The road to cyber resilience: asset management strategies for NHS Trusts

As healthcare technologies evolve, NHS Trusts face an escalating challenge in managing their networks and digital assets. The rise of the Internet of Medical Things (IoMT) and digital health records adds both opportunity and vulnerability: these technologies improve patient care, but every new connected device expands the network's attack surface and exposes it to cyber risk.

Acknowledging the crucial necessity of more effective asset management, NHS England has earmarked additional funds solely for asset discovery across Trusts. Each Trust can apply for up to £40,000 in funding until next March to enhance network transparency and oversight.

If utilised effectively, this significant funding can help organisations develop long-term strategies to bolster their network efficiency and resilience. The focus extends to executing physical audits, crafting detailed asset registers, and maximising asset value. NHS Trusts now have the opportunity to strategically allocate this funding to fortify their security protocols while also achieving long-term benefits.

Understanding asset utilisation

Trusts manage a complicated mix of digital and operational technology assets, ranging from traditional IT systems and patient databases to physical assets such as MRI machines, insulin pumps, and even surgical tools. These assets are not only crucial for patient care but are now intrinsic to the smooth running of our healthcare institutions. It is not uncommon for a hospital's emergency room to divert patients to other facilities, or for cancer treatment patients to be rescheduled, during and after a ransomware attack.

The NHS, like the healthcare sector worldwide, is grappling with an escalating cybersecurity crisis as cybercriminals relentlessly exploit increasingly complex healthcare systems. The recent ransomware assault on NHS Barts Trust, in which hackers stole data for 2.5 million patients, is just one prominent example.

It is therefore worrying to see weaknesses in how these assets are managed. For instance, merely 35% of Trusts utilise automated tracking systems, and 59% update their asset information periodically. Worse yet, 10% of Trusts still depend on outdated manual tracking methods, while 19% admit that their asset information is either outdated or only updated once a year.

This isn't just an issue of inefficiency; it's a serious cybersecurity blind spot that opens up multiple vectors for attackers. However, Trusts are not to blame for these issues: detecting, identifying and managing tens of thousands of network devices has been a challenge for healthcare institutions worldwide. With cybersecurity teams stretched thin responding to relentless penetration attempts, device identification and management has understandably taken a back seat in the priorities of NHS Trusts.

Trusts need a strong asset management plan in place to reduce the risk of these exploits in a systematic, efficient and effective way.

The growing web of protocols and connectivity

The challenge of fragmented asset management is magnified by increasingly complex protocols and network connectivity. Protocols refer to a set of rules and specifications that govern how medical devices communicate on the network. Protocols play a crucial role in ensuring reliable, efficient, and secure communication between medical devices on a network, paving the way for accurate data transmission, remote monitoring, and improved patient care.

Under-resourced IT departments struggle to keep up with ever-changing communication protocols and network configurations. The NHS also faces an organisational issue where knowledge and responsibilities are siloed. Clinical engineers, who have invaluable insights into medical technologies, are often sidelined in discussions about asset management and network security. This exclusion leaves a limited view of the asset landscape and hinders efforts at comprehensive visibility. These silos create vulnerabilities that put both patient care and regulatory compliance at serious risk.

It's here that additional funding offers a transformative edge. These extra resources can be used to assess and understand the details of network activity by analysing the data within protocol transmissions: which devices are communicating, with whom, and whether that communication is appropriate. This detail provides the additional level of visibility needed to update network security across the healthcare ecosystem.

Enhanced connectivity isn't just about more devices talking to each other; it's about making those conversations secure and efficient. Once devices and their communication requirements have been identified, least-privilege network segmentation can be automated and implemented at scale. Accurate device identification allows VLANs to be created that restrict and limit an attacker's movement, which increases resilience while reducing the daily stress on the cyber team. By wisely utilising this funding, NHS Trusts can achieve improved visibility across their networks, optimise protocol management and automate a strategy of least privilege. The result is a more secure and cost-effective healthcare delivery system managed at scale.
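As an added illustration of the check the two paragraphs above describe (this is example code written for this page, not code from the article or from Claroty): an asset register combined with observed flow records yields both a list of communications that fall outside a device's expected pattern and the allow-list from which a least-privilege segmentation policy would be built. The register, IP addresses, device names and flow records are all constructed for the example.

```python
# Added example (not from the article or Claroty): check observed device
# conversations against an asset register to flag unregistered assets and
# communications outside each device's expected pattern. Every address,
# device name and flow below is constructed for illustration.
from collections import defaultdict

# Constructed asset register: IP -> name, category and the (peer category,
# port) pairs that device is expected to initiate. Servers initiate nothing.
ASSET_REGISTER = {
    "10.10.1.5":  {"name": "infusion-pump-01", "category": "iomt",
                   "allowed": {("clinical-server", 443)}},
    "10.10.1.6":  {"name": "mri-console-01", "category": "iomt",
                   "allowed": {("pacs", 104), ("pacs", 11112)}},
    "10.10.2.10": {"name": "pacs-01", "category": "pacs", "allowed": set()},
    "10.10.2.20": {"name": "ehr-app-01", "category": "clinical-server", "allowed": set()},
    "10.10.3.50": {"name": "admin-ws-17", "category": "workstation", "allowed": set()},
}

# Constructed flow records as a collector might export them: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 443),    # pump -> EHR over HTTPS: expected
    ("10.10.1.6", "10.10.2.10", 104),    # MRI -> PACS DICOM: expected
    ("10.10.1.5", "10.10.3.50", 445),    # pump -> workstation SMB: not expected
    ("10.10.9.9", "10.10.2.20", 443),    # device missing from the register
]

def evaluate_flows(register, flows):
    """Return (findings, policy).
    findings: list of (kind, src, dst, port) for flows needing attention.
    policy: ports seen between (src category, dst category) pairs that were
    expected, i.e. the allow-list a VLAN/ACL policy would be generated from."""
    findings = []
    policy = defaultdict(set)
    for src, dst, port in flows:
        src_asset, dst_asset = register.get(src), register.get(dst)
        if src_asset is None or dst_asset is None:
            findings.append(("unregistered-device", src, dst, port))
            continue
        if (dst_asset["category"], port) in src_asset["allowed"]:
            policy[(src_asset["category"], dst_asset["category"])].add(port)
        else:
            findings.append(("unexpected-communication", src, dst, port))
    return findings, dict(policy)

if __name__ == "__main__":
    found, allow = evaluate_flows(ASSET_REGISTER, SAMPLE_FLOWS)
    for f in found:
        print("FINDING", *f)
    for pair, ports in allow.items():
        print("ALLOW", pair, sorted(ports))
```

On the constructed data this reports the pump-to-workstation SMB flow and the unregistered source address, while the two expected flows become the seed of the iomt-to-clinical-server and iomt-to-pacs allow rules.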

Staying ahead of the regulatory curve

Enhanced asset management directly impacts meeting compliance standards, a hurdle many NHS Trusts struggle with, particularly when navigating frameworks like the DSPT (Data Security and Protection Toolkit) and NIS2.

A thorough, real-time inventory of assets empowers Trusts to spot and plug security and data protection gaps more effectively. This makes collecting the necessary evidence for fulfilling compliance requirements considerably easier. For instance, the DSPT urges Trusts to establish strong security measures for personal data. An up-to-the-minute asset inventory can indicate where each piece of data is stored and the security safeguards in place for it. Likewise, NIS2 calls for security solutions that match the specific risks of each network. A detailed asset inventory allows Trusts to undertake a more focused risk evaluation, directing resources to the weakest links in their cybersecurity chain.

The overarching benefit is that complete asset visibility is a cornerstone for a robust cybersecurity posture, mitigating risks that would otherwise go unnoticed.

Strategic allocation to make the most of funding

Healthcare Delivery Organisations (HDOs) should use any additional funding to make lasting improvements towards resilient operations. The exhaustive mapping of all assets, both digital and physical, needs to be a top priority for immediate investment. Automated tracking systems should take precedence over outdated manual processes and spreadsheets. These systems can grant real-time insights into asset conditions, usage patterns, and security vulnerabilities, effectively minimising any blind spots.

The grant can also support integrating these advanced tracking systems into existing IT frameworks and operational processes. Such integration fosters a seamless data exchange, which is crucial for swift and well-informed IT decision-making. This becomes even more important for IoMT devices, frequent cyber-attack targets.

Trusts should also capitalise on centralised data platforms that integrate with their Computerised Maintenance Management Systems (CMMS) to streamline inventory management. By automating this, Trusts can remove the risk of manual errors and establish a unified data repository for all assets, be it medical equipment or IoT devices.

The advantage of a unified data platform extends to real-time threat intelligence. For example, if a networked medical device shows a security weakness, the centralised system could instantly alert IT personnel to initiate countermeasures such as isolating the device or updating its software. This enables rapid risk mitigation and helps IT teams allocate their focus and resources where they are most urgently needed.

Creating a resilient and efficient healthcare network

A crucial use of the funding should be to bring existing assets in line with contemporary regulatory standards. Part of the budget should be set aside for modernising or replacing outmoded systems that fall short of current cybersecurity regulations.

Equally important is the allocation of resources for workforce and skills development. Given the resource limitations often cited by IT managers, these funds offer an opportunity to recruit asset management and cybersecurity experts. Further, upskilling the existing workforce to navigate new systems and grasp cybersecurity protocols can strengthen a Trust’s cyber resilience considerably.

Of course, all Trusts vary in their levels of cybersecurity maturity and operational scale. As such, strategic investments must be tailored to suit each organisation’s specific needs and conditions. Collaborating with security partners who are well-versed in the intricacies of healthcare IT can also provide valuable insights and solutions, closing any technology gaps. Such targeted initiatives can ensure that asset management remains an integral part of NHS Trusts’ regular business processes. Once asset management becomes a part of business processes, Trusts can experience improved cyber resilience and safe patient care.

By Ty Greenhalgh, Healthcare Industry Principal at Claroty

