Securing Medical and Hospital Devices on GE Healthcare’s CARESCAPE Network

If you’re a security or IT leader for a large medical facility or hospital network, you know how hard it is to see the thousands of medical devices and more in your environment. This poor visibility is caused by two inherent limitations of traditional asset inventory and endpoint security products.

The Device and Network Security Approach

First, these products were made for a world of conventional computers, laptops, and servers, not for sophisticated connected medical devices. These devices can’t host agents, which leaves them invisible to traditional agent-based asset inventory and endpoint security products. Second, manufacturers often require medical devices to be deployed on network segments that keep them isolated from other devices in the environment. Segmented networks are a solid approach to securing specific devices. However, sometimes this creates a blind spot for IT and security professionals.

One example is GE Healthcare’s CARESCAPE Network. The CARESCAPE Network is designed to deliver real-time, reliable communication of critical patient data from GE patient monitors and telemetry systems to the medical staff right when it is needed. GE creates and manages two VLANs in this deployment model: one for mission-critical data (MC) and one for non-real-time data (IX). These VLANs are separated from the hospital network by a dedicated gateway, which helps protect devices and data from crossing the same path as ordinary connected devices. But because GE Healthcare manages these networks and not the hospital, it also prevents IT and security teams from identifying, tracking, and securing the medical devices that reside within them.

Armis Sees Devices on the CARESCAPE Network

As a leader in medical device security, Armis is purpose-built for devices and deployments like this. Our integration with your existing infrastructure enables Armis to see devices on the CARESCAPE network, providing you with the visibility, security, and control your IT and security teams need, while still supporting segmented networks and all the benefits they bring.

Once integrated, Armis agentlessly and passively monitors device traffic, including data passed from the CARESCAPE VLAN through the dedicated gateway and on to the hospital Intranet. There is nothing to install on the devices, and no scans to disrupt them or tip them over. Armis can discover the GE medical devices in your environment, including those that use the proprietary RWHAT protocol. Armis can identify device information like type, manufacturer, model, FDA classification, MDS2 details, and more.

Armis connects to the GE CARESCAPE network to identify devices

Beyond just identifying a device, Armis tracks medical device status and behavior, helping you maintain an accurate, comprehensive inventory of medical and hospital assets. And, if you already have an IT asset management platform or CMMS/CMDB, Armis can integrate with it to keep records up-to-date with the latest and most complete information available.

View of CARESCAPE Patient Monitor in the Armis Console

Armis can also track the location of equipment as it moves throughout your facility, so you know where clinical staff may have moved mobile equipment like crash carts, dialysis machines, and infusion pumps. Armis can also help you determine how many of a particular type of device you have available and whether or not equipment is off-site or at another facility within your network.

Our platform’s visibility into GE Healthcare’s CARESCAPE Network is just another of many tools we use to ensure we help hospitals and all healthcare delivery organizations secure their medical devices to ensure the continuous delivery of patient safety.

Learn more about what Armis can do for your healthcare environment at

Have our blog posts sent to your inbox.