Asset Management: how leaders can improve patient safety by using IT assets that are “cyberworthy”
From the perspective of cybersecurity in healthcare, asset management ensures that IT assets are safe to use to deliver care.
The Federal Aviation Administration (FAA) has a thorough process for certifying aircraft as airworthy [1]. This process is critical to ensuring the safety of passengers and operators. Chances are, you will not be flying on an aircraft that has not been certified by the FAA as airworthy.
Applying the same principle to the healthcare industry, healthcare workers should not use IT assets that risk patient safety. Unsafe assets could produce errors and inaccurate information, affecting diagnosis or treatment. In essence, the IT assets used to deliver care should be cyberworthy.
You also need asset management coverage at 100%, because threat actors can exploit unaccounted-for assets. The idea is that you can’t defend assets that you don’t know about.
The Health Industry Cyber Practices (HICP) document contains a practice on asset management. The asset management process starts with a good inventory of what you have, a streamlined procurement process, and the safe decommissioning of assets that are no longer functional.
This article is the fifth in a series where each article discusses adopting a specific HICP practice for small-medium organizations. Previously, we discussed email protection, endpoint protection, access management, and data protection.
This article will look at:
- Asset management practice described by HICP
- Evaluation criteria
- The tool
- The projected cost for adopting this tool.
1. Looking at HICP requirements
HICP describes the asset management practice as having an accurate inventory and workflows for procurement and decommissioning.
The scope of asset management includes workstations, laptops, servers, portable drives, mobile devices, tablets, and smartphones.
HICP recognizes practices based on the organization size, as depicted in the diagram (S=small, M=medium, L=large). For example, automated discovery and NAC integration are more appropriate for large organizations.
2. Evaluation criteria
I considered the following criteria for evaluation: price point, capabilities, peer review, installation, ease of use, and compensating tool.
For capabilities, the primary task of an ITAM tool is to keep an accurate and complete inventory of IT assets. However, the biggest challenge is to keep this database up to date. Therefore, it is crucial to automate this task to keep the database current and reliable as a single source of truth. With that said, the tool must have a robust and automated discovery feature. It also must be capable of discovering both on-premise and cloud-based assets.
Peer review is essential to validate a product’s capabilities. Because asset discovery and ITAM tasks are complicated, we can learn from others’ experiences. The product needs to maintain good feedback on peer review sites such as Gartner Peer Insights, G2, and TrustRadius, and from customer references.
Another consideration is the time and effort it takes for the tool to function correctly in your organization. A product may look impressive in a brochure and demo, but implementing those mesmerizing features will take more time, money, and effort than anticipated. A pragmatic product should allow the user to reap the benefit without months of professional services.
Ease of use during the operation phase is another important consideration. The tool should keep working reliably without much attention. If it needs constant tweaking to work properly, it has failed to deliver.
Last but not least is whether we have a compensating tool for the features that it lacks.
After reviewing products in the market with the above criteria, I landed on LanSweeper. Other products that I reviewed were Microsoft Intune, Snipe-IT, and Freshservice.
Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) tool. It does not scan for other types of on-premise devices, such as networking equipment or medical devices.
Snipe-IT is an ITAM tool, but it does not have an automatic scanning feature to discover assets.
Freshservice is an IT Service Management (ITSM) + IT Operations Management (ITOM) + ITAM + Project Management tool, which might be overkill for a small organization. However, you need to pick the Enterprise package to comply with HIPAA.
3. Looking at LanSweeper
LanSweeper is an on-premise, Windows-based ITAM solution. It groups its functionality around discovery, analysis, control, and coordination.
The discovery function scans the network to discover endpoints, servers, networking equipment, medical devices, etc. Once the scanner finds an endpoint, it probes for hardware and software components that exist on that endpoint.
The analyze function allows users to generate reports on the previously discovered assets. For example, it provides asset reports, out-of-warranty reports, license reports, etc. Below are the reports that are available out-of-the-box [2].
The control function allows the administrator to take action on the assets. For example, it enables the administrator to remotely access the endpoint, look at its services, or reboot it.
Finally, the coordinate function lets users and IT collaborate through a helpdesk, knowledge base, and calendar.
Architecture
LanSweeper runs on an on-premise Windows server. It has a web-based interface, scanner, and SQL database.
The disadvantage with having an on-premise server is that you will need a VPN connection to reach the server when working from home. To address this limitation, LanSweeper is working on a “Cloud Platform” that allows the data on the on-premise server to be accessible from the cloud.
Keeping inventory up to date
The first HICP practice requirement is building inventory. This task is achievable by running the discovery using LanSweeper’s scanner.
LanSweeper has a comprehensive and automated scanner that helps to keep the inventory database up to date.
The following protocols are supported: Bonjour (Apple), DNS-SD (DNS Service Discovery), mDNS (multicast DNS), FTP, HTTP/S, JetDirect (printer), SIP, SMTP, SNMP, SSDP (Simple Service Discovery Protocol), SSH, Telnet, UPnP (Universal Plug-and-Play), and WMI [3].
In addition, it can discover on-premise computers, virtual machines, and cloud infrastructure (AWS, Azure, Office 365, and Intune).
Below is a screenshot showing the assets:
Workflow (Procurement and Decommissioning)
LanSweeper does not currently offer workflows. Some users have built workflows on LanSweeper through coding [4]. However, that may not be practical for clinicians or administrators.
LanSweeper offers helpdesk functionality to open a ticket with IT, but this is a more traditional helpdesk function than a pre-defined workflow.
For adding workflows, I would add Microsoft Power Automate to augment LanSweeper [5]. The LanSweeper helpdesk can send an outgoing email template that triggers Power Automate. With Power Automate, you can create the purchasing order, approval process, and asset lifecycle management workflow.
Automated Rogue Device Detection
LanSweeper offers a unique feature to detect the presence of an unknown device on the network. They call this feature Asset Radar.
It works by running a packet capture session on its network card. When it sees packets coming from an unknown entity, it will trigger its scanning method to investigate further.
This feature is helpful because it does not depend on a regular scanning schedule. As it discovers an unknown endpoint, it can trigger an alert to the administrator.
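The matching step behind this kind of passive detection can be sketched as follows. This is an added example, not LanSweeper's code or part of the original article; the inventory entries, observations, and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed inventory export (MAC -> asset name); formats deliberately mixed.
INVENTORY = {"00-1A-2B-3C-4D-5E": "front-desk-pc",
             "001a.2b3c.4d5f": "exam-room-tablet",
             "00:1a:2b:3c:4d:60": "lab-printer"}

# Constructed passive observations: (UTC timestamp, source MAC, source IP).
OBSERVATIONS = [
    ("2024-05-01T09:00:01Z", "00:1A:2B:3C:4D:5E", "10.0.0.21"),
    ("2024-05-01T09:00:04Z", "00:1a:2b:3c:4d:5f", "10.0.0.22"),
    ("2024-05-01T09:02:10Z", "3c:52:82:aa:bb:cc", "10.0.0.87"),
    ("2024-05-01T09:02:55Z", "3C-52-82-AA-BB-CC", "10.0.0.88"),
    ("2024-05-01T09:05:30Z", "da:a1:19:00:11:22", "10.0.0.90"),
    ("2024-05-01T09:06:00Z", "not-a-mac", "10.0.0.91"),
]

@dataclass
class UnknownDevice:
    mac: str
    first_seen: str
    last_seen: str
    ips: set = field(default_factory=set)
    randomized: bool = False  # locally administered MAC: vendor lookup is meaningless

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None

def find_unknown_devices(inventory, observations):
    """Group observations whose MAC is not in the inventory; one record per MAC."""
    known = {normalize_mac(m) for m in inventory} - {None}
    unknown, malformed = {}, []
    for ts, raw_mac, ip in observations:
        mac = normalize_mac(raw_mac)
        if mac is None:
            malformed.append((ts, raw_mac, ip))  # keep for review, do not drop silently
        elif mac not in known:
            dev = unknown.setdefault(mac, UnknownDevice(mac, ts, ts))
            dev.first_seen, dev.last_seen = min(dev.first_seen, ts), max(dev.last_seen, ts)
            dev.ips.add(ip)
            dev.randomized = bool(int(mac[:2], 16) & 0x02)
    return unknown, malformed

if __name__ == "__main__":
    devices, bad = find_unknown_devices(INVENTORY, OBSERVATIONS)
    for d in devices.values():
        print(d.mac, d.first_seen, d.last_seen, sorted(d.ips), d.randomized)
    print("malformed:", bad)
```

Devices flagged as `randomized` use a locally administered MAC address, so they cannot be matched to an inventory record by MAC alone and need another identifier before they are accepted or blocked.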
Peer Review
LanSweeper received good feedback from various review sites (Gartner Peer Insights, TrustRadius, and G2).
For healthcare-specific customer references, they have case studies from Cerner [6] and the NHS [7]. These case studies suggest that LanSweeper can scale to large health systems.
4. Looking at the cost for LanSweeper
LanSweeper is free for up to 100 assets [8]. LanSweeper defines an asset as any device that the scanning engine can discover. In this definition, an asset can be computers, laptops, mobile devices, virtual machines, etc.
When you have more than 100 assets, the cost is $1/asset/year. However, the 100-asset limit should be sufficient for small organizations.
Since LanSweeper runs on the Windows operating system, you need to budget for decent server hardware. I would budget $1400 for the hardware and Windows license. See the system requirements [9].
LanSweeper requires a knowledgeable IT person to set this up. Besides setting the server and installing the software, they also need to prepare the endpoints. However, it shouldn’t take more than 3 hours to set up the server and perform initial scanning. Assuming that your MSP charges $200/hour, you should budget $600 for the labor.
Projected cost for adopting HICP practices so far
Conclusion
Asset Management is an important practice to deliver patient safety. It ensures that care is delivered through IT assets that are cyberworthy.
LanSweeper is an IT Asset Management tool accessible by small organizations and can scale to large organizations. However, since workflow features are not available out of the box, we need to augment LanSweeper with other tools or processes.
References
[1] https://www.faa.gov/aircraft/air_cert/airworthiness_certification/aw_overview/
[2] https://www.lansweeper.com/report/
[3] https://www.lansweeper.com/knowledgebase/network-device-scanning-requirements/
[4] https://www.lansweeper.com/forum/yaf_postsm65613_How-I-managed-to-create-a-purchasing-workflow-in-LW.aspx#post65613
[5] https://docs.microsoft.com/en-us/power-automate/modern-approvals
[6] https://www.lansweeper.com/testimonial/cerner-strengthens-managed-it-services-offering-to-healthcare-clientele-with-lansweeper/
[7] https://www.lansweeper.com/testimonial/a-fundamental-part-of-the-national-health-services-it-scope/
[8] https://www.lansweeper.com/pricing/
[9] https://www.lansweeper.com/knowledgebase/lansweeper-installation-requirements/