Bedfordshire Hospitals NHS Foundation Trust Easily Adds Medical Devices to DSPT Audit

To address this risk, every organisation that has access to NHS patient data and systems must undergo an annual assessment with the Department of Health and Social Care (DHSC) Data Security and Protection Toolkit (DSPT). This online assessment is due each June and evaluates readiness against the National Data Guardian’s ten overarching data security standards. One requirement of DSPT is that healthcare organisations must have a complete, up-to-date inventory of all medical devices.

While this may sound basic, it is easier said than done. “We have thousands of devices and hundreds of distinct device types, and tracking them was a manual process,” Ametefe recalls. “In 2022, it was all-consuming for our staff to just assemble a list of devices and the risks associated with each. After all that effort, we did not have the bandwidth to actually fix the vulnerabilities we identified. And we did not identify every risk because of the gaps inherent with a fully manual process. We knew we had to find a better way.”

The cyber security leadership team at Bedfordshire Hospitals contacted Axonius to see what they could do to help. The Axonius team conducted a demo of the Axonius platform, which automatically delivers detailed asset visibility for all devices that interact with the hospital network—including serial numbers, operating systems, whether they hold ePHI, and more. The platform also identifies vulnerabilities in devices and prioritises them according to the risk they present. 

On top of that, the industry-unique DSPT Dashboard on the Axonius platform automatically tracks an organisation’s compliance with 35 elements of that standard that apply to medical devices. For each element, team members can see the status at a glance and glean actionable information for correcting any problems.

After the demo, the cyber security leadership team realised that if they acted quickly, Bedfordshire Hospitals could automate DSPT reporting and help achieve compliance. He made the decision to move forward, and the Axonius Customer Success team expedited the proof of concept (POC) process and the initial deployment. Ametefe’s team was amazed at the results they saw in just a few days. Axonius detected thousands of devices that had interacted with the Bedfordshire Hospitals network. Through an intuitive user interface, team members could see identifying information for each device, known security vulnerabilities—including NHS Cyber Alerts—and strategies to address those vulnerabilities. The platform also makes note of procedural issues such as devices that still use default passwords. All vulnerabilities are prioritised by the amount of risk they pose to the organisation. “Going from having basically zero visibility into medical devices to this granular view was an amazing experience,” Ametefe says enthusiastically. “Combining that data with the ITHealth Assurance Dashboard gives us deep insight into every device. We began right away on the most urgent issues—most of which we were unaware of before Cynerio.