Healthcare’s digital modernization across patients, staff, doctors, and technologies is challenging security teams’ skills and capacity at a scale not seen in the past.
In the U.S. in July of this year, there were 66 data breaches of 500 or more exposed records reported to the Department of Health and Human Services’ Office for Civil Rights. While the number of breaches was down slightly from June, the overall number is still above the monthly average of 57 for 2022.
One reason for this surge in attack activity is that digital transformation has outpaced current security controls in healthcare, creating holes for bad actors to exploit. The explosive growth of the interconnected internet of things (IoT) and modern medical devices designed to improve patient care has also expanded attack surfaces – and cybercriminals are taking advantage.
The danger posed to medical IoT devices is so great that the FBI recently released recommendations specifically protecting medical devices.
The good news is that there are protective and preventive measures that can be put in place, although these alone do not guarantee resilience. To achieve it, healthcare organizations must balance patient health with data protection and move past outdated security practices to keep up with the pace of innovation.
Hospitals and healthcare organizations are evolving the role of cybersecurity within their business to successfully navigate digital resilience. A CISO’s relationship as a business partner and peer with executive leadership is critical for success.
The rise of telehealth and healthcare IoT tech
Driven by the Covid pandemic, telehealth services have grown exponentially in recent years, with adoption jumping from 11 percent in 2019 to 46 percent in 2022. This has led to an increase in a hospital’s threat surface.
But telehealth is not the only factor contributing to an expanded threat surface. Medical facilities of all types use a plethora of modern, lifesaving IoT technology, such as robotic surgical devices, glucose or heart rate monitors, automated insulin delivery systems, and automated medical dispensers. While these critical additions improve a patient’s access to healthcare services, they also give an attacker a wide variety of paths into the hospital’s computer ecosystem.
This means hospitals must implement more proactive, predictive, organizational risk assessment and management techniques customized to their environments. What is proper for a university hospital system might not work at an urgent care facility or a local doctor’s office.
By securing the entirety of a hospital or healthcare organization’s perimeter, security teams can reduce overlapping cybersecurity controls, mitigate critical risks, and notify teams of security threats – whether that be from within or outside the organization, such as third-party insurers and suppliers.
Healthcare security requires a team mentality
As previously noted, the key to establishing a proper security program is ensuring that the program takes the security of patient data into consideration while still providing the highest quality patient care. These controls should also comply with HIPAA standards so that only authorized individuals can access patient data.
The problem many healthcare security practitioners fall into is the “check the box” syndrome. It is easy to believe an environment is safe simply because a list of steps has been worked through.
Each healthcare organization should work to understand the specific risks that may come with the technologies used to support daily operations and patient services. These goals should be communicated beyond just the IT teams and staff to extend to affiliates and vendors in the network so that the organization can ensure there are no gaps in security and that risks are mitigated effectively.
The danger of business and personal email
Today, email is the primary avenue threat actors use to access networks across industries, and threat actors are no longer limiting their creativity to business email accounts.
Employees must understand that technology alone is not the only line of defense. Evolving security awareness and education for staff and patients is important to account for the latest trends in the successful compromise of individuals’ business email accounts and targeted personal email accounts. Individuals are also being targeted through text messages masquerading as executives and influential personnel.
Predictive risk management can help identify weaknesses in a hospital’s network of people and technologies, which will in turn unify that hospital’s cyber strategy and increase visibility across the entire IT environment.
Regardless, it’s important to keep in mind that we’re all human – and this fact remains one of the biggest threats to an organization’s security. The behavior of individual employees is crucial. Therefore, access controls like multi-factor authentication or biometrics should be put in place to add an additional layer of defense that accounts for human error and prevents potential security incidents, helping to save time, money, and even lives as a result.
To help minimize the inherent security weakness humans bring to the party, healthcare organizations should have a strong cybersecurity training plan for all employees to catch unusual email requests. We cannot rely solely on internal IT departments or an outside vendor for cybersecurity. The goal is to build a more resilient team while reducing inherent internal and external risks through strong cybersecurity training.
What is the future of medical data security?
Many, if not most, hospitals are in the process of moving their data to the cloud. This forces healthcare providers to adjust how they implement new, innovative technologies into their services to mitigate the risk to patient health, personal data, or compliance with regulations.
This change necessitates a security-first mindset across the organization.
As with most industries, healthcare should consider adopting a zero-trust approach. This security model can help decrease an organization’s attack surface, enable accurate response automation, and prevent compromise. With zero-trust security, users are authenticated, authorized, and validated each time they request access to information, regardless of where they are located in the network.
The next step for organizations to ensure their security measures can stand up to an active threat is to host virtual and in-person penetration testing. This makes certain that criminals cannot enter a facility – physically or digitally – to obtain sensitive information or conduct future cyberattacks. These cyber hygiene checks can test staff responses as well as system and network security capabilities against threats so that organizations will come out of the experience with actionable insight for any remaining areas of weakness.
The future of healthcare security will depend closely on organizations’ ability to align patient privacy and compliance standards with the ever-changing technology landscape. As accessibility and capabilities expand and the healthcare industry continues to modernize its practices, organizations must stay agile in their cybersecurity practice, including a robust data management plan, regular training and penetration testing, and continued education on the latest threats. It will be a team effort to continue to maintain the safety and security of sensitive patient data.