Preparing for Shadow OT: A Hospital Case Study

  • Posted on: July 25, 2018
  • Posted in: Business, Healthcare, Internet of Things, Security
  • Posted by: William "Bill" Malik (CISA VP Infrastructure Strategies)

The convergence of IT and OT is happening more rapidly than IT expects. Once upon a time, IT was so expensive that enterprises built entire departments to prioritize spending and efficiently manage those costly investments. Now, IT is so inexpensive that any individual who wants IT can buy it (or rent it). This is “Shadow IT”: information technology that the IT organization does not know about. IoT puts OT on the same path.

Nurses at a hospital in the US Northeast decided to use IoT to help with rounds. They put motion- and moisture-detecting pads in thirty hospital beds on one ward, with remote monitors in the nurses’ station. Instead of walking into each room every hour or two overnight, nurses centrally monitored the patients for signs of motion or possible spills. This improved patient care. Patients who were sleeping soundly remained undisturbed, while those who needed attention got it quickly. The nurses had more time to manage paperwork, prepare medications, and attend to other duties.

These devices were very inexpensive – home versions retail for $50 or less. In contrast, an FDA-approved smart hospital bed can cost from $10,000 to $40,000 (a standard hospital bed costs around $6,000). Clearly the nurses would not succeed asking IT for an additional $4,000 to $30,000 per bed, but spending $50 per bed for non-clinical supplies doesn’t require that level of approval or scrutiny.

The experiment was so successful that sensors were installed on beds across the hospital – over 1,000 in total. They use WiFi and do not communicate over the hospital’s corporate network. Then the administration directed IT to take over management of the devices. IT was blindsided by the request. They are coping with this new technology.

See https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4746860/ for a survey of smart hospital bed technology.

Shadow IT represents a risk:

  • It is not governed and may violate compliance regulations,
  • It is not integrated into the organization’s information security program and may present additional attack surfaces,
  • It is not covered by the IT organization’s functional strategies so it will not be backed up or included in the enterprise disaster recovery plan, and
  • It is not included in the organization’s enterprise architecture so it may drive investment into counter-strategic channels.

OT – operational technology – is in the same boat. The Internet of Things brings sensors, actuators, and programmable analytics within the budget of most organizations. These organizations are acquiring capabilities without any governance, security, centralized management or architecture. This wave of ungoverned OT will end up in IT’s lap.

IT has never been able to shut off shadow IT. From personal computers, WiFi, and cheap storage devices to free open source software and cloud computing, people will use available technology to solve business problems whether IT approves or not. A better strategy is to embrace this creativity: provide tools and training to help power users make better choices. By opening the lines of communication, IT can improve the overall security and management of its technology portfolio, and stay informed of what may come next.

What do you think? Let me know by responding below, or Tweet me @WilliamMalikTM.
