3 steps for better asset management in healthcare

In Part 1 of this series, we identified the many challenges of good asset management in healthcare. In Part 2, we cover solutions to help hospitals and healthcare systems improve asset management and medical device security.

With the proliferation of connected IoT and OT devices in hospitals, asset management – the process of creating an inventory of devices connected to a network – is increasingly difficult. Yet it is a crucial part of healthcare cybersecurity. In fact, asset management is listed as a top priority for cybersecurity readiness by the National Institute of Standards & Technology (NIST), the Center for Internet Security (CIS) and the European Banking Authority.

In addition, the Covid-19 pandemic has strained hospital resources through an influx of patients, staff shortages and shrinking budgets. It also introduced new security challenges: ransomware attempts against hospitals increased 123% last year, impacting revenue, the ability of healthcare professionals to provide care, and patient outcomes. This was evidenced by the 2019 attack on Alabama-based Springhill Medical Center, which resulted in the first potential ransomware-related death. Visibility into hospital networks and the devices connected to them has become a matter of life or death – after all, you can’t secure what you don’t know is there.

However, despite its importance, many hospitals still do not have the IT or security resources to accurately track device inventory. New processes, policies and tools are needed to ensure accurate and holistic inventory so that hospital networks and devices can be secure. It should be noted, however, that asset management is only one part of improving the security of healthcare systems, and additional steps and tools are needed to improve the overall security of our critical healthcare infrastructure.

The challenges of asset management in healthcare

Cybersecurity Ventures estimates that the healthcare industry will spend a total of just $125 billion per year on cybersecurity by 2025, while the financial services industry spends an average of 10% of its revenue, or $2,300 per employee, on cybersecurity per year, with Bank of America costs reaching over $ 1. billion. Yet many consider the healthcare industry to be the most at risk for cyberattacks due to the demand for medical records on the Dark Web, with a single patient record selling for up to $1,000.

This is why asset management is so critical for hospitals – accounting for all the devices on your network can help identify risks that would make your hospital vulnerable to attacks. However, the management of hospital assets still faces several challenges.

First, there is the challenge of “bring your own device” policies, which allow healthcare providers to purchase their own medical equipment and devices, as well as to bring their own personal non-medical devices to work. This is made even more difficult by the massive influx of connected medical devices in recent years and the lack of network visibility needed to track them all. Without a clear system for registering, tracking, and securing devices, many devices on a hospital’s network go missing, leaving them exposed to ransomware and other threats and vulnerabilities.

Improve the management of assets in the health sector

In light of these challenges, hospitals need to take several steps to improve asset management:

  • Secure physician budgets: Equipment purchasing decisions are increasingly made by committees made up of healthcare professionals, IT staff, compliance officers and senior executives, so many hospitals and healthcare systems are giving physicians their own budget to buy devices and technologies. This can give physicians – especially those whose purchases require advanced medical knowledge – the tools they need without so much “paperwork”. However, it can also put hospitals and their patients at increased risk of a cyberattack if the new tools are not properly considered and secured. For these purchases, IT and security staff should work alongside medical staff to ensure that devices meet security standards before they are introduced to the network.
  • Adopt a zero-trust network architecture: Hospitals often have flat networks without the segmentation necessary not only to secure connected devices, but also to limit the number of devices communicating with each other to ensure optimal performance and patient outcomes. A flat network not only optimizes data sharing for doctors, but also opens up new vulnerabilities, such as ransomware, which could shut down all medical devices and allow recognition of potential attacks. To mitigate this risk, hospitals should take a zero-trust approach to critical networks, requiring strict identity verification for all users and devices. In addition, separate networks are required for all personal devices used by staff, patients and visitors.
  • Define an enforceable asset management policy: Traditionally, hospital asset management has been done manually. However, with thousands of devices connected to a hospital’s network, and that number growing, it’s nearly impossible to keep an accurate inventory with a manual device audit. A manual audit also takes a tremendous amount of time and resources. Without automating this process and without introducing processes that signal a device’s risk for potential remediation, the attack surface remains large and exposed. Implementing an asset management solution is critical to giving hospitals visibility into their networks and ensuring device security.

Better asset management can go a long way in improving cybersecurity visibility for hospitals. However, this is not the only step hospitals need to take to ensure they are protected. In the next article in this series, find out why inventory isn’t enough and why more actionable asset management is needed, along with other tips to improve cybersecurity in hospitals.

About Marion Browning
