Case Study · Fortune 500 Healthcare System

One hospital campus. One Wednesday. 312 devices found.

A Fortune 500 healthcare system ran SpacesIQ on a single hospital campus, starting Wednesday morning. By Friday the inventory had returned 312 unmanaged or unidentified devices, 47 of them missing from the asset register entirely, and 11 traced back to unmanaged switches behind contractor drops. The pre-audit reconstruction project that the GRC team had scoped at six weeks collapsed to a four-day evidence-pack review. Engagement anonymized at the customer's request.

  • 312: unmanaged or unidentified devices found by Friday.
  • 47: missing from the asset register entirely.
  • 6 wk → 4 day: audit reconstruction project, collapsed to an evidence-pack review.

The setup

The customer is a Fortune 500 healthcare system with a national footprint: multiple hospital campuses, regional medical groups, ambulatory surgery centers, and a research arm with federally funded grants. Its standing portfolio of compliance obligations includes the HIPAA Security Rule, HITECH breach-notification thresholds, PCI 4.0 (cafeteria, pharmacy, gift shop), SOC 2 for the patient-facing platform, NIST CSF for the federally funded research unit, and Joint Commission Environment of Care reviews on a separate cycle.

The GRC team had spent the prior two audit cycles producing the same artifact: a per-floor reconstruction of the device inventory, drawn from procurement records, deployment tickets, biomed inventories, vendor-managed-firmware lists, and on-the-floor physical walkthroughs. Each cycle ran 5 to 7 weeks. Each cycle produced a document that was already partially fiction by the time it landed with the audit team, because the network had moved underneath it.

The ask: produce something defensible without spending a quarter on the project.

Why CybrIQ

The Director of GRC and the CISO had reached the same conclusion from different directions. The asset register was structurally wrong. The wire was the only source of truth that could keep up with the network, and nothing the team owned could read the wire at Layer 1 with the precision the audit needed. NAC, EDR, and asset-management tooling each saw a slice of the problem and stopped where the agent stopped.

The decision criteria were narrow:

  • Non-invasive deployment. Patient care could not be disrupted. No agents on monitored endpoints, no changes to switch configuration that could cause outages.
  • Audit-defensible per-device evidence. The artifact had to be one the audit firm took at face value, dated to the second.
  • Time to first inventory measured in days, not quarters. The scoping conversation needed to result in a real inventory by the end of the same week.
  • Framework portability. The same record had to map to HIPAA, PCI, NIST CSF, and Joint Commission EC without rebuilding each time.

The engagement

The engagement scoped one campus to start: the flagship hospital and an adjacent ambulatory surgery center sharing a network fabric. The deployment was placed on Wednesday morning. SpacesIQ ran continuous Layer 1 fingerprinting against the agreed scope, with no agent installed on any monitored endpoint. The CISO's team and the customer's biomed lead joined the daily standup; the GRC director joined twice that week.

Figure: A CybrIQ per-port view of one of the customer's network-infrastructure switches. Twenty-six ports are listed with detected device counts and per-port risk scores. Several ports show multiple detected devices, indicating gear plugged in behind the port that the asset register did not account for.

What the wire showed

  • 312 devices identified as unmanaged or unidentified. The asset register listed roughly two-thirds of the population. The remaining third was on the wire, fingerprinted, and dated by Friday.
  • 47 devices missing from the asset register entirely. Procurement had no record. Biomed had no record. The wire had a record.
  • 11 unmanaged switches behind contractor drops. Each one created downstream ports that the IT team had not commissioned and that NAC was not seeing as separate endpoints.
  • 3 vendor-managed devices the IT team had no visibility into. Cleared paperwork, cleared serial check, cleared software validation. The Layer 1 fingerprint identified them as vendor-managed devices not in the customer's biomed inventory.
  • 1 imaging modality whose firmware version did not match its asset record. Replaced under an RMA the previous quarter; the swap was not logged. The Layer 1 signature caught it.

The outcome

The GRC team had been holding a six-week reconstruction project for the next audit cycle. After the first sweep delivered the per-device record, the project was retired. The team reframed the audit-prep work as a four-day evidence-pack review against the platform's continuous output. The audit firm received the new evidence shape and confirmed it as a stronger artifact than the prior reconstruction.

Twelve months later, the customer expanded SpacesIQ across the rest of the campus footprint. ComplianceIQ now runs alongside it, with the audit firm working from CybrIQ's continuous output as the underlying fact base for HIPAA, PCI, and the federally funded research unit's NIST CSF program. The audit category that produced the most findings on every prior cycle, "asset inventory completeness," has not produced a finding since.

"The reconstruction project never produced a number we trusted. CybrIQ produces a number we can defend."

Director of GRC, Fortune 500 healthcare system. Quote anonymized at the customer's request.

Why this engagement is the reference

This deployment is the reference engagement we cite across the rest of the site for two reasons. The numbers are specific, dated, and verifiable inside the customer's GRC program. And the use case generalized cleanly: every customer we have run since has produced a similar shape of finding in the first sweep, with the specific counts varying by environment.

The 312 / 47 / 6 wk → 4 day numbers are this engagement's. The pattern, in our experience, is the rule, not the exception.
