Armis have released data from a Freedom of Information (FOI) request to U.K. National Health Service (NHS) trusts. The results highlight challenges for NHS trusts arising from a lack of visibility into, and monitoring of, all connected assets in their environments, and from heightened compliance requirements that they are struggling to meet.
“The introduction of connected assets to healthcare is driving innovation and ultimately improving delivery of care,” said Mohammad Waqas, Principal Solutions Architect at Armis. “However, its adoption has expanded the attack surface that now needs more oversight than ever.
“Specifically for connected medical devices (IoMT), which are hard to keep updated, being able to monitor them and understand their behaviour and risk in real-time is key to ensure safety and comply with the latest regulations.
“Real-time insights on everything connected in a Trust’s environment, even third party assets, are key to establishing a resilient security strategy and proactively reducing the attack surface.”
While 35% of NHS trusts stated having an automated system to track all connected assets and 59% said they are updating information on all assets as changes occur, there are still blind spots for effectively reducing risk and ensuring compliance with NHS directives and regulations:
Connected Medical Devices (IoMT): Fifteen percent of the surveyed NHS trusts acknowledged not tracking IoMT devices and one in five stated they use manual processes or spreadsheets to track these assets. A further 19% of respondents recognise that information on connected medical devices in their inventory system is either not updated at all or only updated annually.
Internet of things (IoT): One-third of surveyed trusts admitted having no method of tracking IoT devices and 10% said they use manual processes or spreadsheets to do so. A further 18% of respondents recognise that information on IoT devices in their inventory system is either not updated at all or only updated annually.
Operational Technology (OT): Ten percent of respondents acknowledged that they do not track OT devices in their environment and 17% stated they use manual processes or spreadsheets to track their OT inventory. A further nine percent of respondents said they either do not update the information for OT devices in their inventory at all or do so annually.
These blind spots could not only become the catalyst of an attack, but also add to the compliance challenges facing NHS trusts. Complying with regulatory demands starts with knowing what is on the network, which, without adequate automation, can be a heavy lift for an NHS facing a shortage of resources.
38% of respondents admitted that they do not have sufficient staff to meet the demands placed upon them and one in five (23%) trusts said they do not have enough resources to deal with replacing legacy or unsupported medical devices.
When carrying out Data Security Protection Toolkit (DSPT) assessments, trusts note that compiling evidence was the number one difficulty. And, while most trusts (82%) can respond to NHS Cyber Alerts within the requested 48 hours, they struggle to remediate issues within the mandated two weeks, encountering challenges in arranging downtime, impact on business as usual and deployment of patches.
“Although the NHS is working hard, the research shows there are still crucial gaps that must be filled when it comes to addressing visibility, automating processes and satisfying compliance requirements. To fill in those gaps and improve the operational effectiveness of NHS trusts, allowing staff to focus on core functions and enabling insights on threat intelligence and clinical device utilisation, the right technology partners need to be brought in to solve multiple use cases and bridge technology gaps,” concluded Waqas.
Recent Armis research identified the top connected medical devices that posed a high risk to clinical environments as nurse call systems, infusion pumps and medication dispensing systems.
Armis will be attending Infosecurity Europe in London at the ExCeL Centre on June 20-22, 2023 and will be located at booth W20. For more details of what the company has planned at the event or to book a meeting, please visit: https://www.armis.com/infosec-2023/.
You can join Armis’ CTO and Co-Founder Nadir Izrael for a session taking place Wednesday, June 21, 2023 from 1:00pm – 1:25pm, titled: The Future of Cyberwarfare: Defending our Critical Infrastructure.