March 9, 2022: IoT Security is increasingly complex with the rise in connected devices and cyber attacks. Here to help is Claroty and Medigate. Samuel Hill, Director Product Marketing and Kierk Sanderlin, VP of Customer Success at Medigate join Bill live from ViVE 2022 to discuss The Powerhouse for Securing the Extended Internet of Things (XIoT). Combining Medigate’s leadership in delivering unmatched visibility, protection & threat detection for medical devices with Claroty’s leadership in doing the same for industrial OT devices, has created a powerhouse for security of the Extended Internet of Things (XIoT) in healthcare. Organizations can now confidently connect their IoMT, OT, IoT and IT assets with a single, best of breed solution.
00:00:00 - Intro
00:02:10 - Medigate helps give visibility to all of your devices that are connected and then gives accurate data
00:02:50 - We take a passive network scanning approach
00:06:10 - Am I worried about compliance or am I worried about security?
00:10:15 - What is the maturity framework that you look at?
Claroty and Medigate: The Powerhouse for Securing the Extended Internet of Things (XIoT)
Today on This Week Health.
Medigate has the clinical understanding of how medical device communicates on the network and what ports and protocols are needed. We can push that into your access control delivery engine in order to do that in an automated fashion.
Alright, here we are from ViVE:
Yes Director of Product Marketing.
Director of Product Marketing. People might wonder why you're here and why I'm not just talking to him, but
It's a good question. And it will be a well question we'll ask. And yeah.
No, but anyone who knows Samuel. Samuel really understands the space, knows the markets. So we are going to talk about IoT security, which is a pretty timely topic. Anything security right now is a timely topic. Things that are going on. So for those who aren't familiar with IoT security and why it's important, who wants to field this question? Why? Why is it important? Why are our health systems taking notice now? And maybe haven't taken notice three or four years ago?
Yeah, it's been this progression over the last four or five years. We've always had a ton of devices all over. And I remember when I was a patient care tech, I would have to go look for these devices and find them somewhere in the hospital. These devices are actually really critical to the patient outcomes and to delivering care, but it's really difficult to manage them, to secure them and they're doing really important work.
And so the challenge has become, what's out there. What is it doing? And what can we do about it as an IT organization, as a security organization? And that's where Medigate comes in, is we help to give the visibility to all of those devices that are connected and then give accurate data. So you can make really good decisions for security of these devices, for operational effectiveness, for risk management, all the things that are really key on a CISO.
When I first became a CIO, finding devices might sound to somebody like, what do you mean? You lost a biomed device? How can you possibly lose those biomed? Well, there's so many of them and they're moving around and actually to be honest with you, we saw some of them went up on eBay.
Yeah. So it's, it's not uncommon for these devices to just walk, literally walk off. And so you guys are, you tackle it, you start there. Yes. But how do you find them? How do you find those devices?
Well we take a passive network scanning approach where we listen to the traffic that's coming across the network. And because we've invested so heavily in the languages that these devices speak, we understand what they're saying, and we can actually open up the packets of the device traffic to get really granular information about the device itself. So we see all of the traffic on the network. We understand all of it. And then we can report to you what the devices are doing. So our visibility is really unparalleled to be able to understand the sheer width and breadth of the devices that are connecting. And then you get to have the actionable data to make better decisions about it.
Yeah. I'm going to come to you here, so. I'd love to know what you're hearing. So from this perspective, finding them was one thing. The second thing for me from a biomed device and the devices we had all over the network was keeping them current. Right. I mean, we had Windows XP devices, we had all sorts and we were constantly getting requests to update those because you have to keep them current and you have to keep them secure and those kinds of things. Talk a little bit about how we address that with.
Yeah. As Samuel was talking to the first challenge is visibility. Being able to discover all of the devices and then it's the. Right. Here's all of your devices. Very accurate detection, right? 96, 97% of the MAC addresses we aim to map on my team, on the customer success side of health.
So we actually have, here's your assets? What do you do now? And to your point, all of the outdated operating systems there's also critical risks. We can identify actually compromised devices on the network. And so interacting with your existing CMMS data set, being able to generate tickets, prioritize based off of Medigate data is what we really help to do.
