A national healthcare provider relies on hundreds of third-party vendors and medical devices that share sensitive information and interact with internal systems. Protected Health Information (PHI) can be worth 1000x more than financial data to hackers, and security vulnerabilities on medical devices have the potential to cause physical harm to patients through invalid results, loss of system dependability and the exploitation of reliability requirements. The IT and Risk departments determined that the impact of a data breach, or infiltration of the provider’s network of devices, warranted a comprehensive and immediate effort to assess third-party risk and monitor medical device security more robustly.
With a need for immediate action and a daunting list of vendors and devices to cover, Fortress was engaged as a partner to analyze the vendor landscape and select the most critical vendors requiring attention, using proprietary technology to overcome the challenge of protracted vendor interactions. Fortress’ IT and OT monitoring capabilities, combined with expert consultation and a patented approach for firmware hashing via blockchain, allowed the client to view and manage a comprehensive risk outlook.
- Identified and performed risk assessments of the most critical vendors in two primary categories: continuity of business (COB) and sensitive data access (EMRs, etc.).
- Implemented the scanning of the majority of OT assets utilized by the provider, including MRI and CT scanners, spectrum analysis machines, heart rate monitors and more.
- Created dashboards, reporting and alerting mechanisms to allow full visibility into the status and potential risks introduced by updates, configuration changes and new installations of medical devices.
- Fortress was able to combine third-party risk information and IT/OT vulnerability information in a “single pane of glass” analysis, which allowed the provider to correlate vendors to device manufacturers and prioritize the most vulnerable devices, from both a technology and third-party risk context. As Fortress was already familiar with many of the OT standards and vendors, it was able to help the provider create a prescriptive procurement process (PPP) to ensure new vendors and devices were considered from a risk perspective prior to onboarding.