security risks at your healthcare institution by providing a visual of the weak spots. For example, are there any equipment recalls, are any major systems running old software, or are there patches that have not been implemented? And what can you do about it without worrying as much as you did last year?

Death by Pump

As a medical device maker, there is one notice you don’t want to receive from the FDA and that's the serious Class 1 type. Just last month the FDA classified a recall of about 600 pediatric drug-infusion pumps made by Plymouth-based Smiths Medical as Class 1. This is serious business in that it means that a software problem in the pumps can lead to serious injury or even death.

Smiths Medical sent a notice to customers that its Medfusion 4000 Syringe Pumps with Firmware Version 1.7.0 were impacted. Basically, the firmware problem could cause the low battery alarm to stop functioning. "If the battery alarms do not work, the health care provider using the pump will not receive audible or visual notification that the battery is shutting down. This may lead to an interruption of therapy which may lead to serious injury, adverse events, or death," according to the FDA announcement. Yikes, that's being vulnerable.

So many bulletins, so little time

Checking the FDA website for bulletins and cybersecurity vulnerabilities is time-consuming but necessary. What typically happens after an FDA recall is that hospital administrators dust off the Excel spreadsheet. Sometimes the spreadsheet is updated; oftentimes it's not. At Ordr we can check everything in your network for you automatically. Right away we can cross-reference to tell you whether your devices are subject to any FDA recalls. We scan and review manufacturing bulletins and check the National Vulnerability Database automatically. Our system keeps up with all the latest changes and recommendations, and we correlate the growing list of information with what is connected in your network.

When patching is needed, Ordr can show you exactly what these devices are and exactly where they are. Sometimes a device may be hiding somewhere, but if it does end up being connected and starts talking, we will see it right away. And when time is of the essence, why not update the IV pumps in the emergency room before tackling the pumps in an outpatient clinic? We can do that.

Old Software Sticking Around Some Desktops and Laptops?

Some old versions of software just won't die and seem to linger around. Eventually, however, these old software versions can leave you vulnerable, so it is important to know where the devices running old software are. Yes, it's true: Microsoft will no longer provide security updates or support for PCs with Windows 7. Upgrading to Windows 10 is the easy part (well, sort of), but finding all these older devices can be tedious. Instead, with Ordr, we will tell you exactly where these devices are, down to which port or wireless access point they are connected to in which building. Don’t be so sensitive or vulnerable. Say goodbye to the old and say hello to something more secure.

Constant Updates for AV, We Do That

Feeling unsure if you have the latest AV software installed on every laptop? We can take care of that too, providing you the visibility needed at a quick glance. We’ve actually had a customer who had network configuration errors or “miscommunications” between the server infrastructure team, which builds out the base image, and the server application team. This resulted in 145 servers not having AV installed, something that our Ordr analytics engine saw right away. We were quickly able to rectify the situation and make sure things were communicating properly to Cylance. At Ordr we see the communications instantly and continuously, and we can tell you specifically what is in compliance or what needs updating. And yes, it's all agentless.

Trust but Verify

When Reagan signed the INF Treaty with Mikhail Gorbachev he quipped “Trust but Verify,” something we think through as we reduce vulnerability. At Ordr we are constantly fine-tuning our platform, exponentially growing our library, reducing the false-positive rate and applying our learning to networks around the world, helping to regain control over vulnerabilities. Connecting disparate devices made by various manufacturers at different times and with different operating software versions means hospitals and medical centers will be vulnerable. Our analytics engine sees it all, checking to see that devices have been patched, making sure any recalls are all factored in and making sure old software has been upgraded. That's trust.

About the Author

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.

Profile Photo of Pandian Gnanaprakasam