#InfosecurityEurope: UK NHS Trusts Asset Visibility Gaps Jeopardize Security Compliance
The use of connected devices in healthcare is driving innovation, offering new ways to assist medical staff. However, the adoption of the Internet of Things (IoT) has expanded the attack surface IT decision-makers in the healthcare industry have to deal with.
A new report by Armis found that many cybersecurity leaders in UK National Health Service (NHS) Trusts face a lack of connected asset visibility, which poses a challenge in meeting security requirements.
While 35% of NHS Trusts stated having an automated system to track all connected assets and 59% said they update information on all assets as changes occur, there are still many blind spots regarding IoT.
For instance, one-third of surveyed Trusts admitted having no method of tracking IoT devices and 10% said they use manual processes or spreadsheets to do so.
Additionally, 15% of Trusts acknowledged they are not tracking connected medical devices (IoMT) and one in five stated they use manual processes or spreadsheets to track these assets.
A further 19% of respondents recognize that information on connected medical devices in their inventory system is either not updated at all or only updated annually.
Resource Shortage
The main reason for this visibility shortage is a lack of resources, with 38% of Trusts’ IT decision-makers admitting that they do not have sufficient staff to meet the demands placed upon them and 23% that they do not have enough resources to deal with replacing legacy or unsupported medical devices.
These technology gaps make it difficult for NHS Trusts to compile evidence when carrying out Data Security Protection Toolkit (DSPT) assessments or remediate cybersecurity issues within the mandated two weeks, respondents told Armis.
It could have significant consequences, not only in regulatory compliance but also open the door to more cybersecurity incidents and even safety failures, Mohammad Waqas, principal solutions architect at Armis, said in a public statement: “Real-time insights on everything connected in a Trust’s environment, even third-party assets, are key to establishing a resilient security strategy and proactively reducing the attack surface. […] Specifically for connected medical devices (IoMT), which are hard to keep updated, being able to monitor them and understand their behavior and risk in real-time is key to ensure safety and comply with the latest regulations.”
“To fill in those gaps and improve the operational effectiveness of NHS Trusts, allowing staff to focus on core functions and enabling insights on threat intelligence and clinical device utilization, the right technology partners need to be brought in to solve multiple use cases and bridge technology gaps,” he added.
Results from the Armis report came from a Freedom of Information (FOI) request to UK NHS Trusts.