Written by: Cynerio
Device Proliferation at Bedfordshire Hospitals
Situated in the east of England some 55 kilometres north of central London, Bedfordshire is anchored by the cities of Luton and Bedford. In 2020, Luton & Dunstable University Hospital and Bedford Hospital merged to form Bedfordshire Hospitals NHS Foundation Trust, which now provides comprehensive healthcare services for the entire county.
Like every other healthcare institution, Bedfordshire Hospitals has seen a proliferation of medical devices in recent years. “Connected devices move healthcare to the next level, improving outcomes and saving lives,” notes Hubert Ametefe, head of cyber security at Bedfordshire Hospitals NHS Foundation Trust. “But they also increase our cyber risk.”
Looking to the Next DSPT Assessment
As part of risk mitigation efforts, every organisation that has access to NHS patient data and systems must undergo an annual assessment with the Department of Health and Social Care (DHSC) Data Security and Protection Toolkit (DSPT). This online assessment is due each June and evaluates readiness against the National Data Guardian’s ten overarching data security standards.
One requirement of DSPT is that healthcare organisations must have a complete, up-to-date inventory of all medical devices. While this may sound basic, it is easier said than done. “We have thousands of devices and hundreds of distinct device types, and tracking them was a manual process,” Ametefe recalls. “In 2022, it was all-consuming for our staff to just assemble a list of devices and the risks associated with each. After all that effort, we did not have the bandwidth to actually fix the vulnerabilities we identified. And we did not identify every risk because of the gaps inherent with a fully manual process. We knew we had to find a better way.”
Getting Strategic About Device Security
The cyber security leadership team at Bedfordshire Hospitals contacted Cynerio to see what they could do to help. The Cynerio team conducted a demo of the Cynerio 360 platform, which automatically delivers detailed asset visibility for all devices that interact with the hospital network—including serial numbers, operating systems, whether they hold ePHI, and more. The platform also identifies vulnerabilities in devices and prioritises them according to the risk they present.
On top of that, the industry-unique DSPT Dashboard in Cynerio 360 automatically tracks an organisation’s compliance with 35 elements of that standard that apply to medical devices. For each element, team members can see the status at a glance and glean actionable information for correcting any problems.
After the demo, the cyber security leadership team realised that if they acted quickly, Bedfordshire Hospitals could automate DSPT reporting and help achieve compliance. Ametefe made the decision to move forward, and the Cynerio Customer Success team expedited the proof of concept (POC) process and the initial deployment.
Ametefe’s team was amazed at the results they saw in just a few days. Cynerio 360 detected thousands of devices that had interacted with the Bedfordshire Hospitals network. Through an intuitive user interface, team members could see identifying information for each device, known security vulnerabilities—including NHS Cyber Alerts—and strategies to address those vulnerabilities. The platform also makes note of procedural issues such as devices that still use default passwords. All vulnerabilities are prioritised by the amount of risk they pose to the organisation.
“Going from having basically zero visibility into medical devices to this granular view was an amazing experience,” Ametefe says enthusiastically. “Combining that data with the ITHealth Assurance Dashboard gives us deep insight into every device. We began right away on the most urgent issues—most of which we were unaware of before Cynerio. We are now on track to dramatically reduce the risk posed by medical and IoT devices.”
To the DSPT Assessment—and Beyond
The Bedfordshire Hospitals team got up to speed and completed the 2023 DSPT assessment easily and quickly. Next, they began to focus on bringing the organisation into full compliance in time for the 2024 assessment. To that end, Ametefe formed a Connected Devices Security Working Group consisting of security team members, employees from clinical departments, and IT and security vendors. Its charter is to place ongoing focus on remediating all issues identified by Cynerio 360 with all medical and other IoT devices.
The DSPT Dashboard helps the Working Group identify where they need to focus and prioritise their efforts. At a glance they can see their status with each relevant requirement—green for compliant, amber for areas of concern, and red for urgent issues. For each element, hyperlinks take the user to actionable information about how to become compliant. “We expect to see all green when we submit the next assessment,” Ametefe predicts. “And we can transmit customised reporting from Cynerio 360 directly to the NHS as evidence of compliance.”
“Cynerio 360 has made the DSPT assessment infinitely easier on my team,” Ametefe concludes. “More importantly, Bedfordshire Hospitals NHS Foundation Trust will see greatly reduced risk from our medical devices.”
Want to Learn More?
Bedfordshire Hospitals NHS Foundation Trust continues to demonstrate how to minimise DSPT efforts while improving device-level security. To learn more, download the case study or visit www.cynerio.com.