So it's taking it from overwhelming amounts of data and then helping you use the tool to prioritize your work efforts, to reduce the risk.
How do you get to the 97%? We all have systems out there that are monitoring devices. We're monitoring the workstations and desktops. And you guys, aren't looking at the desktops. You're very focused on, on one area of the world right?
No we'll see the desktops as well.
You'll see them, but that's not what you're mapping.
Our secret sauce is the medical devices, because those are the real weird things that typical IT tools don't necessarily scan and manage and understand.
All right. So help me understand it.
Well, so it's more than just being able to see the devices themselves, cause you won't be able to put a passive listening technology at every corner of your network. There's also integrations that we'll do with other vendors that are in your tech stack or customers to increase that.
So we could do an integration with your DHCP services and get additional ingests, additional information. We can get it from Active Directory. We can get it from a host of other SNMP engine tools where we're importing that data directly into Medigate to fill in some blanks and give you more of a holistic view of your asset inventory and making it more accurate because one tool isn't going to be enough for your entire network.
It's a combination of the integrations that we have along with our passive listening.
So am I worried about compliance or am I worried about security? I mean, which one should I be more worried about right now?
Well that's a, that's a tricky question. I've been in cybersecurity space for 24 years. I'm a big believer in being worried about security rather than a compliance framework. A compliance framework is a good place to start. But you should be doing better than that, but
We're talking about medical devices. So compliance does matter. I mean, these updates are very important.
If you're just speaking about yes for sure. Yeah, absolutely. You cannot patch a device. That's not a. You can't find.
Or it might not have a patch available. I mean, these devices can have a software development cycle for years, three, four years. And by that time you might even be off cycling them as part of your asset inventory. So what do you do with this device when you cannot put a patch on a known vulnerability or exploit?
Well, what segmentation strategies should be put together for that device? That's the next best step we have to take. So we can see that we know the software levels of the device, and we can say this is an affected device. Patch is not available yet. So here's this recommended segmentation that we should be applying across that device category.
That's happening a lot more now. That's like the second phase of maturity. The initial one is, Hey, what can we do quickly to patch devices, integrate with CMMS and have the biomed team block. The second phase is we need to segment these devices because there's no other patching or anything available.
So that's where we'll work with our customers on those segmentation projects and they can wrap ACLs around their medical devices. So they're only speaking the protocols and the ports that they should.
So, okay. Talk to me. We haven't done any pre-work here. So talk to me about automation. So one of the things I'm talking about CIOs, I'm like, look, I have trouble getting staff. I have to do more with less. Trying to figure out. I can't put tools in place that aren't going to integrate with some, some of the things we already have and give me a certain level of automation and those kinds of things. So talk to me about the automation layer and the integration there.
In the NAC world, the network access control world, say like a Cisco ISE, you have the ability to take Medigate-generated security rules and dynamically push them into a Cisco ISE for your NAC enforcement projects.
So Medigate has the clinical understanding of how medical device communicates on the network and what ports and protocols are needed. We can push that into your access control delivery engine in order to do that in an automated fashion.
Really. So you're seeing it, you see the need to update or segment that device. And it just becomes automated.
We see where the device is. We see what switch it's connected to, which wireless access point it's connected to, we can then make a recommendation for the access control list. Upload that into the NAC engine and you can have automated protection for them. Wow. This doesn't happen like overnight.
It's not just like you flip a switch and it happens. This is our team and customer success works very closely with the customer over a project timeline. Devices that are less impactful to patient care, work on those and then we'll deliver it across the entire enterprise.
Until people feel more comfortable as you, as you move along.
And programmatically we're on calls every week with a customer where they're seeing risk reduction over time, because all of the percent of devices that have enforcement on them increases and you can see your risks going down over time. It's really the biggest needle mover because to the earlier point we can't patch enough medical devices so we have to be able to do the segmentation projects with NAC enforcement vehicles. And it's really the way to get the biggest bang for your buck.
