Jun 19, 2023

Cybersecurity Pressures in the NHS – A 2023 FOI Report by Armis


The increasing adoption of connected assets in healthcare has undoubtedly improved the delivery of care, but it has also introduced new complexities and blind spots, expanding the attack surface. With connected medical device (IoMT) vulnerabilities and healthcare cyberattacks on the rise, now more than ever it’s crucial for care delivery organisations to focus on building a resilient security program.

Armis submitted a Freedom of Information (FOI) request to U.K. National Health Service (NHS) trusts, and the responses give valuable insight into the trusts' operational resilience. The findings expose the difficulty trusts have in maintaining visibility of, and monitoring, all connected assets within their environments, as well as in meeting heightened compliance requirements. By delving into the results we can explore potential solutions to strengthen their security strategy and proactively reduce the attack surface.

Let’s go through the key challenges identified:

Connected medical devices (IoMT) need additional oversight

Connected medical devices (IoMT) are hard to keep updated: they usually do not accommodate third-party software and cannot be secured with traditional endpoint agents. Being able to monitor them and understand their behaviour and risk in real time is key to ensuring patient safety. Additionally, they play a significant role in DSPT compliance and are in scope for NHS Cyber Alert assessments, so they need to be accounted for just as enterprise assets are.

According to the data, 15% of the surveyed NHS trusts admitted to not tracking connected medical devices (IoMT) at all, and a further one in five trusts said they rely on manual spreadsheets as their primary method of tracking these critical assets. This reliance on manual processes introduces a risk of errors, omissions, and outdated information. Furthermore, 19% of respondents recognise that information on connected medical devices in their inventory system is either not updated at all or only updated annually.

There is limited visibility and tracking of connected assets

A significant revelation from the research is the lack of visibility and the manual tracking of all connected assets within NHS trusts.

When it comes to tracking Internet of Things (IoT) devices, one-third of the surveyed trusts admitted to having no method of tracking them, and 10% of respondents still resort to manual spreadsheets. The numbers are no better for Operational Technology (OT): ten percent of respondents acknowledged that they do not track OT devices in their environment, and 17% stated they use spreadsheets to track their OT inventory. These statistics underscore the urgent need for automated tracking and monitoring systems to close the gap in asset visibility.

Furthermore, the research highlights a low frequency of updating information in inventory systems for most asset types. Eighteen percent of trusts acknowledged that information on IoT devices in their inventory systems is either not updated at all or only updated annually; this number goes down to nine percent for updating information on OT assets.

Charts: “What is your primary inventory method for tracking devices?” and “How often is the information on systems updated?”

The consequences of limited visibility and manual tracking are twofold. Firstly, they can lead to security breaches, as blind spots in asset monitoring can be exploited by threat actors. Secondly, they heighten the compliance challenges faced by trusts, making it difficult to meet the requirements of regulatory frameworks.

Compliance challenges are exacerbated by a shortage of resources

The findings expose the difficulties trusts face in ensuring data security and demonstrating compliance with NHS directives and regulations such as the Data Security Protection Toolkit (DSPT) assessments.

One of the primary obstacles identified by trusts is the arduous task of compiling evidence and meeting data security awareness training requirements. A considerable number of trusts struggle to fulfil these obligations, primarily due to resource limitations. Specifically, 38% of respondents admitted that they lack sufficient staff to meet the demands placed upon them.

While the research indicates that most trusts (82%) are capable of responding to NHS Cyber Alerts within the requested 48-hour timeframe, they encounter significant hurdles when it comes to remediating issues within the mandated two-week period. This struggle is further exacerbated by the complexities of arranging downtime, the impact on business operations, and the deployment of patches.

Effective remediation processes require efficient coordination, streamlined workflows, and automated patch management. Trusts must ensure that appropriate resources and procedures are in place to address identified vulnerabilities promptly. By leveraging advanced solutions like Armis, NHS trusts can streamline their remediation efforts, minimise the impact on business operations, and maintain a secure environment for patient care.

Enhancing NHS Cybersecurity with Armis

To address the challenges faced by NHS trusts, Armis offers tailored solutions designed specifically for the healthcare industry. The Armis Platform provides comprehensive asset visibility, allowing trusts to gain real-time insight into their entire device landscape, including IoMT, IT, OT and IoT devices. Automated tracking and monitoring capabilities enable proactive identification of risks and vulnerabilities, empowering trusts to take timely action. With centralised risk management, trusts can adopt a unified approach to risk reduction across all device types, ensuring a holistic security posture.

Moreover, Armis’ solutions address compliance challenges by streamlining evidence collection for DSPT assessments and enabling trusts to respond quickly to NHS Cyber Alerts by identifying affected assets, providing risk analysis, prioritisation, and links to remediation steps. By automating these processes, trusts can efficiently meet their compliance requirements and uphold the highest standards of data security.

To learn more about how Armis can help your organisation, please contact [email protected] or visit our website at Armis NHS. To understand how Armis’ new DSPT-specific compliance dashboards and reports can simplify the DSPT process, see our two-minute demo.
