Research highlights the security risks and challenges the UK’s healthcare industry faces due to a lack of visibility and monitoring of connected assets.

One-third of the UK’s National Health Service (NHS) Trusts have no method for tracking internet of things (IoT) devices, potentially exposing data and services to significant security risks. That's according to a Freedom of Information request on 154 NHS Trusts conducted by cybersecurity firm Armis, which highlights the challenges UK hospitals face due to a lack of visibility and monitoring of connected assets in their environments. These blind spots could not only become the catalyst for an attack but also add to the compliance challenges NHS Trusts face. Meanwhile, despite 82% of Trusts stating that they can respond to cyber alerts within 48 hours, they struggle to remediate issues within the two weeks mandated by NHS directives and regulations, encountering challenges in arranging downtime, impact to business, and deployment of patches.

In March, the UK government set out a new strategy to increase the cyber resiliency of the NHS and help protect it from cyberattacks. The Cyber Security Strategy for Health and Adult Social Care aims to promote enhanced cybersecurity across the UK's healthcare sector by 2030, ensuring services are better protected from cyberthreats, securing sensitive information, and safeguarding patients' access to care. The vision includes five key pillars to minimise the risk of cyberattacks and other cybersecurity issues along with improving response and recovery following incidents.

NHS Trusts lack resources to securely manage connected devices

In addition to the third of Trusts that lack a method of tracking IoT devices, 10% use manual processes or spreadsheets to do so, according to the research. A further 18% of respondents said information on IoT devices in their inventory system is either not updated at all or only updated annually.
Fewer surveyed Trusts (15%) have no method for tracking internet of medical things (IoMT) devices, the devices and applications that connect to healthcare information technology systems through online computer networks, but one in five use manual processes or spreadsheets to track these assets. Only 35% of NHS Trusts said they have an automated system to track all connected assets, the research found, with 38% claiming to have sufficient staff to meet the demands placed upon them. Moreover, almost a quarter (23%) of Trusts said they did not have enough resources to replace legacy or unsupported medical devices.

Connected devices expanding healthcare's attack surface

The introduction of connected assets to healthcare is driving innovation and ultimately improving delivery of care, but their adoption has expanded the attack surface, which now needs more oversight than ever, said Mohammad Waqas, principal solutions architect at Armis. "Specifically, for IoMT devices, which are hard to keep updated, being able to monitor them and understand their behaviour and risk in real-time is key to ensure safety and comply with the latest regulations," he said.

One of the most important things to bear in mind when looking at risk in the medical space is that it will be a very different consideration of impact compared to a traditional enterprise, Hollie Hennessy, senior analyst, IoT cybersecurity at Omdia, tells CSO. "Hospitals and healthcare organisations need to be considering impact to hospital staff, operations, and individual patients," she adds.

There are vulnerabilities in IoMT devices which, if exploited, could result in a loss of data but also manipulation of the data displayed by these devices themselves, affecting the integrity of the data that healthcare professionals rely upon, Hennessy says. "Other scenarios could result in devices becoming inoperable, which again can have significant impact on patient health.
Managing these devices and becoming aware of vulnerabilities can help organisations apply effective controls and measures to keep the organisation secure and devices operable and available."