And it's also something, I mean, a lot of your leaders that you work with, they got to justify what they're doing and why they're spending this money to their boards and their leadership. And this security dashboard is showing we have a certain number of devices and this percent before Medigate had a dynamic security policy applied to it. Now we have this percent and there's a lot higher and you can see the progress as you're going along to secure all these devices.
Talk to me about the, I want to hear about the maturity framework, and then I want to hear about how you're experiencing the industry right now. Are we anyway, let's start with, let's start about the maturity framework you've mentioned now. It's like, that's the start. Is there a framework that you look at and think about?
Well, we have our customer journey, right? So our customer journey goes from the time that they decide to choose a solution like Medigate to the implementation phase. Implementation phase goes back to that initial visibility.
And then the next phase is the maturity into the InfoSec team, right? So we're going to use our clinical cyber hygiene module to find things that can be fixed quickly. Devices that can be patched by biomed. The next phase is
React to what's currently there.
Next phase would be the network policy management to reduce risk by wrapping ACLs around the medical devices. And finally in the maturity curve, it's the ROI, right? It's being able to look at your fleet of assets that we discussed. And understand are they being used properly? Are they located across the health delivery organization correctly? Do I need to buy these? Do I have plenty of those? So we then work with the customer to make sure that we're giving good data for their utilization and location of their assets, because then it becomes a tool that they can use to say, Hey, there, we can show money back to the organization, not just the cost for cyber.
Because we don't want devices sitting around. Underutilized or not utilized. And a lot of times we end up bringing other devices and those kinds of things. So,
Or you have devices that you're renting, right. So we actually can report in the dashboard on you have X number of devices that are rented.
If you see them, then you can give me utilization reports on those things.
Yeah. We've actually had customers do this where they'll go and they'll have a request from whatever nursing unit that says we need another 70, 80, a hundred infusion pumps. We're able to go look at the dashboard and say, well, we have a connection of 200 just in storage. So that it's a win-win and they get to meet the need of that unit, which is what they all want to do. And they didn't have to buy more devices because they actually have better data about it.
So a lot of times when we talk about healthcare, we talk about it like it's one monolithic thing. Oh, healthcare providers look like this. The thing is though, we have small independents. We have regional players. Large health systems. What's the sense, small, medium, large, in terms of really starting to attack this specific problem?
Yeah. We're seeing it across the board. I mean, from the academic that they got academics down to the critical access hospitals. Every single one of them are aware of the need, their maturity and ability to go tackle this problem is really what's in play. And we've talked a lot about staffing shortages and talent, and that's really what we're noticing. We actually have partnerships with healthcare organizations, partner organizations that can do some assessment and either on staff OGs staff support to help deploy projects like this because every hospital needs it.
And every, if you've not gone, the Medigate route, you've gone. Another route, hopefully are starting to tackle this because it is a critical need. But we're finding that they all have the issue, but they may not have the resources to fully tackle the issue.
Yeah. Just add one thing to that. When we do it, With the customer on the post-sale side of the house, it's amazing how many executives sit in on these kickoff calls now? And they chime to me and basically say, Hey, I'm glad you're on because I want you to know this is one of the most important projects for costs right now at fill in the blank HDO. It is hugely important. It's this has been talked about for years right now. It's coming down to actually it's happening level of visibility for double visibility.
People are talking at conferences like this, and they're saying, what are you using? What's your success level? What do you feel about, I mean, this is a big deal where we're seeing maturity occur right in front of our eyes right now.
It's fantastic. Samuel. Thank you. So we're going to give you heat in the beginning.
Nice to meet you as well.
What a great conversation. I appreciate Samuel Hill coming on the show and talking to us. And we want to thank Medigate for making them available to us. I hope you're enjoying these shows from the CHIME ViVE floor. Please keep checking back. We're going to have more of them. If you're watching this on the conference channel, and you're wondering where are the rest of these? They're on the News channel. We're treating this as news. It's on the Today show and it's on the Newsday show. That's where we're going to be covering this. So head on over there, see some more of these interviews. Thank you very much.