Nov 23, 2021
By Sarah Czarnowski

A Database of Assets Isn’t Enough. Here’s Why Having a CMMS Is Crucial.

In a healthcare organization, ensuring effective direct patient care is a top priority. To achieve this, the safety and functionality of operational technology (OT)—including key assets like medical devices and healthcare facilities systems—is a mission-critical requirement.

Patient care depends on these devices and systems. But since many of these assets are now connected to the Internet, they are constantly at risk of a cyber-attack, which can have devastating consequences. Just imagine the catastrophic results of a hacker remotely gaining access to an infusion pump or life support system.

The problem is that it can be challenging for healthcare technology management (HTM) teams to identify OT security vulnerabilities and incidents and mitigate them. Where should they start?

The answer for many organizations is to implement a configuration management database (CMDB) that stores device data. An organization uses a CMDB to store information about hardware and software assets. However, as we’ll explore in this article, CMDBs have limited capabilities, storing only basic network information, and are less effective than a fully-connected computerized maintenance management system (CMMS).

Let’s take a closer look at why CMDBs aren’t optimal for OT security.

5 Major Limitations of CMDBs

Although many healthcare organizations look to CMDBs for protection of their connected devices, they’re often unaware of the drawbacks of such a system. Here are just a few:

  • Lack of scope: A best practice for OT security is to import basic information (like IP and MAC addresses and software versions) for connected devices into a single organizational database. But CMDBs often do not allow easy import or tracking of devices that have yet to be added to the documented inventory, are only connected to the network occasionally, or are in storage.
  • Little or no device context: It’s difficult to solve a security challenge for a device without knowing key details about it. Many CMDBs only include information such as make and model, serial number, and network IP address. They don’t account for crucial device context like location, owning department, maintenance history, device owner’s name, or service and warranty contract status.
  • Unclear security statuses: Oftentimes CMDBs offer no way to see which devices—connected to the network or not—have the latest approved security settings or were onboarded with the appropriate security lifecycle profiles. This can lead to uncertainty and confusion in the midst of an emergency, when speed of response is crucial.
  • No remediation system: When a security event occurs, HTM teams need to know immediately how to resolve it. They need a system that can alert them to the issue and automatically generate trackable work orders for the appropriate technicians. CMDBs do not offer this kind of capability, which makes them ineffective at helping to ensure fast responses to security problems.
  • Challenging database maintenance: IT teams are often responsible for updating the information contained within a CMDB. Unfortunately, these employees don’t work directly with many of the devices they’re responsible for tracking. What’s more, this can create a diffusion of responsibility that results in key device details never being entered into the system.

The Importance of a Fully-Connected CMMS

Modern HTM departments need a solution that addresses the challenges listed above. A cloud-based CMMS like Nuvolo Connected Workplace for Healthcare, combined with the Nuvolo OT Security solution, does all of that and more, including:

  • Establishing a single database of every device and system across the organization, including key details like manufacturer/model, equipment type, location, device owner, software version, update history, service and warranty contract status, and more
  • Fully integrating with all major OT network discovery and monitoring tools, allowing teams to quickly identify a cybersecurity vulnerability or incident on networked medical devices and facilities systems
  • Enabling fast remediation via automated workflows with trackable work orders when a security event occurs

To learn more, watch the insightful webinar “Five Lessons Learned to Implement OT Security.” You can also read more about the Nuvolo OT Security solution here.