Cybersecurity: Hoping for the Best, but Preparing for the Worst

In an ideal world we wouldn’t have to worry about cybersecurity for healthcare. Unfortunately, that is just not the case. Given how deeply personal and important the information and data held in healthcare is, we need to be prepared for the absolute worst. All systems should have protections in place against even the worst of cyber threats.

But doing so is a daunting task, since technology is so deeply embedded into everything we do. So where do we start? What areas could your organization be overlooking? We reached out to our incredibly talented Healthcare IT Today Community for these answers. The following is what they had to say on how to stay safe; it can be used as a short checklist for your healthcare cybersecurity efforts.

Christopher Toth, Director of Compliance and Risk Management at hc1

In today’s healthcare IT landscape, ensuring your partners take data protection and information security as seriously as your organization is key. While arguably some are very time consuming and resource intensive to achieve, this is where the return on investment of an industry certification pays for itself. For instance, whether your organization achieves a SOC2 or HITRUST Risk-based, 2-year (r2) Validated Assessment certification, it demonstrates to your prospective partner your organization’s commitment to data protection and information security at the highest levels.

Ameesh Divatia, CEO at Baffle

I’m thrilled to see the national cybersecurity legislation broken down by pillars and the strategic objectives articulated eloquently. While individual state legislative efforts so far have made an impact, these separately cannot replace one consistent policy across the United States. And, as cybercriminals continue to invent ways to exploit new and existing vulnerabilities, we must provide healthcare organizations with tools to stop—or at least slow them. The burden will fall to software developers and service providers, thus elevating the data-centric approach to cybersecurity.

Pillar 1: Protect Critical Infrastructure, Modernize Systems: The first pillar of the strategy is fundamental in its approach to protecting critical infrastructure. The strategic objective aims to modernize federal systems with a zero trust architecture strategy that includes encryption, sophisticated multi-factor authentication, and access control while adopting cloud-based security controls.

Pillar 2: Implement Security Controls: The next pillar reinforces this foundation by shaping market forces to build resilience through security controls that hold data collectors accountable. This leads up to NIST-approved data protection at the record-level.

Pillar 3: Use Data Responsibly: The final pillar sets the stage for a resilient privacy-preserving data ecosystem that guarantees individual rights without giving up on the need to gain insights from critical data.

We feel energized and motivated by these initiatives that enable us to build a future where data producers and processors can collaborate in a well-regulated environment managed by a federal mandate for cybersecurity responsibility.

Tim Meyers, Vice President of Federal Cybersecurity at Maximus

IT departments at federal health agencies should engage with cybersecurity experts at the start of all IT decisions to ensure that modernization efforts are designed with a foundation that prioritizes data security and availability alongside maximizing user experience to promote better health outcomes.

Kynan Carver, DoD Cybersecurity Lead at Maximus

By implementing a Zero Trust Architecture (ZTA) for cybersecurity, health agencies and organizations can effectively increase patient confidence in exchanging medical information. The benefits of this can have a cascading impact, ultimately helping to ensure that more patients are willing to provide personal health data and engage with public health programs more of the time – leading to better health data acquisition, knowledge, and potentially better health outcomes.

Ben Herzberg, Chief Scientist at Satori

We are living in a time where healthcare organizations have to balance between collecting and utilizing patient data for analytics and ensuring the privacy and security of that data. It’s a delicate balance and one that requires a comprehensive data security platform that provides visibility and control over access to data while avoiding any changes to the underlying data, schema, or user experience. With the right data security platform, healthcare organizations can ensure that patient data is secure while also making sure that it is available to those who need it when they need it.

Steve Gwizdala, Vice President Healthcare at ForgeRock

Healthcare continues to be the industry most impacted by data breaches. In 2021, healthcare-related data breaches made up 24% of overall cybersecurity incidents, the largest across all industries. It should come as no surprise that as healthcare breaches rise, so has the average cost to mitigate them.

Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online in 2023 and beyond. The traditional password and username approach is no longer enough to properly protect such valuable information. Implementing multi-factor authentication (MFA), passwordless authentication, and zero-trust architecture ensures users experience a high level of security while mitigating risk and reducing opportunities for malicious actors to capture patient medical records.

The demand for security and flexibility is extremely high within the healthcare industry as members and patients navigate different insurance providers, medical providers and specialists, while also taking a hybrid approach to in-person and virtual medical appointments. As competition in the medical industry continues to increase for attracting patients and members, the medical industry must transition to deliver a more retail-like experience yet without jeopardizing security. Creating an improved patient experience while never losing sight of protection is no longer a nice to have, it is a need to have.

Ahsan Siddiqui, Director of Product Management at Arcserve

Data breaches within hospitals and healthcare systems can be catastrophic, impacting data connected to everything from diagnosis to long-term care. The healthcare industry produces large data sets at various levels of care, and that data is very important for offering the most optimal patient care. Given the volume and depth of valuable healthcare data, implementing a multi-layered data protection and recovery strategy is imperative for all healthcare organizations.

One approach to combat ransomware is 3-2-1-1 data protection. It means maintaining three backup copies of data on two different media types, including tape and disk. One of the copies should always be kept offsite to ensure a fast recovery if a ransomware attack occurs. Also, healthcare organizations should keep one immutable object storage copy of data and one air-gapped copy. Immutable object storage protects data continuously by taking a snapshot at 90-second intervals. This is important because data can be recovered immediately.
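As an added illustration of the 3-2-1-1 rule described above (example code written for this page, not Arcserve's or the contributor's own tooling), the following checks a constructed backup inventory against each part of the rule and reports which parts are missing; the copy names, media labels and attributes are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a protected data set (constructed inventory record)."""
    name: str
    media: str          # e.g. "disk", "tape", "object"
    offsite: bool
    immutable: bool     # object-locked / cannot be altered or deleted
    air_gapped: bool    # not reachable from the production network


def check_3_2_1_1(copies):
    """Return the list of gaps against 3-2-1-1; an empty list means compliant.

    3 copies, on 2 media types, 1 offsite, 1 immutable, 1 air-gapped.
    """
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies; rule requires 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        found = ", ".join(sorted(media)) or "none"
        gaps.append(f"only one media type ({found}); rule requires 2")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    if not any(c.immutable for c in copies):
        gaps.append("no immutable copy")
    if not any(c.air_gapped for c in copies):
        gaps.append("no air-gapped copy")
    return gaps


def survivable_copies(copies):
    """Names of copies a ransomware actor with production access cannot alter."""
    return [c.name for c in copies if c.immutable or c.air_gapped]


# Constructed sample inventories (not real systems).
COMPLIANT_INVENTORY = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, air_gapped=False),
    BackupCopy("object-locked", "object", offsite=True, immutable=True, air_gapped=False),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=False, air_gapped=True),
]
WEAK_INVENTORY = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, air_gapped=False),
    BackupCopy("replica-disk", "disk", offsite=True, immutable=False, air_gapped=False),
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, check_3_2_1_1(inv) or "OK", survivable_copies(inv))
```

The weak inventory is the common case of a disk replica that shares credentials and network reach with production: it satisfies "offsite" but nothing that would survive an attacker who can delete backups.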

Jon Kimerle, Epic Alliance Manager at Pure Storage

Ransomware attacks are increasing at an unprecedented rate, while the level of their sophistication continues to rise. In fact, according to industry estimates, the global damage caused by ransomware could cost $265 billion by 2031. The truth is, whether an organization will experience a cybersecurity attack attempt is no longer an “if” but a “when.” As a result, health IT administrators should be doubling down on ransomware recovery plans.

Investing in a more robust disaster recovery plan and a separate disaster recovery location in case of internal network issues is critical now more than ever considering attackers are outpacing cybersecurity efforts. Having a recovery strategy and plan in place that implements a tiered resiliency architecture, which refers to building an environment of high-speed recoverability by leveraging immutable snapshots for near-immediate recoverability and faster forensic investigation, is a future-proof way to build speed and durability into a recovery plan that can save money and lives, further strengthening your cybersecurity strategy overall.

Health IT administrators should also be accounting for the growing number of healthcare cybersecurity tools that health organizations are acquiring and how their interoperability will affect the security of patient information. Hackers are finding holes in the gaps created by fragmented systems. Cybersecurity products should not stand alone but should be integrated with others to create a mesh of solutions working together. Cohesive solution portfolios can improve automation and efficiency – both of which are essential for protecting, detecting, and recovering from cybersecurity attacks.

Dylan Border, Director of Cybersecurity at Hyland

Artificial intelligence (AI) has played an instrumental role over the years when addressing cybersecurity threats and continues to be a priority. No single system can provide all broad security insights for an organization which makes AI a powerful tool when interpreting massive amounts of data across multiple systems. Although AI does the heavy lifting, organizations can strengthen their cybersecurity measures by implementing training for employees to act as human defenders. By establishing training for recognizing and reporting attacks, like phishing, the combination of human and machine learning becomes a force multiplier which is especially important as cyberattacks grow and become automated.

Kyle Ryan, Chief Technology Officer at Tebra

Cybersecurity requires a holistic approach on both an individual and organizational level. With limited resources, independent practices are a primary target for cybercriminals. Updating cybersecurity software regularly is essential against digital threats. Healthcare IT companies regularly release updates to fix identified vulnerabilities. It is critical that practices remain current on these security updates, as any lapse in protection can expose sensitive information.

Chandra Kalle, Vice President of Security and Compliance at LeanTaaS

The healthcare sector is a prime target for cybercriminals due to the sensitive nature of the information stored in electronic health records (EHRs) and the high value of medical data. Malware, phishing scams, and social engineering are commonly used tactics to gain access to healthcare systems, and ransomware attacks have only worsened since 2022.

Although healthcare has historically been slow to adopt new technologies, the potential cost savings from preventing cybersecurity incidents far outweigh the upfront cost. To prevent cybersecurity breaches, healthcare organizations should develop a defense-in-depth security program by replacing outdated and vulnerable software with more secure operating systems like MacOS or Linux, where possible, deploying always-on security tools like anti-malware and anti-ransomware software and firewalls, and encrypting sensitive data. These changes require budgetary allocation and a willingness from leadership to invest in new technology.

By offering regular training and awareness programs, organizations can help employees stay up-to-date with the latest security protocols and identify potential security risks. A simple way to train staff to be more aware of their role in security is to conduct regular phishing simulations. Phishing simulations involve sending mock phishing emails to employees to test their awareness and educate them on how to identify and report phishing attempts. These simulations can help employees become more vigilant and better equipped to spot potential security threats. Regular security training and awareness programs can also help employees stay up-to-date with the latest security protocols and identify potential security risks.

Dave Bailey, VP of Security Services at Clearwater

Continually making staff aware of what the adversary is doing with phishing exercises and awareness campaigns is a must-do behavior. One simple, but extreme, option would be to take away someone’s computer for 2 weeks (simulating the impact of a ransomware attack). I am confident the awareness and importance of their role in security would be realized with 2 weeks of zero productivity.

In all seriousness, the key to awareness is regular and continual engagement with staff.

Ryan Orsi, Global Head of Cloud Foundational Partners for Security at Amazon Web Services

As healthcare organizations continue to accelerate their pace of digital transformation, unlocking operational efficiencies and better patient experiences, a holistic business strategy on resilience, with cyber resilience as a focus area, should be a top priority. In general, cyber resilience refers to the ability of an organization to continue to operate and deliver its products or services even during unexpected security events such as ransomware or malware attacks and edge attacks (DDoS). As a framework, most organizations can assess and improve their cyber resilience along three areas:

  1. Design – which includes implementing the latest security controls.
  2. Operations – is the capability of people, processes, and tools to monitor, triage, and respond to cyber threats 24×7. For organizations lacking sufficient internal resources, Managed Security Service Providers (MSSPs) can assume all or a portion of this responsibility.
  3. Recovery – is the ability for hybrid cloud assets to recover, minimizing downtime and data loss.

One example of a simple security measure that is not used enough in healthcare is multi-factor authentication (MFA). Multi-factor authentication (MFA) is one of the simplest security controls to implement and in many cases would stop stolen credentials from being leveraged further by bad actors seeking to elevate privileges and move laterally in the network.

JR Riding, Vice President, Chief Information Security Officer at MultiPlan

Cyber threats will continue to innovate and evolve with ever bigger, faster, more effective tactics and ever more devastating impacts. However, not all attacks work. Because threat actors typically only bother when they get good return on investment, it is imperative that enterprises continue to evolve and adapt as well, investing in security to improve their defenses and increase the failure rate of attacks and the associated costs to attackers. There is no finish line here. It is an ongoing effort to apply good security hygiene practices, prioritizing specific risk reduction efforts to enable business objectives in line with risk appetite, and ultimately, preparing for the worst.

Jeff Zampieron, Solution Architect at MedAcuity

Organizations need to treat the software supply chain in the same way as they have treated the physical supply chain for decades. Third-party software components need to be vetted, audited, authenticated, and tracked in a Software Bill of Materials (SBOM). Vulnerability scanning tools should be employed against the SBOM continuously for all released and in-development software to ensure timely identification, triage, and mitigation of new vulnerabilities.

John Gomez, Chief Security and Engineering Officer at CloudWave

Some of the latest security approaches that healthcare organizations should have in place to address cybersecurity threats include:

  • Updated incident response plans to protect in today’s current threat landscape. Test those plans – this step is often overlooked and therefore plans fail when needed because they are outdated.
  • Monitoring the environment – there are still many organizations that don’t monitor traffic on their network. Honeypots are a minimum requirement here.
  • A focus on securing cloud infrastructure.

An old technology or process that not enough in healthcare are using in their cybersecurity efforts is human understanding. You should truly understand what attackers are doing and have sources for threat intelligence to be aware of what you can do to protect against those attacks.

A simple example of something you can do to train staff to be more aware of their role in security is to hold regular security training meetings across multiple roles, including clinicians, and share examples of real breaches/attacks that have happened. Role play how they would respond. This can help quickly uncover gaps in your incident response plan and make people more aware that cybersecurity touches all areas of the organization.

So many great ideas and insights! Thank you to everyone who submitted a quote; we couldn’t do this without you. As for our beautiful readers, are there any areas that we missed or a different angle we should use? Let us know down below or on social media!

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
