There is an ongoing debate as to whether asset management is the most important undertaking in enterprise cybersecurity or if it’s just a small but important piece of a much bigger risk reduction puzzle.
Proponents will argue that no organization can proactively protect against threats, manage vulnerabilities and accelerate incident response if it lacks unobstructed visibility into the exact number of applications and devices connected to, or trying to connect to, the corporate network(s) at any given point in time. Those less bullish on asset management as a silver bullet point to its inherent complexities and the immense challenges brought on by the proliferation of the Internet of Things (IoT).
Despite the differing perspectives, there is almost universal agreement that asset management is a net positive to a company’s overall security posture. Perhaps that’s why so many government agencies — from the National Institute of Standards & Technology (NIST) and the Center for Internet Security (CIS) in the US to the National Cyber Security Centre (NCSC) and the European Banking Authority abroad — rank asset management atop their cybersecurity preparedness recommendations.
“Being aware of the assets in an environment, how vulnerable they are to threats and how to protect them is an important part of any cybersecurity program,” wrote SAP’s Anne Marie Columbo in a recent Forbes article. But just how useful is awareness in itself if organizations aren’t prepared to act on information at a moment’s notice?
Traditional asset management challenges
Asset management has always presented a unique set of challenges for large organizations, leaving some to deemphasize the initiative in favor of greater investments into detection and response technologies.
From a device standpoint, simply aggregating the total number of in-use and unmanaged applications and machines with connectivity capability can be a years-long headache requiring extensive IT and security resources. This is further complicated by the proliferation of hybrid and remote work due to Covid-19 as well as popular Bring Your Own Device (BYOD) policies that open corporate networks to devices outside of corporate control.
Even in instances when businesses believe they have complete, or near complete, visibility into their assets, they traditionally haven’t had an easy way to interpret data. Like asset discovery, asset inventory analysis has also increased in complexity in recent years, primarily due to the acceleration of cloud migration and Internet of Things (IoT) deployments within corporate environments and the shift to edge data centers, among other digital transformation and future of work initiatives straining network usage.
All these obstructions have hindered hospitals and health systems from reaching their asset management goals.
Unique complications hinder healthcare asset management ubiquity
For the past decade, nation-state hackers and cyber-criminals have prioritized attacks on hospitals and healthcare systems because of the treasure trove of lucrative data available for exploitation and because their cybersecurity defenses are often inferior to those of their enterprise counterparts. According to the Wall Street Journal, “almost every month last year more than 1 million people were affected by data breaches at health-care organizations.”
Even before Covid-19, hospitals and healthcare systems began to flex stronger cybersecurity muscle by increasing budgets and resources. Still, it is estimated by Cybersecurity Ventures that the industry in total will only spend $125 billion annually on cybersecurity by 2025. Putting this into perspective, Bank of America alone spends more than $1 billion per year on cyber.
While overall spending may not yet correspond to the totality of the cybersecurity threat landscape, asset management has emerged as a primary area of opportunity for hospitals and healthcare systems to invest in as they ‘up’ their cybersecurity game and put greater emphasis on risk reduction. But unlike in the general enterprise, cybersecurity asset management in healthcare presents three specific challenges that make the undertaking substantially more complicated. These include:
Physician Budgets – While in hospitals and healthcare systems IT purchasing decisions are increasingly being made by committees composed of clinicians, C-suite executives, compliance and others, in many cases physicians maintain their own budgets with which to procure new software and hardware. According to a survey by MGMA in 2017, hospital-owned physician practices were spending $8,000 per physician per year on IT; Covid-19 has impacted IT purchasing decisions since then, with larger IT implementations being delayed but physicians placing an emphasis on purchases of technologies like telehealth and RPM. Historically, physician budgets came without a corporate mandate to inform IT or security teams about purchases, much less to help with setup. While this is evolving in parallel with greater security concerns, physician technology adoption without IT notification can leave security stakeholders blind to certain assets until a threat or vulnerability is detected, which is often too late to significantly mitigate disruption or damages.
Massive Influx in Connectivity – Millions of healthcare IoT devices are now being used to care for patients, to streamline critical workflows and to communicate with patients. Many of these devices can’t be disconnected because of their critical roles in patient care and because of IT network infrastructure complexity, making it difficult to patch and protect against new threats and vulnerabilities. Mapping and taking inventory of thousands (and often tens of thousands) of connected assets manually, which is how asset management was traditionally done, is impossible. In addition, many of the legacy asset management tools on the market are not built to visualize the communications protocols specific to the healthcare environment.
Network Architecture – Many critical infrastructure sectors utilize layered networks. This means that, although many OT devices are coming online for the first time, the network infrastructure already exists to transmit communications across the seven network protocols. In contrast, healthcare networks are primarily flat and lack segmentation, making it more difficult to track inventory and easier for adversaries to compromise and traverse the network.
While traditional and healthcare-industry-specific challenges to asset management remain problematic, the pros of complete network visibility undoubtedly outweigh the cons, except for organizations that mistakenly believe that asset management alone is sufficient to measurably reduce risk.
In the next article of this three-part series, we’ll explore practical and efficient steps to reduce the burden of asset management in hospital and healthcare systems.