For information security leaders in U.S. healthcare.
CybrIQ for healthcare · Evaluation checklist
Implementation · evaluation

A checklist a CISO can hand to a procurement analyst.

The questions below are vendor-agnostic. Apply them to CybrIQ and to anyone else on your shortlist. If a vendor cannot answer one of them directly, the avoidance is itself the data point.

Data handling.

Does PHI flow through the vendor platform? If yes, under what BAA? Where does telemetry reside? Can residency be constrained to the U.S. or to your own infrastructure?

Device-interaction posture.

Does the vendor send packets to medical devices in the default configuration? Are active scans run against biomedical VLANs? What is required to disable any active interaction?

Collection method.

How does the vendor get its data? SPAN port? Mirror traffic? Tap? Switch-side read-only? An agent on each device? Each method has trade-offs for clinical-workflow risk, bandwidth cost, and procurement-review complexity. Ask the question directly.

Identity vs. configuration.

Does the vendor distinguish between identifying a device and assessing its configuration? Will the vendor produce in writing a list of what the product does and does not assess?

Egress paths.

Which outbound integrations does the vendor support? Are they standard (syslog, REST) or do they require proprietary connectors? Can the integration be reviewed by your network team without a vendor-specific tool?

Optional action.

If the vendor can take action on the network (quarantine, ACL, disable), is it on by default? What is required to enable it? Is the action on the network device or on the medical device?

USB and removable-media coverage.

Does the vendor cover USB attack hardware (Rubber Ducky, Flipper Zero, O.MG cables, BadUSB-class)? If yes, how? Through an endpoint agent? Through network-side detection of new devices created by USB tooling? Both?

Framework mapping.

Will the vendor produce a mapping of the product's output to HIPAA Security Rule sections, to HICP Practices, to HHS HPH CPGs? Is the mapping reviewable by an external assessor?

Contract terms.

What is the typical contract length? Are auto-renewal terms included? What is the data-portability provision if you do not renew?

What the vendor will not do.

Ask the vendor to write a paragraph listing what the product does not do. The willingness to write the paragraph is itself the signal.

Run the checklist against us first. Then everyone else.
