Healthcare IoT Security 2020
Great Options in an Emerging Market (A Decision Insights Report)

“During our proof of concept, we identified value from the appliances right away. The vendor led us through some investigations that we would not have had visibility into without Armis. The solution demonstrated value right away. The original use case was for inventory medical devices, but we really liked the visibility the solution gave us into everything. I want to say the primary use case now is visibility into our network. The 100% visibility is what we love about the product. We don’t have east-west visibility, so that is the main driver for having the product.” —Security manager

“We looked at Armis. We had several demos from Armis. They did not make our initial cut because they had a lot of features in development. Their salespeople loved to pitch those features to us, but then the technology people would kind of pull them back during the presentation to clarify that the features wouldn’t be ready for a few months. The product seemed a little too fresh at the time that we looked at it. . . . We also didn’t want a vendor that was too generic and wouldn’t really know the medical device space because we also have a lot of IoT devices.” —Security manager

“When I asked what the vendor’s future plans were, Asimily gave me a strong answer. Asimily is trying to put together a program where we would buy a piece of equipment and have them give us a security assessment before buying it so that we know what the faults are going to be before bringing the device online. That process would help us make better-informed purchasing decisions.” —Security manager

“Asimily’s product seems to do a pretty decent job. A couple of my peers use the product, and they are very happy with it. The vendor seems to be responsive. But they are a small start-up, and I am not sure how far they have come or whether they have continued to evolve. The CEO seemed to be driving most of the engagements. The vendor’s tool set seemed promising.” —Clinical engineering director

“CyberMDX seems to be best at profiling devices. They have lots of detailed information. We have validated that with our testing. MDefend can see from an IP address that a device is a Siemens 64-slice scanner. It knows what operating system it has and what hardware platform it is on. It can see where the device is located. The system can also profile nonmedical devices. It is very capable of managing those devices. CyberMDX has a broad range of people, some of whom came from auditing backgrounds. Their policies are driven by that variety. It is a strength for them. CyberMDX is responsive and engaged, and they know the right questions to ask.” —Clinical engineering director

“CyberMDX was just so new. They know how to do security better than anyone. I did a deep dive with them. The problem was that they were too new in how they were doing things. There were too many gaps in their delivery model. CyberMDX was too small. Their product wasn’t intuitive. It required some learning and education. The vendor didn’t have the optimization piece totally figured out; they were just building it, and that was a key piece that I wanted. The vendor was figuring out how to get all of the different biomed vendors into the system, but the vendor that we selected had all of them already.” —Security director

“My overall process was really intensive. We were looking at different initiatives and started hearing from a company called Cylera. One of the vendor’s chief security officers is a very respected individual in the cybersecurity sector. I was able to meet the vendor’s entire team, and the team members are phenomenal people. We created a proof of concept, and it was absolutely phenomenal.” —CIO

“We briefly looked at Cylera, and they didn’t focus on vulnerabilities. A lot of other companies [besides the vendor we chose] were making big claims about how they could do everything and how we couldn’t live without them, but there was no real meat to what they were delivering. I haven’t come across any peers that are using Cylera’s product.” —Clinical engineering director

“We went with Cynerio because they were amazing in how they accommodated us for our proof of concept. They actually sent an appliance over, and we got it installed and configured. The vendor worked closely with us to understand and use the system. The system didn’t capture all of our network traffic, but it captured a good chunk of it. The technology was really solid, and we wanted to keep looking at it.” —Security manager

“The vendor claimed that the product had every feature, but when I asked them to show me the product, it didn’t have every feature. The vendor said they had plans for putting in features in the future. The vendor wasn’t focusing on everything; they were focusing on medical devices only. The vendor said they were working on giving the ability for organizations to detect other IoT devices but that the ability would come at an additional cost.” —Security manager

“Two things stood out about Medigate, and that is why we chose them. First, the detailed information that we received from the medical devices was deep, and the information gave us a lot of enrichment of data. That really came to light when our biomed people looked at the product and felt that they could use the information to understand the utilization of different scanners. The other big thing was the vendor’s flexibility in terms of working with our hospital directly to provide quick changes. Medigate is a young company, but they provide very quick changes to their entire system. We were almost a part of the development and strategy team as the vendor built out the system.” —CISO

“We just didn’t like the sales team. Having a good sales team is important because the sales team has a major impact on our decision to purchase the product. The tool was a little too flashy and not technical enough. It would probably work in some environments that are vendor dependent, but we have a technical background, so we didn’t go with it.” —Security director

“We fell in love with Ordr’s system. We feel pretty comfortable moving in that direction because the system really isn’t that invasive. I thought I was dreaming when I learned that Ordr’s system could do application detection and create an inventory of applications in use. We know the ports and protocols, and between us and Ordr, we could create that inventory over time using their machine learning process. The way that Ordr labels their tabs is common sense. We can tab through the different things and what they are going to do. The system can talk to an infinite number of devices, and it knows which devices are talking to each other and which devices are talking to which ports. With that information, we can establish baselines and tell the system to alert us anytime something goes outside the norm.”  —CISO

“Our decision came down to Ordr and the vendor we ultimately selected. Ordr’s product is excellent, but the GUI wasn’t intuitive. I was very blunt when we announced to Ordr why we didn’t select them. Their application reminded me of an application that was designed by engineers for engineers. It took me weeks of deep diving to figure out the logic and how to get reports. I eventually figured things out, but we needed an application that was easy to get into and easy to train on.” —IT manager

“We looked at other vendors, and they didn’t show as much promise as Zingbox did. We liked the ease of use of the tool and the easy integration with it. The tool is good and accurate. It quickly helped us with a couple of issues that we didn’t even know we had. Zingbox gave us a much better deal than other vendors did.” —CISO

“We started looking at Zingbox before the Palo Alto Networks acquisition. However, the fact that Palo Alto Networks was able to buy a huge player in the market for less than what we thought the company was worth made us shudder a bit. We thought there must be some internal things going wrong at Zingbox with money or with management. We didn’t really know, but that acquisition kind of gave us a weird feeling. When Zingbox was purchased, the people we had talked to previously were either exiting the company or shifting to different roles. Things got dropped internally. Eventually, some Palo Alto Networks people came back to us and asked whether we needed help. The Palo Alto Networks acquisition kind of soured the product, along with the shakiness of the deal itself and the support that we were receiving afterwards. We just didn’t get a great feeling about Zingbox, both in terms of the customer support and the continuing development process.” —Security manager

“We landed with Sensato Cybersecurity Solutions because they are very focused on healthcare IT security and not across multiple industries. Their business is healthcare IT security; they don’t claim to be a consulting firm that is just offering healthcare IT security as an additional option. The solution was also affordable; it was more affordable than the other vendors’ solutions that I have worked with and very comprehensive, too. The vendor does not just offer medical device security; our entire network has been monitored.” —CIO

“Sensato Cybersecurity Solutions seemed to make a big splash. My impression of them was that they were very focused on sales. They were pushing how big vulnerabilities were and how the world was going to crash, but there weren’t any real solutions or clarity as to how they would deliver the work and understand the threat. That pushed me away from the vendor. One of my peers was looking to go with Sensato Cybersecurity Solutions, and I got the sense that the peer was only looking because of a previous relationship with the vendor. Vendors need to demonstrate their merit and stand on their own.” —Clinical engineering director