The healthcare sector is an increasingly popular target for cyberattacks, with hospitals and other providers regularly being hit with highly disruptive attacks that threaten patient care. In an attempt to mitigate the risk, NHS organisations have until June 30, 2023, to comply with version five of the Data Security and Protection Toolkit (DSPT). This updated regulation requires that all NHS organisations have vulnerability management in place and, ultimately, learn from previous cyber incidents or near misses.

However, meeting these new regulations can be challenging for healthcare providers struggling with budgets, resources, and a proliferation of medical devices often not designed or implemented with security in mind.
Why has securing connected medical devices proved to be such a challenge?
Connected medical devices aren’t usually compatible with standard security practices, so they have always been more challenging to secure. For most IT assets, it’s a straightforward task to deploy agents and conduct scans to detect vulnerabilities and threats. However, since connected medical devices are rarely compatible with these tools, they can rarely be installed with agents or actively scanned. This has become a greater issue as organisations have expanded their use of cyber-physical systems, forming what we call the Extended Internet of Things (XIoT).
For example, an endpoint detection and response (EDR) tool cannot be installed on a connected medical device. Most firewalls are built to scope out traffic between PCs and other standard IT hardware but were not designed to understand the traffic of medical and other unmanaged devices.
Furthermore, the healthcare sector’s budget and resource limitations make the task of securing connected medical devices even more challenging for NHS organisations.
How will the Data Security and Protection Toolkit (DSPT) help?
The UK government has undertaken a number of programmes to reduce the cyber risk facing NHS trusts, with five key pillars of security being introduced in March. These efforts include an updated version of the Data Security and Protection Toolkit (DSPT). The DSPT is an online self-assessment tool designed to enable organisations to test their security capabilities against the National Data Guardian’s 10 data security standards.
The latest changes in version five of the DSPT mostly apply to category one organisations, which includes NHS Trusts. New requirements include improved security capabilities, such as vulnerability management and monitoring. The focus here is to help Trusts become more aware of their IT and Internet of Things (IoT) estates, hopefully putting them in a better position to identify and resolve security issues.
As part of this, Trusts need to prove they know their most critical assets – devices that are most vulnerable to compromise or could cause the greatest impact. For example, a cyberattack on an insulin pump could cause patient fatality.
Getting NHS organisations to work on supported operating systems is also a priority in the DSPT update, as this has long been a struggle for the healthcare sector. WannaCry demonstrated how dangerous outdated operating systems (OS) can be, with the ransomware rapidly spreading through unsupported devices. Connected XIoT devices make this even more challenging as they tend to have longer lifespans than standard IT but often have poor support for update processes.
What are the biggest priorities for NHS organisations in meeting the DSPT?
For most trusts, visibility is the most important thing. Connected medical devices are often a big challenge here, as losing track of them is easy.
New IoT assets get purchased and connected to the network, but at some point, they get overlooked and fall off the radar for patching and maintenance. It is when devices are not monitored that serious security vulnerabilities are exploited. Trusts need to have an accurate picture of all their connected assets to have a chance of securing them.
This visibility must extend beyond medical devices and encompass the whole environment. Operational technology (OT) systems, such as lifts, are also potentially vulnerable to a cyberattack. Anything connected to the IT environment can be an attack entry point.
Ultimately, there needs to be a single point of visibility for all of these systems and how they connect and interact. Trusts with multiple sites must also ensure they are all in the same scope.
What’s the next step – can you recommend a quick win?
Asset discovery is a huge win as it will inform the rest of the strategy. Once trusts know what they have, they can prioritise their security activity to first deal with the highest risk issues, threats and vulnerabilities.
However, this is a huge job without having the right tools. Most trusts deal with decades of IT expansion with no clear map of their assets. Many likely have long-forgotten devices which are still connected to the network. Ultimately, dealing with this manually is an extremely slow and resource-heavy job.
So, automation is the key here. An automated asset discovery solution will be able to find and collate all of the devices connected to the network. IT and security staff can then work to remove or repurpose unused devices and fix critical issues with important assets. Teams can get to work rather than wasting months trying to fit asset discovery into their demanding schedules.
From here, management of these systems can be placed under a single pane of glass, enabling IT and security to keep track of everything from one unified control point. This approach can also provide value outside of security, as data flows can show where assets are and how they are being used.
For example, say oncology wants to invest in new ultrasound machines. Telemetry on data traffic for the existing devices will provide insight into how heavily used they are and if investing in new machines is justified.
Not only will trusts be in line with the new DSPT requirements, but they can also make more informed decisions to improve patient care alongside security.