Hospital deployment guide
Prerequisites
- A Linux server or appliance connected to a SPAN/mirror port
- Network access to
api.cybrium.ai(outbound HTTPS only) - A license key from your Cybrium platform admin
- Root access (required for network packet capture)
Quick deploy
# 1. Install agent + hospital sensors
curl -fsSL https://cybrium.ai/install.sh | bash -s -- cybrium-agent cysense cyguard cyprobe
# 2. Activate
cybrium-agent activate --license "YOUR_LICENSE_KEY"
# 3. Install as service
sudo cybrium-agent install-service
# 4. Verify
cybrium-agent status
Recommended sensor placement
| Network segment | Interface | Sensors | What it discovers |
|---|---|---|---|
| Clinical VLAN | SPAN port on core switch | cysense + cyprobe | HL7, DICOM, medical devices |
| Medical devices | SPAN port on device switch | cysense | Infusion pumps, monitors, imaging |
| Building automation | SPAN port on BMS switch | cysense + cyprobe | BACnet controllers, HVAC |
| IT / DMZ | SPAN port on firewall | cysense + cyguard | Servers, workstations, traffic |
Network requirements
| Direction | Protocol | Destination | Purpose |
|---|---|---|---|
| Outbound | HTTPS (443) | api.cybrium.ai | Findings sync + heartbeat |
| None | — | — | No inbound ports required |
What the agent discovers
Within minutes of deployment, the agent will:
- ARP scan the local subnet — find every device by MAC address
- Resolve vendors — "00:09:FB" becomes "Philips Medical Systems"
- NetBIOS query — find Windows hostnames
- Protocol detection — identify HL7, DICOM, Modbus, BACnet traffic
- Purdue classification — assign each device to Level 0-5
- Vulnerability assessment — flag default credentials, unencrypted protocols, outdated firmware
All findings appear in your Cybrium workspace within 60 seconds.
HIPAA compliance
The agent is designed for HIPAA-compliant environments:
- No PHI stored — the agent captures network metadata, not patient data
- Encrypted sync — all data sent via HTTPS with TLS 1.3
- Audit trail — every sync is logged with timestamp and findings count
- Hardware-bound — license tied to specific machine, preventing unauthorized deployment
- Credential separation — scan credentials (read-only) are separate from fix credentials (write)
Troubleshooting
Agent won't activate
# Check network connectivity
curl -s https://api.cybrium.ai/health/live
# Check license validity
cybrium-agent activate --license "eyJ..." 2>&1
No sensors discovered
# Check if sensors are in PATH
which cysense cyguard cyprobe
# Install missing sensors
brew install cysense cyguard cyprobe
Findings not appearing in platform
# Check buffer status
cybrium-agent status
# Check sync logs
RUST_LOG=debug cybrium-agent start