Recently, our clinical IT services were called upon by a hospital for which we do not normally provide these services. When our engineers responded, they found the hard drive was starting to fail. During the normal process of assessing the system, they discovered it was connected to the hospital network, which in itself is not an issue. However, passwords, antivirus, and security updates were not enabled. In reality, there were multiple problems. The most pressing was the pending hard drive failure: the application software was not available and there was no backup/ghost of the drive, so all of the patient data could have been lost. Second, but still critical, there was no antivirus software, OS patching process, security, or ongoing monitoring enabled on the system.

The point of this incident is not what was done to correct the problems, but how many hospitals are in this same situation: a medical IT device or system is connected to the network with inadequate protection, with little or no system administration, and with no processes to monitor, alert on, and correct issues on a real-time basis. Just as it is unacceptable to have a new system introduced into the clinical environment without inventory, inspection, and in-service, it is equally unacceptable to enable these systems without properly securing and protecting them from an IT standpoint.
