How Asset Visibility Reduces Risk in Healthcare: A Lesson from Texas Children's Hospital
Introduction
In cybersecurity, the old adage "you can't protect what you can't see" is a fundamental truth. This reality was recently highlighted in the healthcare sector when Texas Children's Hospital utilized RFID technology to gain complete visibility into their pharmacy inventory, saving $14 million annually. While the business case focuses on cost savings, the security implications are profound. For defenders, lack of visibility is a critical vulnerability. It leads to blind spots where unpatched systems, unauthorized IoT devices, and Shadow IT can hide, providing easy entry points for attackers. This post explores how implementing rigorous asset inventory and visibility controls acts as a formidable defense mechanism.
Technical Analysis
From a security perspective, the challenge faced by Texas Children's Hospital—lack of inventory visibility—translates directly to an Asset Management Vulnerability. When an organization does not have a real-time, accurate ledger of hardware and software, it creates an "Unknown Attack Surface."
The Vulnerability: Unmanaged Assets
- Affected Systems: IoT medical devices, mobile workstations, and legacy systems often escape traditional asset management inventories.
- Severity: High. Unmanaged assets rarely receive timely patches, often lack endpoint detection and response (EDR) agents, and frequently default to weak credentials (e.g., default passwords on medical IoT).
- Impact: Attackers specifically hunt for these "ghost" assets to pivot into the network, exfiltrate Patient Health Information (PHI), or deploy ransomware.
The Fix: Automated Asset Discovery
Just as the hospital implemented RFID for physical inventory, security teams must implement automated discovery agents and network scanning to map digital assets. The fix involves deploying agents that report back asset details (hardware ID, installed software, patch level) to a central CMDB or Security Information and Event Management (SIEM) system, ensuring no device remains "dark."
Defensive Monitoring
To defend against the risks associated with poor asset visibility, security teams must monitor for signs of "rogue" or unmanaged assets joining the network. Below are detection rules and queries to identify hardware and software that may have slipped through inventory controls.
SIGMA Rules
These rules help detect unsigned drivers (indicative of unauthorized hardware) and reconnaissance commands used to map assets.
---
title: Unsigned or Invalid Kernel Driver Load
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects the loading of unsigned kernel drivers, which may indicate rogue hardware or rootkit activity attempting to bypass security controls.
references:
- https://attack.mitre.org/techniques/T1547/006/
author: Security Arsenal
date: 2024/05/20
tags:
- attack.persistence
- attack.t1547.006
logsource:
category: driver_load
product: windows
detection:
selection:
Signed: 'false'
falsepositives:
- Legacy hardware drivers in development environments
level: medium
---
title: System Information Discovery via WMIC
id: b7c8d9e0-f1a2-3456-bcde-f01234567890
status: experimental
description: Detects execution of WMIC to list installed software or hardware, common in reconnaissance by attackers or unauthorized users.
references:
- https://attack.mitre.org/techniques/T1082/
author: Security Arsenal
date: 2024/05/20
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wmic.exe'
CommandLine|contains:
- 'product get'
- 'computersystem get'
falsepositives:
- Administrative troubleshooting
- Legitimate inventory scripts
level: low
KQL (Microsoft Sentinel/Defender)
These queries help identify devices that are communicating with the network but may be missing from the asset inventory.
// Identify devices connecting to the network but recently added to the logs (New Assets)
let DeviceInventory = materialize(
DeviceInfo
| summarize by DeviceId, DeviceName, OSVersion, AadDeviceId, TenantId
);
let NetworkConnections =
DeviceNetworkEvents
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId, RemoteIP, RemoteUrl
;
NetworkConnections
| join kind=leftanti DeviceInventory on DeviceId
| project Timestamp, DeviceId, RemoteIP, RemoteUrl, ActionType
| distinct DeviceId, RemoteIP
| sort by Timestamp desc
// Hunt for unsigned drivers or potentially unauthorized hardware
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "pnputil.exe" or FileName =~ "drvload.exe"
| extend CommandArgs = ProcessCommandLine
| where CommandArgs has "-i" or CommandArgs has "/add-driver"
| project Timestamp, DeviceName, AccountName, FileName, CommandArgs, InitiatingProcessFileName
Velociraptor VQL
Velociraptor can be used to hunt for specific hardware devices plugged into endpoints, verifying if they match the authorized inventory.
-- Hunt for Plug and Play devices to identify unauthorized hardware
SELECT
DeviceID,
Description,
Manufacturer,
PNPClass,
ConfigManagerErrorCode
FROM wmi(query="SELECT * FROM Win32_PnPEntity")
WHERE
Manufacturer NOT IN ("Microsoft", "Intel", "Realtek", "NVIDIA")
AND PNPClass NOT IN ("Monitor", "Keyboard", "Mouse", "DiskDrive", "Processor")
AND ConfigManagerErrorCode != 0
PowerShell Remediation
Use this script to perform a local audit of installed hardware and compare it against a baseline (or export it for manual review).
<#
.SYNOPSIS
Audits local PnP devices for potential unauthorized hardware.
.DESCRIPTION
Retrieves a list of non-standard Plug and Play devices and exports them to a CSV.
#>
$AuthorizedManufacturers = @("Microsoft", "Intel", "AMD", "Realtek", "Logitech", "Dell", "HP", "Lenovo")
$AuditResults = Get-PnpDevice | Where-Object {
$_.Status -eq "OK" -and
$_.Manufacturer -notin $AuthorizedManufacturers -and
$_.Class -ne "Monitor" -and
$_.Class -ne "Printer"
}
if ($AuditResults) {
$ExportPath = "C:\Temp\HardwareAudit_$(Get-Date -Format 'yyyyMMdd').csv"
$AuditResults | Select-Object InstanceId, FriendlyName, Manufacturer, Class, Status | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "[+] Audit complete. Unrecognized hardware exported to $ExportPath" -ForegroundColor Cyan
} else {
Write-Host "[+] No unauthorized hardware detected." -ForegroundColor Green
}
Remediation
To close the gap on asset visibility and secure the healthcare environment:
- Implement Continuous Asset Discovery: Move away from annual or quarterly manual spreadsheets. Deploy automated tools that scan the network and query endpoints continuously to detect new devices immediately upon connection.
- Network Segmentation (NAC): Utilize Network Access Control (NAC) solutions to isolate unknown devices into a quarantine VLAN until they are authenticated, inventoried, and assessed for compliance.
- Tag and Track Physical Assets: Following the lead of Texas Children's Hospital, use RFID or NFC tags for critical mobile workstations and high-value medical equipment. Integrate the physical inventory database with your IT asset management (ITAM) database to correlate physical movement with digital connection logs.
- Enforce Driver Signing: Ensure endpoint protection policies block the installation of unsigned drivers. This prevents the connection of unauthorized hardware peripherals that could be used for data exfiltration.
Executive Takeaways
The $14 million savings reported by Texas Children's Hospital is a testament to the power of visibility. In healthcare, where patient safety and data privacy are paramount, knowing exactly what you have is the first step in defense. By treating asset inventory not just as an operational task but as a security control, organizations can drastically reduce their attack surface and ensure compliance with HIPAA and other regulatory frameworks.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.