Armis, the unified asset visibility and security platform provider, has released figures from a Freedom of Information (FOI) request to over 80 NHS Trusts that highlighted how compliance and device management complexities could be creating critical cybersecurity gaps. The study confirmed that while 85% had identified all devices, including medical devices, on the Trust’s network, 41% had no real-time risk register of these assets and one in three did not identify and monitor all medical devices being used for remote patient management. With the Internet of Medical Things (IoMT) predicted to rise to $158.1bn next year, an explosion of devices could put Trusts on the back foot if these security blind spots are not addressed.
A recent study by Obrela Security Industries confirmed that over 80% of healthcare organisations in the UK had been hit by ransomware last year, with a 30% rise in attacks from Q2 to Q3. And earlier this year, Ireland’s Health Service was severely impacted by a ransomware attack, with the NCSC declaring the healthcare sector a top target for cybercrime.
Main findings from the FOI request:
“NHS Trusts are no doubt doing their best in the face of some extraordinary challenges, but unfortunately the list of challenges keeps getting longer,” said Conor Coughlan, General Manager for EMEA at Armis. “The role of technology is obviously critical, yet its vulnerabilities have also been exposed by unscrupulous bad actors who, regrettably, believe that targeting healthcare services is acceptable. From WannaCry in 2017 to recent ransomware attacks in Ireland, the need to defend systems and devices in hospitals is self-evident. As IoMT proliferates, gaining visibility and understanding of these devices is paramount because without specialist technology, visibility into device estates can be as low as 60%.”
The study also found that regulatory compliance remains a challenge, with 14% not yet able to meet their Data Security and Protection Toolkit (DSPT) requirements. Notably, one of the new non-mandatory DSPT requirements for ‘21-‘22 is for Trusts to maintain a register of the medical devices connected to their networks. Furthermore, the NCSC’s Cyber Essentials is met by 54% of Trusts, though 63% have not yet met the controversial Cyber Essentials Plus recommendations, and 37% do not comply with the EU’s Network & Information Security Directive (NIS). Over two-thirds (67%) of the NHS Trusts are not ISO 27001 compliant.
When it comes to devices running outdated or unsupported software, further security gaps appear. Of the Trusts that did not withhold their answers, only 37% said they had no part of their medical device estate running on end-of-life (EOL) or unsupported software, while 16% said more than one-tenth of their medical device estate was running on EOL or unsupported software. In terms of using segregation to keep potentially risky medical devices away from the main IT network, encouragingly, almost one in three (30%) recognise its importance and keep their entire medical estate segregated from the main network, while the same proportion keep the majority (61-99%) of it segregated. Nearly the same proportion (27%) said none of their medical device estate is segregated from the main network.
“Device management can be a complex task and therefore it becomes a matter of context and the ability to confidently accept some risk. The key here is for systems administrators to have all the information about devices, known threats and where they are on their support lifecycles to be able to make these quick judgements and remediate issues swiftly,” said Sumit Sehgal, Armis Strategic Product Marketing Director. “Having this level of knowledge, mapped to their compliance requirements, will help put NHS Trusts in the best position to defend themselves against a backdrop of increasing medical devices and attackers waiting to exploit them.”
Implementing a successful medical device security strategy requires a multi-faceted approach that accounts for the entire healthcare device ecosystem in addition to connected medical devices. Mapping this data to clinical workflows and creating a holistic visual of prioritised risk transforms security operations and allows information security strategy to be aligned with resilience and continuity of operations.
For further information on securing healthcare environments, Armis has also produced a whitepaper entitled Security and Operational Efficiency which can be accessed here:
FOI request information gathered from over 80 NHS Trusts from July to October 2021.