The life-saving capabilities of technology in a healthcare environment are beyond dispute. Medical professionals in hospital environments rely on networked medical devices to access and share patient information rapidly to reduce the time it takes to make life-saving decisions and deliver essential patient care.
Connected devices in healthcare environments allow medical professionals to monitor patients more closely, improve medical assistance and use data for analytics and medical research. Technology is allowing medical staff to work smarter with earlier interventions and diagnoses in the treatment process.
But the increased use of IT in healthcare is not without its risks. Many devices are running outdated software, making them vulnerable to cybersecurity risks. Ransomware attacks, malware and hackers target vulnerabilities in medical devices to access and steal patient information and compromise devices – which ultimately can put patients in danger.
Not only are medical devices critical to modern day patient care, they are extremely expensive. Nefarious attacks that disable or compromise MRI machines, for instance, can have potentially traumatic effects on the healthcare department.
In April 2020, for example, 42 healthcare sites across the US were forced to postpone radiation therapy because the medical systems company producing the cancer care devices, Elekta, was the victim of a cyberattack.
An Amplified Threat
Healthcare is a particularly attractive target for cybercriminals. That threat is amplified by the willingness of healthcare organisations to allow staff to use their own devices and install them on their networks, which opens up an access point for malware from an employee’s computer or mobile device to gain entry to the IT network and put critical medical devices at risk.
There is a real risk that healthcare networks will become IT ‘jungles’ with large swathes of unregistered devices and increased security threats that can wreak havoc on organisations.
When I spoke to Brett Draper, Managing Director of IT Health, an NHS cyber security specialist, his view of the challenge facing the NHS was clear: “NHS organisations lack cyber assurance because they don’t have a complete picture of the network that they can trust. They need a technology platform that helps solve this massive problem and provides a clear, concise and truthful view of all network connected assets in near real-time and is accessible from a single dashboard. From that starting point of having detailed inventory data, we can integrate other key data feeds and intelligence to form a dashboard that’s tailor-made for NHS organisations to help them better manage their exposure to risk and stay cyber assured.”
The 2021 Ransomware Threat Report from the Unit 42 global intelligence team at Palo Alto Networks found cyber extortion had “reached crisis levels” as attackers focused on industries and organisations with operations most vulnerable to systems outages or data loss. One in five ransomware cases investigated by the unit in 2020 involved providers that depended on computers to treat patients.
The vulnerability of the healthcare sector was highlighted again recently by the Protenus Breach Barometer, which found that more than 40 million patient records were breached and that hacking incidents increased by 42%.
There is no question that the rising incidence of cyber-attacks and breaches in healthcare and the compromising or disabling of networks and devices can be a matter of life or death for patients.
What can be done to reduce the risks?
Leaders in healthcare are rightly focused on the ways technology can improve the work of medical professionals and health outcomes for their patients. They are understandably less conscious of the dangers that come with it.
Healthcare leaders are not IT leaders or professionals. Their area of expertise is healthcare, not technology. They don’t have the time to spend trying to ensure that every device in their facility that is connected to the network is secure and running up-to-date software. Besides, it is a near impossibility for them to be aware of every device that is connected to their network.
In nearly every case, healthcare leaders are reliant on outsourced support to ensure their technology estate is secure, performing optimally and inventoried. But this can be further complicated if they are using a number of outsourced IT providers for different departments or aspects of their healthcare provision.
Healthcare organisations may have a perception of the value of their technology assets from the amount of money spent on the different IT contracts they have signed over the years, but it is unlikely to be entirely accurate. Do they know if those “assets” are up-to-date? Are they being used effectively? Are they performing optimally? Are they secure? Where are they being used? Are they being used at all?
What about the assets that the organisation did not purchase, the personal devices being used by medical professionals on the network during their working day? Are they secure? Are they up-to-date? Are there any controls over how those devices access the network and what parts they can access?
How can organisations gain a clear view of the IT or medical devices on their network or those accessing their network so they can see where some of those assets are more of a security liability than a benefit?
These questions highlight just some of the many potential issues that can plague healthcare leaders.
Healthcare ITAM Essentials
IT asset management (ITAM) in healthcare is not a ‘nice to have’; it’s essential.
ITAM allows an organisation to get a very clear picture of all the devices on the network. It is possible to discover every asset on the network without having to install any software on any devices using a technique called agentless scanning. This is particularly useful in an area like healthcare where the assets encompass a wide range of diverse devices.
Stephen Deacon, Head of Digital Compliance, Warrington and Halton Teaching Hospitals NHS Foundation Trust, told me of his experience of getting this detailed oversight: “Having a single Dashboard view of our connected IT estate has massively increased security visibility for the Trust. I can now access key network data through a single pane-of-glass. Having relevant data at our fingertips also demonstrates to auditors that we have our finger on the pulse.”
Agentless scanning is a cost-effective way to rapidly create a complete inventory of all devices on the network, including Windows, Linux and Mac devices, printers, routers, switches and, in the case of a hospital or other medical environment, any networked medical devices.
Scanned devices are automatically sorted into categories based on their device type. Locating devices and checking configuration is extremely easy. Sort devices by IP or find a specific one through a filtered search in the web console.
ITAM enables organisations to build a comprehensive, up-to-date and centralised inventory of hardware, software and user information for their networked assets, helping assess threats and vulnerabilities and respond to security incidents.
By providing a single source of truth about the state of the network, ITAM helps healthcare organisations save time and resources while benefiting from streamlined compliance and reporting.
And by preventing IT assets from turning into liabilities, they can focus on using technology to help medical professionals provide improved healthcare to their patients.
Roel Decneut, CMO at Lansweeper