UK NHS trusts challenged by attack surface complexities

Armis, an asset visibility and security company, has released data from a freedom of information (FOI) request to UK National Health Service (NHS) trusts. The results of the research highlight challenges for NHS trusts due to a lack of visibility and monitoring of all connected assets in their environment and heightened compliance requirements, which they are struggling to meet.

“The introduction of connected assets to healthcare is driving innovation and ultimately improving delivery of care. However, its adoption has expanded the attack surface that now needs more oversight than ever. Specifically for connected medical devices (IoMT), which are hard to keep updated, being able to monitor them and understand their behaviour and risk in real-time is key to ensure safety and comply with the latest regulations,” says Mohammad Waqas, principal solutions architect at Armis. “Real-time insights on everything connected in a Trust’s environment, even third party assets, are key to establishing a resilient security strategy and proactively reducing the attack surface.”

While 35% of NHS trusts stated that they have an automated system to track all connected assets and 59% said they update information on all assets as changes occur, there are still blind spots that stand in the way of effectively reducing risk and ensuring compliance with NHS directives and regulations:

  • Connected medical devices (IoMT): 15% of the surveyed NHS trusts acknowledged not tracking IoMT devices and one in five stated they use manual processes or spreadsheets to track these assets. A further 19% of respondents recognise that information on connected medical devices in their inventory system is either not updated at all or only updated annually.
  • Internet of Things (IoT): One-third of surveyed trusts admitted having no method of tracking IoT devices and 10% said they use manual processes or spreadsheets to do so. A further 18% of respondents recognise that information on IoT devices in their inventory system is either not updated at all or only updated annually.
  • Operational technology (OT): 10% of respondents acknowledged that they do not track OT devices in their environment and 17% stated they use manual processes or spreadsheets to track their OT inventory. A further 9% of respondents said they either do not update the information for OT devices in their inventory at all or do so annually.

Not only could these blind spots become the catalyst for an attack, they also add to the compliance challenges facing NHS trusts. Complying with regulatory demands starts with knowing what is on the network, which, without adequate automation, can be a heavy lift for an NHS with a shortage of resources. 38% of respondents admitted that they do not have sufficient staff to meet the demands placed upon them and one in five (23%) trusts said they do not have enough resources to deal with replacing legacy or unsupported medical devices.

When carrying out Data Security Protection Toolkit (DSPT) assessments, trusts noted that compiling evidence was the number one difficulty. And, while most trusts (82%) can respond to NHS Cyber Alerts within the requested 48 hours, they struggle to remediate issues within the mandated two weeks, encountering challenges in arranging downtime, the impact on business as usual and the deployment of patches.

“Although the NHS is working hard, the research shows there are still crucial gaps that must be filled when it comes to addressing visibility, automating processes and satisfying compliance requirements. To fill in those gaps and improve the operational effectiveness of NHS trusts, allowing staff to focus on core functions and enabling insights on threat intelligence and clinical device utilisation, the right technology partners need to be brought in to solve multiple use cases and bridge technology gaps,” concludes Waqas.

Recent Armis research identified the top connected medical devices that posed a high risk to clinical environments as nurse call systems, infusion pumps and medication dispensing systems.

For information on how Armis can help address those challenges, please email NHS@armis.com or visit Armis. And, to understand how Armis’ new DSPT-specific compliance dashboards and reports can simplify the DSPT process, see a 2-minute demo here.

Armis will be attending Infosecurity Europe in London at the Excel Center on June 20-22, 2023 and will be located in booth W20. For more details of what the company has planned at the event or to book a meeting, please visit Armis.
