Post on 28-Mar-2021


INTEGRATION

Managing Vulnerabilities in Clinical Networks

In many cases, vulnerability scanners may not be able to tell whether a scanned device is a medical or IoT device prior

In healthcare, Vulnerability Management (VM) platforms are used to reduce the risk posed by the medical (IoMT) and non-medical (IoT) assets that connect to clinical networks. These solutions employ different types of device scanning to proactively assess the weaknesses of connected assets. The best solutions not only stay current with newly published vulnerabilities (CVEs), but can also test whether a potential vulnerability actually affects a given device, so that the connected landscape is continually assessed for susceptibility to attack.

Rapid7 delivers such capabilities via InsightVM, a market-leading platform. Importantly, InsightVM's capabilities are distinguished in that they address the well-known risks of scanning both medical and non-medical devices in a clinical setting.

For example:

1. Medical devices involved in delivering patient care could have their operation disrupted by a scan. Historically, there has been no definitive way to determine a device's true status (merely connected to the network versus currently in use and connected to a patient). The growing mobility of medical devices compounds the problem: locating a device or group of devices by "eyeballing" it is next to impossible.

2. Medical devices are generally more fragile than standard IT equipment. Scanning interrogates devices in ways that can stress already limited processing units (e.g., repeated login attempts, or simultaneous connections on ports that were never designed for such traffic). Put simply, IoMT and IoT devices generally have less computational headroom, because their specialized designs serve highly specialized use-cases. Non-standard communications can therefore trigger a reset or even cause damage.

Managing Vulnerabilities in Clinical Networks

Solution Brief


More About the Problem

First, in many cases VM systems cannot discern whether the device targeted for scanning is medical or non-medical. This problem is even more severe when the device's manufacturer, model, or application version requires a tailored scanning plan as a condition of its warranty.

Second, the results of vulnerability scans cannot drive appropriate security action if they lack the right clinical context. Essential information is often missing. For example, the device's full identity is probably not known (i.e., type, model, and specifications such as OS version, application version, and serial number). As stated, its current status, location, and maintenance records may not be readily available. This level of context is required, as it informs a range of security decisions. Is a patch the right thing to do? What are my options for compensating controls? If I want to segment the device, what should the security policy be, and what are my best options for enforcement?

Third, vulnerability scanners do not comprehensively cover CVEs specific to medical devices. VM platforms are designed to scan and manage common connected devices and to work across industries. However, as stated, medical devices differ from their counterparts: they often run embedded operating systems and communicate over proprietary protocols, so it is harder for VM platforms to provide the same level of coverage for medical devices in their vulnerability databases and scanning procedures.

The Solution

Rapid7 and Medigate have partnered to give hospitals a way to address these challenges effectively and eliminate the security tradeoffs. The solution integrates Medigate with existing Rapid7 InsightVM and Nexpose vulnerability management systems. It provides "identity-based" scanning that changes the game for scanning administrators, who gain fingertip access to a fully profiled, dynamically risk-scored inventory of all assets, inclusive of each device's security posture, status, and location. The underlying data are delivered in context to InsightVM, enabling both passive and active, instantly correlated vulnerability assessments.

The integration is bi-directional: in turn, Medigate imports the results of scans performed by Rapid7 and incorporates the updates into the clinical risk score it calculates and maintains for each device in its inventory. This allows scanning data to be orchestrated for the benefit of the entire ecosystem.


How It Works

1. Medigate uses Deep Packet Inspection (DPI) techniques to passively fingerprint all connected medical devices. Each device is fully profiled. Details include make, model, firmware, OS and application versions, serial number, location, status, and security posture.

2. Medigate exports these device profiles to InsightVM, using custom tags and custom attributes for each asset.

3. Medigate then maintains these asset groups within InsightVM so that default inclusion lists and explicit exclusion lists (i.e., medical devices that must not be scanned) are always available and up to date. Among other benefits, this enables the safe scanning of mixed network segments as well as highly targeted scanning (e.g., scanning Windows-based radiology devices for a specific vulnerability).

Medigate's Scan Orchestration page, which defines scan target groups and their scan policies.

Scan sites as defined above, created via the integration with Rapid7's InsightVM.

4. Medigate imports vulnerabilities and exposures from InsightVM for all discovered devices and incorporates the CVEs into the Clinical Risk Score its platform dynamically calculates and maintains for each device. This allows Medigate to serve as a single pane of glass for cybersecurity risk assessment and management of all connected devices, and it also means the same data can be orchestrated to other systems that benefit from it.
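The four steps above, modelled end to end as an added example that is not part of the original brief and not Medigate's or Rapid7's own integration code: device profiles become tags, identity and live status decide which assets go on the exclusion list and which into targeted scan groups, and scan findings are folded back into a per-device clinical risk score. The inventory, the findings (placeholder labels, not real CVE identifiers), the "scannable" flag, the clinical weights and the recommendation thresholds are all constructed assumptions; no InsightVM API call is made.

```python
"""Identity-based scan orchestration and risk enrichment, modelled on the
four-step Medigate/InsightVM workflow described above. Illustrative code
written for this page, not Medigate's or Rapid7's own integration: the
inventory, findings and weights are constructed, and nothing talks to a
real scanner."""

from collections import defaultdict

# Constructed device profiles in the shape step 1 describes. "scannable"
# stands in for the manufacturer's guidance on whether the device may be
# actively scanned at all; "status" is the live clinical status.
INVENTORY = [
    {"id": "dev-01", "type": "Infusion Pump", "make": "Vendor A", "model": "IP-200",
     "os": "Embedded RTOS", "status": "in-use", "location": "ICU-3",
     "medical": True, "scannable": False},
    {"id": "dev-02", "type": "CT Scanner", "make": "Vendor B", "model": "CT-9",
     "os": "Windows 10", "status": "idle", "location": "Radiology-1",
     "medical": True, "scannable": True},
    {"id": "dev-03", "type": "CT Scanner", "make": "Vendor B", "model": "CT-9",
     "os": "Windows 10", "status": "in-use", "location": "Radiology-2",
     "medical": True, "scannable": True},
    {"id": "dev-04", "type": "IP Camera", "make": "Vendor C", "model": "Cam-1",
     "os": "Linux", "status": "idle", "location": "Lobby",
     "medical": False, "scannable": True},
]

# Constructed scan findings: (asset id, finding label, CVSS base score).
# The labels are placeholders, not real CVE identifiers.
FINDINGS = [
    ("dev-02", "VULN-A", 9.8),
    ("dev-02", "VULN-B", 5.3),
    ("dev-04", "VULN-C", 7.5),
]

# Assumed clinical weights: the same finding counts for more on a device
# that delivers patient care than on a non-medical device.
CLINICAL_WEIGHT = {True: 1.0, False: 0.6}


def profile_tags(dev):
    """Step 2: render a profile as the custom tags a scanner would receive,
    so scan policies can select on identity rather than on IP address."""
    return [f"medical={str(dev['medical']).lower()}", f"type={dev['type']}",
            f"make={dev['make']}", f"model={dev['model']}", f"os={dev['os']}",
            f"status={dev['status']}", f"location={dev['location']}"]


def build_scan_groups(inventory):
    """Step 3: derive an explicit exclusion list and targeted inclusion
    groups. A device is excluded if its profile forbids active scanning or
    if it is currently in use with a patient; the rest are grouped by
    (OS, type) so a policy can target e.g. Windows-based CT scanners."""
    exclude = set()
    include = defaultdict(list)
    for dev in inventory:
        if not dev["scannable"] or dev["status"] == "in-use":
            exclude.add(dev["id"])
        else:
            include[(dev["os"], dev["type"])].append(dev["id"])
    return exclude, dict(include)


def clinical_risk(inventory, findings, exclude):
    """Step 4: fold scan findings back into a per-device clinical risk score.
    Score = highest CVSS on the device x clinical weight, capped at 10.
    Excluded devices were never scanned, so their score is reported as
    unknown (None) rather than as a misleading zero."""
    worst = defaultdict(float)
    for asset, _label, cvss in findings:
        worst[asset] = max(worst[asset], cvss)
    scores = {}
    for dev in inventory:
        if dev["id"] in exclude:
            scores[dev["id"]] = None
        else:
            raw = worst[dev["id"]] * CLINICAL_WEIGHT[dev["medical"]]
            scores[dev["id"]] = round(min(10.0, raw), 1)
    return scores


def recommend(dev, score):
    """Map a score to the actions the brief lists: patch via the manufacturer
    and segment for medical devices, patch directly for non-medical ones, and
    fall back to passive assessment where active scanning is off limits."""
    if score is None:
        return "no active scan: assess passively, restrict ports/protocols at the segment"
    if score >= 7.0 and dev["medical"]:
        return "coordinate patch with manufacturer; segment with port/protocol restrictions"
    if score >= 7.0:
        return "patch"
    return "monitor"


def run(inventory=INVENTORY, findings=FINDINGS):
    """Whole workflow: returns {device id: (score, recommended action)}."""
    exclude, _include = build_scan_groups(inventory)
    scores = clinical_risk(inventory, findings, exclude)
    return {d["id"]: (scores[d["id"]], recommend(d, scores[d["id"]])) for d in inventory}


if __name__ == "__main__":
    exclude, include = build_scan_groups(INVENTORY)
    print("excluded from active scanning:", sorted(exclude))
    for group, ids in include.items():
        print("scan group", group, "->", ids)
    for dev_id, (score, action) in run().items():
        print(dev_id, score, action)
```

The point to notice is the None score: a device that is never actively scanned has no findings, and a naive merge would report it as risk-free. Keeping "unknown" distinct from "clean" is what lets the compensating-control recommendation fire for exactly the devices the exclusion list protects.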


The Result: Superior Clinical Risk and Vulnerability Management

The bi-directional integration delivers unprecedented asset coverage, dramatically improving how asset risks are assessed and managed.

1. Informed risk management: Medigate's visibility data combined with Rapid7's vulnerability findings allow security teams to identify all IoT and medical devices, their network location, and their organizational owners, clearly mapping the distribution of risk across departments and manufacturers.

2. Safe and comprehensive scanning: the detailed device identifications provided by Medigate allow InsightVM's scanning process to be configured to minimize patient and asset risk while efficiently testing for all relevant vulnerabilities.

3. Drive action from insights: the insights delivered via the integration translate directly into remediation activities such as coordinating patching with the device manufacturer, segmenting the device on the hospital's network, and establishing appropriate security policies (for example, port and protocol restrictions) through Medigate's NAC and firewall integrations.


About Medigate

Medigate provides award-winning cybersecurity for connected devices in hospitals. The platform combines a deep understanding of manufacturers' protocols and clinical workflows with cybersecurity expertise to deliver comprehensive and accurate identification, contextual anomaly detection, and clinical policy enforcement. The resulting automated, rule-based, clinically-driven security policies keep patients, networks, and PHI safe.

Email: [email protected] Visit: medigate.io