MarinHealth Stops IoT Device Malware in Its Tracks and Inspires a New Axonius Product

Marin County lies at the north end of the Golden Gate Bridge in California. For 70 years, locals have depended on MarinHealth Medical Center, the only full-service, acute care hospital in the county.
Key Challenges
- Achieve visibility into biomedical and other IoMT device activity
- Respond to incidents quickly to contain their impact
- Proactively build security protection from the ground up at the newly built hospital
Promoting Device Visibility
While they were still in their old facility, MarinHealth deployed the Axonius for Healthcare IoT risk reduction technology to help the team better understand how their biomedical devices interacted with the network. “We realized that we had basically zero visibility into these devices,” Christensen relates. “We knew that in order to secure the devices, we needed to segment the network. And to effectively segment the network, we had to be able to see what was happening.” The Axonius Customer Success team assisted with the proof of concept (POC) and the initial deployment. “They were very supportive in our efforts,” Christensen says. “We had some financial constraints and did not know what scale we could bring to the deployment at the beginning. We also have a very small network and security team—two network engineers and me. The Customer Success team stayed with us and helped us onboard the product. And things blossomed from there.”
Managing a Malware Event
Not long after Cynerio was fully onboarded, a security incident occurred that wound up being pivotal for both MarinHealth and Cynerio. Looking at the Cynerio console, Christensen saw malicious activity coming from a specific biomedical device running on a legacy operating system. At about the same time, he received an alert about the attack from the Cynerio Customer Success team. Christensen was able to confirm the command-and-control event using logs from the organization’s Cisco Umbrella web filtering solution. “Umbrella was able to tell us that a single IP address was exhibiting anomalous behavior,” he describes. “But with Cynerio, we were able to see which device was potentially infected, and all network activity coming in and out of that device.”
Using intelligence from the Cynerio Live research team, the Customer Success team worked with MarinHealth to remediate the malware. Christensen reached out to the department that owned the system and learned that it was attached to a costly medical device that could not be replaced or removed from the network without negatively impacting patient care. The device’s manufacturer was aware of the vulnerability but was unable to issue a patch due to limitations in the legacy operating system. “It turned out that the malware was very old, and was possibly a remnant of a cyber attack we suffered nearly a decade ago,” he explains.
Scaling the IoT Security Strategy
Dealing with this event was eye-opening for the MarinHealth team. “We understood that we needed more than just visibility to protect our medical IoT devices,” Christensen remembers. “We also needed to use that information to build a micro-segmentation infrastructure.” Specifically, the team needed to create an access control list (ACL) for each device so the devices are shielded from everyone not authorized to access them. They began to work with Axonius to achieve this goal.
The result was that Axonius quickly became a bigger part of the network planning for the new hospital, which by then was under construction. “We had to add many existing and new medical and biomedical devices to the new network,” explains Nader Zamanzadeh, senior network engineer at MarinHealth. “We designed the network for segmentation and realigned them into IP subnets so we could control our ACLs.
“The value add for Axonius is that we could look at the traffic at the packet level and see what the devices were talking to and where,” Zamanzadeh continues. “Without Axonius, it would have been difficult to tell what the traffic is. Axonius is not just looking at the system log; it is sitting on the network looking at the real traffic in real time. Plus, Axonius’s knowledge base on what devices should be doing and how they should be communicating helps us to detect behavior that is out of the ordinary.”
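The segmentation work described above amounts to three steps: map each device IP to an inventory entry, learn what each device legitimately talks to from observed traffic, and turn that into a per-device allow-list with an explicit deny for everything else, which then also serves as the baseline for spotting out-of-the-ordinary flows. The following Python is an added illustration of that workflow, not code from MarinHealth, Axonius or Cynerio; the inventory, flow records, device names and IP addresses are all constructed, and the Cisco-style ACL text it renders is an illustrative output format, not a configuration taken from the page.

```python
"""Derive a per-device allow-list (micro-segmentation) from observed flows and
flag live traffic that falls outside that baseline. Added example; all data is constructed."""
from collections import defaultdict

# Constructed inventory: device IP -> device name (hypothetical devices).
INVENTORY = {
    "10.20.1.15": "infusion-pump-01",
    "10.20.1.16": "imaging-workstation-01",
}

# Constructed NetFlow-style records seen during a learning window:
# (src_ip, dst_ip, dst_port, proto)
BASELINE_FLOWS = [
    ("10.20.1.15", "10.20.5.10", 443, "tcp"),   # pump -> drug library server
    ("10.20.1.15", "10.20.5.11", 123, "udp"),   # pump -> NTP
    ("10.20.1.16", "10.20.5.20", 104, "tcp"),   # workstation -> PACS (DICOM)
    ("10.20.1.16", "10.20.5.10", 443, "tcp"),
]


def build_allowlist(flows, inventory):
    """Return {device_name: {(dst_ip, dst_port, proto), ...}} from observed flows.
    Flows whose source is not in the inventory are ignored: they are not our devices."""
    allow = defaultdict(set)
    for src, dst, port, proto in flows:
        name = inventory.get(src)
        if name is None:
            continue
        allow[name].add((dst, port, proto))
    return dict(allow)


def render_acl(allowlist, inventory):
    """Render one named extended ACL per device: permit entries for the learned
    destinations, then an explicit logged deny. Cisco IOS-style syntax is used
    only as an illustrative format; adapt to the platform actually enforcing it."""
    ip_of = {name: ip for ip, name in inventory.items()}
    lines = []
    for name in sorted(allowlist):
        src = ip_of[name]
        lines.append(f"ip access-list extended {name}")
        for dst, port, proto in sorted(allowlist[name]):
            lines.append(f" permit {proto} host {src} host {dst} eq {port}")
        lines.append(f" deny ip host {src} any log")
    return lines


def find_violations(flows, allowlist, inventory):
    """Return flows from inventoried devices that are not in that device's
    allow-list. Run over live flow records, this is the detection side of
    segmentation: the same baseline that builds the ACL spots deviations."""
    bad = []
    for src, dst, port, proto in flows:
        name = inventory.get(src)
        if name is None:
            continue
        if (dst, port, proto) not in allowlist.get(name, set()):
            bad.append((name, src, dst, port, proto))
    return bad


if __name__ == "__main__":
    acl = build_allowlist(BASELINE_FLOWS, INVENTORY)
    print("\n".join(render_acl(acl, INVENTORY)))
    # Constructed "live" flows: one within baseline, one to an unexpected host.
    live = [
        ("10.20.1.15", "10.20.5.10", 443, "tcp"),
        ("10.20.1.15", "203.0.113.7", 8080, "tcp"),
    ]
    for v in find_violations(live, acl, INVENTORY):
        print("out-of-baseline flow:", v)
```

The inventory lookup is also what turns a bare "this IP is anomalous" finding from a web filter into "this device is anomalous": once the source address resolves to a device name, its whole allow-list and every flow outside it are immediately in view. The explicit deny carries `log` so that blocked traffic after enforcement is itself evidence rather than silently dropped.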
“Our partnership with Axonius has been instrumental in securing our medical devices,” Christensen concludes. “This will improve both patient safety and the quality of patient care.”
Results
- Malware Prevention: MarinHealth rapidly responded to 3 malware attacks, preventing their spread.
- Full Visibility and Micro-segmentation: They achieved full visibility into medical IoT devices, enabling effective network micro-segmentation.
- Enhanced Incident Response: Cynerio allowed them to see device-specific network activity during incidents, complementing their existing security tools like Cisco Umbrella and Carbon Black.
- Culture of Security: Device owners gained access to the Cynerio console, fostering self-management and education on security risks.
