The Microsoft BlueKeep Vulnerability
I'm actually going to dive into Microsoft's BlueKeep vulnerability today, and I'll share with you a little bit around what healthcare organizations need to know and how to prepare for future exposures around the BlueKeep vulnerability.

A little bit about myself: my name is Ben Person, and I run our product marketing, but I also run our technical pre-sales. I've actually been working in the healthcare industry for a number of years. My wife is a clinical engineer, my mom's a nurse, my sister's a respiratory therapist, so I've lived and breathed healthcare my whole life, and I'm excited about this topic. It reminds me of the WannaCry vulnerability that came out a couple of years ago; that's why I wanted to bring this topic to the table and share what I know about it, discuss with you all what it is, and some of the things you can think about in terms of protecting the medical devices within your hospitals as well.

So when we think about hospitals and the challenges that you're faced with: I've spoken with over a hundred hospitals over the course of the last few years. That includes big, large service providers, that includes OEMs, and that includes even health systems that span the entire country, not just in the US but also internationally. What happened when WannaCry was released a couple of years ago was that you saw this sort of finger pointing, right? Is the OEM, the manufacturer of the medical device, responsible for providing the hospital the patch, the workaround, the whitelisting procedures to actually protect that medical device? Or are the service providers that you've outsourced to responsible for providing that support for the medical devices that you've outsourced to them under contract to maintain and protect? Ultimately, in the end, it's the hospitals that are holding the responsibility, and that's the answer I've gotten from CISOs, from the IT leaders, from the HTM organization. They're like, "We're putting our patients on these devices; it's our responsibility in the end to make sure that these medical devices are protected and secured."

Well, the challenge in that case is: what devices do you have that are, one, vulnerable, that are running that operating system, that have that particular threat available to them, that are on your network? Where are those devices? One of our customers is going through a process of locating tens of thousands of medical devices to address this particular vulnerability. And how do you fix them, what are the procedures to fix them? So these are some of the challenges, getting back to the ownership and accountability and how hospitals and healthcare organizations address making sure that they are protected.

Now, like I said, we certainly are still talking to the manufacturer side. We have healthcare manufacturing customers, we have healthcare service provider customers, so we're wanting to encourage them as well to look at this, address this, and take ownership of this as it relates to the medical devices they're selling to the hospitals and supporting within the hospitals. But in the end, the HTM organization and the IT security organization within the hospital are ultimately accountable to make sure that this is taken care of.

Again, if you have questions, use the question option on the right-hand side; apologies if you didn't hear me earlier. If you want to ask questions, there is a question option on the right, so feel free to drop in questions as we go throughout the session today.

So first of all, what is BlueKeep? What is this vulnerability that was just disclosed on May 16th of this year? This is being considered a serious threat, and like I said, it does remind me of WannaCry, and that's why I wanted to bring this topic to the table. This is the Common Vulnerabilities and Exposures (CVE) number for you if you want to look this up. But what this is: if you're running a legacy operating system, a legacy Windows operating system specifically, that has Remote Desktop Protocol. If you're not familiar with what Remote Desktop Protocol is, it is a protocol that allows an IT administrator, for example, or a helpdesk administrator, to remote desktop into a PC to support it. It allows them to see the screen, it allows them to remotely control the screen, but it allows a lot more. The port number is 3389, specifically. So the threat there is that you're running a legacy operating system with this particular port and this service, RDP, turned on. That's the threat, and the reason this threat is so serious is that it requires little to no tech and security expertise; it's fairly easy to exploit. Specifically, there are a lot of videos out there on YouTube, if you want to take a look, of people exploiting it and showing exactly how simple it is, using a command line to exploit it and run remote code on the vulnerable operating system. In this case it could be a vulnerable medical device, and that's what we're talking about today.

So why is this so bad? Why is this BlueKeep vulnerability such a bad issue, a bad item within a hospital? The first thing is that this threat is resident in these older, unsupported operating systems. These older, unsupported operating systems aren't being patched by Microsoft, and in a lot of cases aren't even being patched by your medical device manufacturers. They may have gone end-of-life, may have gone end of support, because you are running medical devices for ten to fifteen to twenty years within a hospital, well past the life of a Windows supported and patched operating system. So that's the first point. The second is that it's pre-authentication. What that means is the hackers, the attackers, don't even need stolen credentials. So if you have password restrictions, and you have very strong password requirements within your hospitals, especially for your medical devices, that's irrelevant. Attackers don't even need stolen credentials to actually exploit this vulnerability; they just need access to a medical device on your network that is running this legacy operating system with this particular RDP port active and open. And then the thing about it is that it can spread quickly, and it's going to spread horizontally. So once one device gets affected, they can crawl device to device, sort of land and expand, device to device within your hospital, and find other vulnerable medical devices or other devices that have the same threat available to them. So once it gets into your hospital, it can spread device to device as well. What it also can do, again, is install software on the device; it can install malware, for example, on the device without admin or other credentials. So they say it has full access to your medical device just by having that direct access and installing that software on the device. That's the threat there, and like I mentioned earlier, strong password management doesn't do anything to reduce the risk; it just leverages that open port, leverages that vulnerable operating system, to be able to gain access to that medical device with full access.

It also requires very little hacking experience to exploit this vulnerability. It requires just access to an RDP-enabled device and public knowledge of the pre-authentication security gap, which is now widely available, and as I mentioned, you can go out to YouTube and watch people running their command lines, running this attack against the device. You can see how it does not require any authentication to actually do it, and it can run a payload, meaning you can run an application, run a PS script, against your particular device. So what happens is the hacker sets up this static virtual channel, and it's named MS_T120, on a channel other than 31, and that leads to a heap memory corruption and remote code execution. In the end, what that means is they can remotely install and run code without any access controls on those devices, and the code required to do this is, like I said, primitive; even novice hackers can do this type of hack. That's why you're seeing all the posts around the concern, and it's why Microsoft themselves stepped up, and I was very pleased to see that, and provided patches even for their out-of-date, unsupported, previously unpatched operating systems because of their concern for this vulnerability.

So what is RDP? I shared a little bit about what Remote Desktop Protocol is. Again, it allows that remote user to take control of the device. If you've ever called into a call center and the person on the other end of the call center has remoted into your PC and driven your mouse to fix something on your computer, that's RDP; that's what they're using to actually gain access. It's designed traditionally for laptops and desktop computers, and it's traditionally used from a support perspective: IT support typically uses this protocol to remote into the PC to be able to support and troubleshoot servers, laptops, desktops, etc. Like I said, it's that IT administrator, that's usually where this comes in, but in some cases this is enabled, installed and active even on a medical device, because under the hood it's still running a Windows operating system, which can have Remote Desktop Protocol turned on even on a medical device for remote support.

So what are the vulnerable operating systems? These are the five that are vulnerable: it's Windows Server 2003, it's Windows XP, it's Windows 7, Windows Server 2008, and Windows Server 2008 R2, all out-of-date operating systems from a Microsoft standpoint. But like I mentioned, Microsoft does have patches now for all of these operating systems available on its website, and I'll point you to that link once we get done today.

So why is healthcare particularly vulnerable? It's the same reason that healthcare was particularly vulnerable when we thought about WannaCry, the exact same reason: 70% of devices in healthcare organizations are running, in a lot of cases, unsupported operating systems. The projection right now is that by January 2020, just around the corner here, 70% of medical devices in healthcare organizations are going to be running an unsupported operating system. And I know that it's already at a high level just because of the nature of medical devices, as I mentioned, running for 10, 15, 20 years. Most operating systems from a Windows perspective are only supported in some cases up to 5 years, 7 years in some cases, but that's nowhere near what a medical device is going to run within a hospital.

If you look at the mix of operating systems in healthcare, the statistic is that 59 percent of medical devices are running Windows operating systems in healthcare, and 41 percent are running a variant of other operating systems, whether that be a Linux operating system, an embedded firmware operating system, some other form of operating system, Android OS as well. So in some cases there's a variant, but most are Windows within a hospital organization. So that's the challenge.

So patching in a healthcare environment is challenging. It's not as easy as your traditional corporate environment where I have PCs and desktops and servers; that's easy. I ran a patch management team, actually, when I worked in aerospace and defense as well, and that was actually fairly easy to patch. We had tools and software like Microsoft SCCM or SMS, or even WSUS, Windows Server Update Services, so you had multiple options for quickly deploying patches. But the challenge in healthcare, as you all probably know, is that healthcare has a lot of operating systems. The statistic I pulled was that forty percent of healthcare deployments have over twenty different operating systems in their environment, so it's fairly complex in terms of just the number of operating systems; medical devices drive a lot of that complexity. You also don't have the luxury of patching like you do in a traditional corporate environment. Patching medical devices requires, in a lot of cases, getting patches from the manufacturer, or manually, physically touching the device itself to apply those patches onto the medical devices directly, because traditional patching tools aren't allowed, and rightfully so; you don't want to immobilize a device by rebooting it in the middle of the day because Patch Tuesday hit.

Another statistic is that thirty percent of healthcare deployments had more than a hundred device vendors. So you're now dealing with also the complexity of just the sheer volume of vendors, of manufacturers, within a hospital, as opposed to a corporate environment where you have one or two or three, maybe ten, but nowhere near the sheer number of vendors you have to support, whether it be your Siemens, your GEs, your Philips, your Toshibas, and the list goes on. And now, as medical devices are more and more getting connected to the network (I've actually heard statistics somewhere around fifteen to twenty percent of medical devices are IP-enabled and connected to the network, and I know that number is only going up; the number I heard was last year), it is driving more and more devices to be addressed, especially for customers and healthcare organizations that have tens if not hundreds of thousands of medical devices that they are now supporting.

If we look, for example, at the number of medical devices: eighty-five percent of medical devices running a Windows operating system had SMB turned on, when it's often unnecessary. So this is just another statistic. SMB allows remote applications and users to access files on the device. This is just one example: because this SMB vulnerability was turned on, it goes back to that WannaCry example. This is how WannaCry got in: SMB was turned on on medical devices when it wasn't necessarily needed for the device to function, and what happened was WannaCry leveraged that SMB, Server Message Block, vulnerability. It's another protocol, just like RDP is a protocol. This protocol obviously is different from RDP, but WannaCry leveraged the same sort of attack method as we're dealing with here today. So I just wanted to share a little bit of statistics around that, and again, like I said, this is the threat; that's what I'm going to discuss today.

So why are we hosting this webinar? This is part of our business, what we do; we sell software in healthcare, so we feel we have an obligation to educate the healthcare community, and we also have a solution to help address some of this as well, which I'll get into in a demo here in just a second.

So the gap does exist between vulnerability scanning products. Traditionally IT has their scanning tools in the healthcare environment, but the challenge is that they don't necessarily know what they find. They find an IP address, they find a threat: I find an out-of-date Windows operating system, I find that it's running with an RDP port open on it, it's not patched. What they typically don't know is: is that a medical device or not? I know its IP, I know its MAC, I know its subnet, all that, but I don't necessarily know it's a medical device. So simply identifying and cataloging all connected medical devices can be a challenge. Knowing what your inventory is, and what state it is in, and the details about it, is really the foundation you have to lay to be able to know what state you're in. If you think about it: do you know what medical devices are connected to your network? Do you know the details about those medical devices? That's the question I usually ask when I sit down and talk to a hospital, and in a lot of cases it's "no, I don't," and that's the challenge they're faced with. Again, do you have any automation to remediate those vulnerabilities in your environment? In a lot of cases it doesn't exist, or it's manual. The other pieces are really around more of those details: do you have enough information to say where this device is, what department owns the device, is it under warranty, is it supported by a service provider, who's responsible for patching it, is it HTM, is it the vendor, is it IT? And some of those vulnerable devices may not be connected at the time when you do that initial scan, so it has to be an ongoing process. If it's in a clean room, if it's out for repair and may be unplugged, maybe in one of your spare closets, you may not catch it during that initial scan. So, things to think about.

So vulnerability scanning is only part of the solution. If we look at this report Forescout put out (you can certainly look this up), they provide recommendations on how organizations can develop and implement an enterprise-wide security and risk management strategy, and that's absolutely something, if you aren't looking at it, you should look at: having an actual strategy around your medical device risk management, and how you're driving that strategy, how you're maintaining, how you're managing, how you're tracking those medical devices across your hospitals. So it's not sufficient to simply detect that the device has an IP address; you need to also know all of its additional details, its purpose, its owner, its security posture. How do I respond if there's an attack on those devices, and do I have a plan in place for that? You can read more on that; it is a good report out there that you can certainly take a look at from Forescout.

All right, so just diving a little deeper into the traditional method, we think about the legacy ways of detecting if there's a vulnerability, if there's a threat, and do I know what to do. So this is kind of the legacy way of running things, and nothing against it; like I said, this is somewhat of a newer threat, as we think about more and more of these threats attacking and going after medical devices in the last few years. But traditionally what we saw was, in the left-hand column here, there are vulnerability scanning systems, and you have these network security and monitoring systems at the bottom. They're out there monitoring your networks, monitoring your subnets, the devices connected to the network, and they're able to get information. So let's say there is a security event; when it does occur, one of these systems detects it, and these are your IT teams typically running these systems. A lot of times they're able to get some detail: there's a security event that occurred, there's this vulnerable device on my network. But all I get back is an IP address and a MAC address of this affected device. The IT organization looks at this and sees that this came into their security operations console: well, is this OT, operational technology, is this a medical device? What kind of device is it, what manufacturer, what model, where is it at, where physically is it? They could trace it down to a port, they could physically figure out where that device is, but what department owns it, who do you contact, and how do you remediate this threat, this concern? This is the legacy way of looking at the challenge that you're faced with.

When we look at Nuvolo, this is one of the roles that we play in this, and I'll talk more about this. Nuvolo has a cybersecurity module, and this ties into our CMMS. Nuvolo has a medical device CMMS that allows you to track your inventory, and what we've added is a module for OT cybersecurity that allows you to do automation; I'll talk more about this. So now on the left-hand side there are vulnerability scanning systems. Now there are new ones out there, and we're partnered with pretty much every one of them: Zingbox, CloudPost, Asimily, Medigate, CyberMDX, and the list goes on. There are a lot of them out there now that are specifically focused on medical devices. So when they're scanning the network, they're able, when they detect a manufacturer, a model, a detail on your network, to correlate that against Nuvolo's inventory. We have a direct integration to all of those providers, and it's a bi-directional integration. So what happens now is: I find a vulnerable medical device, I have some detail, and I'm going to check, with the Nuvolo integration, our cybersecurity module, what device it is. Great, it's one of your medical devices. We found it, we matched it against the MAC address, the host name of the device, we matched it against the key details that we have within our inventory, and from there we've enriched that data. We put additional data back into Nuvolo, for example what its current IP address is, what the threat is, and we even do automation on top: automating work order creation. Maybe I want to kick off a work order to clinical engineering to address it, and that's where Nuvolo comes in as well. So now your facilities team, your clinical team, automatically get work orders based on the details, and they can even find out where these devices are physically located. I'll show that in the demo in just a second, exactly how we tie in with things like your real-time location services in your hospital to pinpoint exactly where the devices are right now. IT's aware now too: IT now has the data as well; we can push data right into your IT security operations console so they know this is a medical device, they know the details of the medical device, and they now know here's the work order of the clinical engineer in the HTM department that's actually taking action and working on that device. So we're able to get all of those additional details for a medical device within your inventory.

I'm going to pause for just a second: are there any questions from the folks on the call before we dive into the brief product demonstration? Okay, all right, well, great. Hopefully this has been very informative for you, so let's dive into a demo here really quick and show you a little bit about what we're talking about. This, by the way, is the Microsoft patch right here; I'll come back to that in just a second.

All right, so what we've done within Nuvolo: we have our own CMMS. On the left-hand side here, our clinical engineering can operate with their devices, and I'll dive into that here in just a second, with your inventory, your work orders, all of that; we have a modern CMMS for your organization. What we've done is add a cybersecurity solution on top of it that integrates with all of those cybersecurity products I mentioned earlier, and what we can do is not only know what medical devices are on your network, what operating system they are running, and what active ports are running on those devices, so that if there is an out-of-date operating system that hasn't been patched and has an active RDP port open on it, we can automatically generate the notice right here, an alert coming inbound right here for that medical device. Let's go and bring up this alert and actually take a look at it. So here's an alert that came in for the BlueKeep vulnerability for a medical device that was vulnerable. You'll notice it does include a link, so this actually links me out to the actual patch for this particular vulnerability. You'll notice this was a Windows XP device, and here are all the patches for that, so I have the ability to download the patch for this device. I can see the affected assets, so this was actually an infusion pump that was affected by this particular vulnerability. I can also see the related work order that I auto-created based on the security event. So here's the BlueKeep vulnerability, here's the medical device that was affected by it, and there's a work order that I assigned over to clinical engineering and to the technician; that's all automated. So we are able to find the medical device that's vulnerable, we have our vulnerability for BlueKeep right here, and we can see all the other medical devices that are also affected by this same vulnerability. So we can correlate a vulnerability against your inventory and auto-generate work orders for devices that match that vulnerability. We can also generate security incidents, as I mentioned, over to your IT organization so they're aware of it too. Here's the BlueKeep vulnerability, there's the medical device that was affected, and we also tie it back to the work order. So you see basically the full lifecycle of a device that's affected: from the medical device, auto-flagging it as vulnerable, auto-creating a work order to your clinical engineering department and to your IT security organization, so you can actually track that full history, and when it's fixed and really remediated, you know the state based on the ticket status on the work order and the security incident. So that's one area I wanted to show you.

One of the other areas I want to show you is our inventory. So, for example, I have my device inventory. I have a number of these that are on out-of-date operating systems: some that are running Linux, some that are running XP. Let's take a look at this XP device here, actually let's take a look at this one, and let's bring up where this device is located. I actually want to find out where this device is within my environment. We have the ability to pull up a floor map, and as I mentioned earlier, we tie in with real-time location services, or RTLS, within your hospitals as well. So if you're running Stanley AeroScout, or CenTrak, or AiRISTA Flow, or many, many others (we've integrated with a lot), we actually can show you where that device is right now. So if I need to physically get out to this device and find where it is, I can do that quickly and easily. Maybe I want to know where all my Windows XP devices are within my environment. So let me close this view of this device and actually search for all my Windows XP devices. There are a couple of ways I can do that: I can either filter it right down here at the bottom, or I can right-click on my operating system and show all my XP devices. Here they are, and here are the rooms that they're sitting in, so I can literally find all of the medical devices running Windows XP on my actual floor plan. I can do this floor by floor, I can do this site by site; you can get more expansive depending on how far you want to search. But this is going to speed up your time, especially if you're looking for hundreds of medical devices and trying to locate where they are. Based on the details that we're bringing in from the security systems that you have, we now know these devices are running the affected operating system, we need to physically get out there and get these patched and up to date, and we have technology to help you do that. That's where our floor mapping capabilities, and being able to pinpoint devices by tying in with your RTLS systems for your mobile devices, come in; we have that functionality as well.

So with that, I'm going to go ahead and wrap up. This session will be recorded as well, by the way, so you will all have access to the recording after the session; feel free to send this to the rest of the folks within your organizations or other peers you think this would be useful to. Hopefully this was informative and helpful for all of you. If you want to reach out, send an email either to myself, ben.person@nuvolo.com, or to sales@nuvolo.com, which is our direct contact. We'd love to talk more about this with you, or any other topics you'd like us to dive into; we'd be glad to as well. I appreciate everyone's time today. I want to thank you all for joining the session today. Thank you, and have a great day.
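Editor's added example (not part of the webinar, and not Nuvolo's code or any of the scanner products' APIs): the correlation workflow the talk describes, written out in Python. A scanner reports only IP, MAC, hostname and open ports; the CMMS inventory supplies OS, owning department, who patches and where the device sits. The three conditions from the talk (affected Windows version, TCP/3389 reachable, fix not applied) produce a work order routed to the patch owner, scan hits that match no inventory row are routed to IT, and affected-OS devices the scan never saw (out for repair, in a closet) are listed for re-scan, which is the "ongoing process" point. The CVE identifier CVE-2019-0708 is BlueKeep's public ID; the field names, the MAC/hostname matching order and every device and scan record are assumptions constructed for the example.

```python
"""Correlate network-scan findings with a medical-device inventory to flag
BlueKeep (CVE-2019-0708) exposure. Added example; all records are constructed."""
from dataclasses import dataclass
from typing import Optional

# Windows versions Microsoft's CVE-2019-0708 fix covered (later versions are not affected).
BLUEKEEP_OS = {
    "Windows XP", "Windows Server 2003", "Windows 7",
    "Windows Server 2008", "Windows Server 2008 R2",
}
RDP_PORT = 3389


@dataclass
class Device:
    """One CMMS inventory row (field names are assumed, not Nuvolo's schema)."""
    asset_id: str
    mac: str
    hostname: str
    os: str
    department: str
    patch_owner: str          # who applies patches: "HTM", "Vendor" or "IT"
    location: str
    bluekeep_patched: bool = False


@dataclass
class Finding:
    """One host as a network vulnerability scanner reports it."""
    ip: str
    mac: str
    hostname: str
    open_ports: frozenset


@dataclass
class WorkOrder:
    asset_id: str
    assignee: str
    location: str
    summary: str


def norm_mac(mac: str) -> str:
    """Scanners and CMMS entries disagree on case and separators; compare hex digits only."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def match_device(finding: Finding, inventory: list) -> Optional[Device]:
    """Correlate a scan hit with the inventory: by MAC first, then by hostname."""
    by_mac = {norm_mac(d.mac): d for d in inventory}
    hit = by_mac.get(norm_mac(finding.mac))
    if hit is None:
        by_host = {d.hostname.lower(): d for d in inventory}
        hit = by_host.get(finding.hostname.lower())
    return hit


def bluekeep_exposed(device: Device, finding: Finding) -> bool:
    """All three conditions must hold: affected OS, RDP reachable, fix not applied."""
    return (device.os in BLUEKEEP_OS
            and RDP_PORT in finding.open_ports
            and not device.bluekeep_patched)


def triage(findings: list, inventory: list) -> dict:
    """Work orders for exposed medical devices, scan hits not in the inventory (IT's
    queue, not HTM's), and affected-OS devices the scan never saw (re-scan later)."""
    work_orders, unmatched, seen = [], [], set()
    for f in findings:
        dev = match_device(f, inventory)
        if dev is None:
            unmatched.append(f.ip)
            continue
        seen.add(dev.asset_id)
        if bluekeep_exposed(dev, f):
            work_orders.append(WorkOrder(
                asset_id=dev.asset_id, assignee=dev.patch_owner, location=dev.location,
                summary=f"CVE-2019-0708: {dev.os} with TCP/{RDP_PORT} open at {f.ip}; "
                        f"apply Microsoft fix or disable RDP"))
    unscanned = sorted(d.asset_id for d in inventory
                       if d.os in BLUEKEEP_OS and not d.bluekeep_patched
                       and d.asset_id not in seen)
    return {"work_orders": work_orders, "unmatched": unmatched, "unscanned": unscanned}


# Constructed sample data (no real hospital, MACs or addresses).
INVENTORY = [
    Device("IP-1001", "00:1A:2B:3C:4D:5E", "infpump-01", "Windows XP", "ICU", "HTM", "Floor 3 / Room 312"),
    Device("CT-0042", "00-1a-2b-3c-4d-5f", "ct-suite-a", "Windows 7", "Radiology", "Vendor", "Floor 1 / CT Suite A"),
    Device("US-0007", "00:1A:2B:3C:4D:60", "ultrasound-7", "Windows 7", "OB", "HTM", "Floor 2 / Room 204", bluekeep_patched=True),
    Device("MON-0310", "00:1A:2B:3C:4D:61", "monitor-310", "Windows XP", "Telemetry", "HTM", "Spare closet 2B"),
]
FINDINGS = [
    Finding("10.20.3.12", "001a2b3c4d5e", "INFPUMP-01", frozenset({3389, 445})),
    Finding("10.20.1.40", "00:1a:2b:3c:4d:5f", "ct-suite-a", frozenset({3389})),
    Finding("10.20.2.7", "00:1a:2b:3c:4d:60", "ultrasound-7", frozenset({3389})),
    Finding("10.20.9.99", "aa:bb:cc:dd:ee:ff", "wkst-99", frozenset({3389})),   # not a medical device
]

if __name__ == "__main__":
    result = triage(FINDINGS, INVENTORY)
    for wo in result["work_orders"]:
        print(f"{wo.asset_id} -> {wo.assignee} @ {wo.location}: {wo.summary}")
    print("not in inventory (route to IT):", result["unmatched"])
    print("affected-OS devices not seen by this scan (re-scan):", result["unscanned"])
```

Run as-is, the infusion pump and the CT workstation get work orders (to HTM and to the vendor respectively), the patched ultrasound is left alone, the unknown workstation is handed to IT, and the telemetry monitor in the spare closet, which the scan never saw, is listed for follow-up rather than silently treated as clean.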
https://www.youtube.com/watch?v=-IjcLfiDbcU