Although the NHS has come on by leaps and bounds in cyber security terms since the 2017 WannaCry incident, compliance and device management complexities are still creating significant and potentially critical security gaps, according to the results of a series of freedom of information (FoI) requests by asset visibility and management specialist Armis.
Out of more than 80 NHS Trusts across the country that responded to the firm’s questions, 14% of respondents were not able to demonstrate compliance with the health service’s own Data Security and Protection Toolkit (DSPT), 46% did not comply with the National Cyber Security Centre’s Cyber Essentials scheme, and 62% did not comply with Cyber Essentials Plus.
Furthermore, 37% did not comply with the EU’s Network & Information Security Directive (NIS) and over two-thirds (67%) of the NHS Trusts were not ISO27001 compliant.
Although the vast majority (85%) of NHS Trusts were able to identify all devices, including medical ones, on their networks, 41% had no real-time risk register relating to those assets, and just under a third did not identify or monitor medical devices used for remote patient management – which is a concern in light of projected spending increases on connected healthcare devices.
“NHS Trusts are doing their best in the face of some extraordinary challenges, but unfortunately the list of challenges keeps getting longer,” said Conor Coughlan, general manager for Europe, the Middle East and Africa (EMEA) at Armis.
“The role of technology is obviously critical, yet its vulnerabilities have also been exposed by unscrupulous bad actors who, regrettably, believe that targeting healthcare services is acceptable. From WannaCry in 2017 to recent ransomware attacks in Ireland, the need to defend systems and devices in hospitals is self-evident.
“As IoMT [the internet of medical things] proliferates, gaining visibility and understanding of these devices is paramount because without specialist technology, visibility into device estates can be as low as 60%,” said Coughlan.
Threadbare patching
The series of FoI requests made by Armis found further security gaps around critical medical devices running outdated or otherwise unsupported software.
Out of those trusts that did not withhold their answers, only 37% could say that none of their medical device estate running on end-of-life or unsupported software, while 16% said they were running over a tenth of their estate on old code.
More encouragingly, however, about a third of respondents understood the need to keep their medical kit segregated from the main organisational network, and a similar number said the majority of their medical devices were segregated, although this leaves close to 30% who do not segregate any of it – a massive risk that leaves the door open to a cyber attack that could result in fatalities.
“Device management can be a complex task and therefore it becomes a matter of context and the ability to confidently accept some risk. The key here is for systems administrators to have all the information about devices, known threats and where they are on their support lifecycles to be able to make these quick judgements and remediate issues swiftly,” said Sumit Sehgal, Armis’ strategic product marketing director.
“Having this level of knowledge, mapped to their compliance requirements, will help put NHS Trusts in the best position to defend themselves against a backdrop of increasing medical devices and attackers waiting to exploit them.”
Computer Weekly contacted NHS Digital for comment on this article, but the organisation had not responded at the time of publishing.
