• TREND MICRO

Preparing for Shadow OT: A Hospital Case Study

  • Posted on: July 25, 2018
  • Posted in: Business, Healthcare, Internet of Things, Security
  • Posted by: William "Bill" Malik (CISA VP Infrastructure Strategies)

The convergence of IT and OT is happening more rapidly than IT expects. Once upon a time, IT was so expensive that enterprises built entire departments to prioritize spending and efficiently manage those costly investments. Now, IT is so inexpensive that any individual who wants IT can buy it (or rent it). This is “Shadow IT”: information technology that the IT organization does not know about. IoT puts OT on the same path.

Nurses at a hospital in the US Northeast decided to use IoT to help with rounds. They put motion- and moisture-detecting pads in thirty hospital beds on one ward, with remote monitors in the nurses’ station. Instead of walking into each room every hour or two overnight, nurses monitored the patients centrally for signs of motion or possible spills. This improved patient care. Patients who were sleeping soundly remained undisturbed, while those who needed attention got it quickly. The nurses had more time to manage paperwork, prepare medications, and attend to other duties.

These devices were very inexpensive – home versions retail for $50 or less. In contrast, an FDA-approved smart hospital bed can cost from $10,000 to $40,000 (a standard hospital bed costs around $6,000). Clearly the nurses would not succeed in asking IT for an additional $4,000 to $30,000 per bed, but spending $50 per bed for non-clinical supplies doesn’t require that level of approval or scrutiny.

The experiment was so successful that sensors were installed on beds across the hospital – over 1,000 in total. The sensors use WiFi and do not communicate over the hospital’s corporate network. Then the administration directed IT to take over management of the devices. IT was blindsided by the request and is coping with this new technology.

See https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4746860/ for a survey of smart hospital bed technology.

Shadow IT represents a risk:

  • It is not governed and may violate compliance regulations,
  • It is not integrated into the organization’s information security program and may present additional attack surfaces,
  • It is not covered by the IT organization’s functional strategies so it will not be backed up or included in the enterprise disaster recovery plan, and
  • It is not included in the organization’s enterprise architecture so it may drive investment into counter-strategic channels.

OT – operational technology – is in the same boat. The Internet of Things brings sensors, actuators, and programmable analytics within the budget of most organizations. These organizations are acquiring capabilities without any governance, security, centralized management or architecture. This wave of ungoverned OT will end up in IT’s lap.

IT has never been able to shut off shadow IT. From personal computers, WiFi, and cheap storage devices to free open source software and cloud computing, people will use available technology to solve business problems whether IT approves or not. A better strategy is to embrace this creativity: provide tools and training to help power users make better choices. By opening the lines of communication, IT can improve the overall security and management of its technology portfolio, and stay informed of what may come next.

What do you think? Let me know by responding below, or Tweet me @WilliamMalikTM.
