In part one of this series, we identified the many challenges to proper asset management in healthcare. In part two, we cover solutions to help hospitals and healthcare systems improve asset management and medical device security.
With the proliferation of IoT and connected OT devices in hospitals, asset management – the process of creating an inventory of the devices connected to a network – is increasingly difficult. Yet, it is a crucial component of healthcare cybersecurity. In fact, asset management ranks as a top priority for cybersecurity preparedness by the National Institute of Standards & Technology (NIST), Center for Internet Security (CIS), and the European Banking Authority.
With the Rise of AI, What IP Disputes in Healthcare Are Likely to Emerge?
Munck Wilson Mandala Partner Greg Howison shared his perspective on some of the legal ramifications around AI, IP, connected devices and the data they generate, in response to emailed questions.
Further, the Covid-19 pandemic has stretched hospital resources thin, with the influx in patients, staffing shortages, and shrinking budgets. It has also introduced new security challenges, with ransomware attempts on hospitals increasing 123% last year, impacting revenue, healthcare practitioners’ ability to provide care, and patient outcomes, as evidenced by the 2019 attack on Alabama-based Springhill Medical Center resulting in the first potential ransomware-related death. Visibility into hospital networks and the devices connected to them has become life or death – after all, you can’t secure what you don’t know is there.
However, despite its importance, many hospitals still don’t have the IT or security resources needed to accurately track device inventory. New processes, policies, and tools are needed to ensure an accurate and holistic inventory so that hospital networks and devices can be secured. It is worth noting, however, that asset management is just one component of improving security for healthcare systems, and additional steps and tools are needed to improve the overall security posture of our critical healthcare infrastructure.
Challenges to asset management in healthcare
Cybersecurity Ventures estimates that the healthcare industry in total will spend only $125 billion annually on cybersecurity by 2025, while the financial services industry spends an average of 10% of revenue or $2,300 per employee on cybersecurity per year, with Bank of America’s costs reaching over $1 billion. Yet, many consider the healthcare industry to be the most at risk of cyberattack because of the Dark Web demand for medical records, with a single patient record selling for as much as $1,000.
A Personalized Approach to Medication Nonadherence
At the Abarca Forward conference earlier this year, George Van Antwerp, managing director at Deloitte, discussed how social determinants of health and a personalized member experience can improve medication adherence and health outcomes.
This is why asset management is so critical for hospitals – accounting for all of the devices on your network can help identify risks that would leave your hospital vulnerable to attacks. However, there are several challenges still facing hospital asset management.
First, there is the challenge of “bring-your-own-device” policies, allowing healthcare providers to purchase their own medical equipment and devices, as well as bringing their own non-medical personal devices to work. This is made even more difficult by the massive influx of connected medical devices in recent years and the lack of network visibility to keep track of all of them. Without a clear system for registering, tracking, and securing devices, many devices on a hospital’s network go unaccounted for, leaving them open to ransomware and other threats and vulnerabilities.
Improving asset management in healthcare
Considering these challenges, there are several steps hospitals should take to improve asset management:
- Secure physician budgets: While equipment purchasing decisions are increasingly made by committees made up of healthcare professionals, IT staff, compliance officers, and C-suite executives, many hospitals and healthcare systems give physicians their own budget to make device and technology purchases. This can empower physicians – particularly those whose purchases require advanced medical knowledge – with the tools they need without as much ‘red tape.’ However, it can also put hospitals and their patients at higher risk of cyber attack if new tools aren’t properly accounted for and secured. For these purchases, IT and security staff should work alongside medical personnel to ensure devices meet security standards before they are ever introduced to the network.
- Adopt a zero trust network architecture: Hospitals often have flat networks without the segmentation needed to not only secure connected devices but limit the number of devices communicating with each other to ensure optimal performance and patient outcomes. This optimizes data sharing for doctors, but also opens new vulnerabilities, such as ransomware, that could shut down all medical devices as well as enable potential attack reconnaissance. To mitigate this risk, hospitals must adopt a zero trust approach for critical networks, requiring strict identity verification for all users and devices. Additionally, separate networks are needed for any personal devices used by staff, patients, and visitors.
- Set an enforceable asset management policy: Traditionally, hospital asset management has been carried out manually. However, with thousands of connected devices on a hospital’s network and growing, it is nearly impossible to keep an accurate inventory with a manual device audit. Not only that, but it also takes a huge amount of time and resources. Without automating this process, and introducing processes that flag device risk for potential remediation, the attack surface is left expanded and exposed. Implementing an asset management solution is critical to give hospitals visibility into their networks and ensure devices are secured.
Improved asset management can go a long way in better cybersecurity visibility for hospitals. However, it is not the only step hospitals need to take to make sure they’re protected. In the next article in this series, learn why taking inventory is not enough and more actionable asset management is needed, as well as other tips for improved hospital cybersecurity.
Leon Lerman is the co-founder and CEO of Cynerio, Inc., a full-suite Healthcare IoT platform that enables healthcare providers to secure patient data and connected devices against cyber threats. He has over 15 years of experience in innovative technology development, served in Israel's elite Unit 8200 cyber technology division, has served as a trusted security advisor to Fortune 500 companies, and has earned international recognition for excellence in the cybersecurity industry.
