The digital modernization of healthcare across patients, staff, physicians and technology is challenging the skills and capabilities of security teams on a scale not seen in the past.
In the US in July of this year, there were 66 data breaches of 500 or more exposed records reported to the Office of Civil Rights of the Department of Health and Human Services. Although the number of violations was down slightly from June, the total was still above the 2022 monthly average rate of 57.
One reason for this surge in attack activity is that digital transformation has outpaced current healthcare security controls, creating loopholes for bad actors to exploit. The explosive growth of the interconnected Internet of Things (IoT) and advanced medical devices designed to improve patient care have also expanded attack surfaces—and cybercriminals are taking advantage.
The danger to medical IoT devices is so great that the FBI recently released recommendations specifically for protecting medical devices.
The good news is that there are protective and preventative measures that can be put in place, although these alone do not guarantee resilience. To achieve resilience, healthcare organizations must balance patient health with data protection and move past outdated security practices to keep up with the pace of innovation.
Hospitals and healthcare organizations are evolving the role of cybersecurity in their business to successfully address digital resilience. The CISO’s relationship as a business partner to executive leadership is critical to success.
The Rise of Telehealth and IoT Technologies in Healthcare
Driven by the Covid pandemic, telehealth services have grown exponentially in recent years, with adoption jumping from 11 percent in 2019 to 46 percent in 2022. This has led to an increase in the hospital’s threat surface.
But telehealth is not the only factor contributing to the expanded threat surface. Medical facilities of all types are using a variety of advanced, life-saving IoT technologies, such as robotic surgical devices, glucose or heart rate monitors, automated insulin delivery systems, and automated medical dispensers. While these critical additions improve a patient’s access to healthcare services, they also provide an attacker with a wide variety of paths into the hospital’s computing ecosystem.
This means that hospitals must implement more proactive, predictive organizational risk assessment and management techniques tailored to their environment. What works for a university hospital system may not work in an urgent care facility or local doctor’s office.
By securing the entire perimeter of a hospital or healthcare organization, security teams can reduce overlapping cybersecurity controls, mitigate critical risks, and notify teams of security threats, whether they originate inside or outside the organization, such as from insurers and third-party vendors.
Healthcare security requires a team mentality
As noted earlier, the key to installing an appropriate security program is to ensure that the program takes into account the security of patient data while providing the highest quality of patient care. These controls must also meet HIPAA standards to allow only authorized individuals to access patient data.
The problem that many healthcare security professionals fall into is the “tick the box” syndrome. It’s easy to think that one is making one’s environment safe by simply going through a list of steps.
Every healthcare organization must work to understand the specific risks that may come with the technologies used to support day-to-day operations and patient care. These goals should be communicated beyond just IT teams and staff to extend to affiliates and network vendors so that the organization can ensure that there are no security gaps and that risks are effectively mitigated.
The danger of business and personal email
Today, email is the primary vehicle threat actors use to access networks across industries, and they no longer limit their creativity to business email accounts.
It is important to convey to employees that technology alone is not the only line of defense. Developing security awareness and training for staff and patients is important to account for some of the latest trends in successfully compromising business email accounts and targeted personal email accounts. Individuals are also targeted through text messages masquerading as executives and influential employees.
Predictive risk management can help identify weaknesses in a hospital’s network of people and technology, which in turn will unify that hospital’s cyber strategy and increase visibility across the entire IT environment.
Regardless, it’s important to keep in mind that we’re all human – and that fact remains one of the biggest threats to an organization’s security. The behavior of individual employees is critical. Therefore, access controls such as multi-factor authentication or biometrics should be implemented to add an additional layer of protection that accounts for human error and prevents potential security incidents, thereby helping to save time, money and even lives.
To help minimize the inherent security weakness that people bring to the party, healthcare organizations should have a strong cybersecurity training plan for all employees so that they can catch unusual email requests. We cannot rely solely on internal IT departments or an external cybersecurity vendor. The goal is to build a more resilient team while reducing inherent internal and external risks through strong cybersecurity training.
What is the future of medical data security?
Many, if not most, hospitals are in the process of moving their data to the cloud. This is forcing healthcare providers to adjust how they implement new, innovative technologies into their services to reduce risk to patient health, privacy or regulatory compliance.
This shift is forcing a security-first mindset across the organization.
As with most industries, healthcare should consider adopting a zero trust approach. This security measure can help reduce an organization’s attack surface, create accurate response automation, and prevent compromise. With zero trust security, users are authenticated, authorized and validated every time they request access to information, no matter where they are on the network.
The next step for organizations to ensure their security measures can withstand an active threat is to host virtual and in-person penetration tests. This ensures that criminals cannot enter a facility, physically or digitally, to obtain sensitive information or carry out future cyber attacks. These cyber hygiene checks can test staff responses as well as system and network security capabilities against threats, so that organizations emerge from the exercise with actionable information about any remaining areas of weakness.
The future of healthcare security will depend heavily on the ability of organizations to align patient privacy and compliance standards with the ever-changing technology landscape. As accessibility and capabilities expand and the healthcare industry continues to modernize its practices, organizations must remain agile in their cybersecurity practice, including a robust data management plan, regular training and penetration testing, and continuous education about the latest threats. It will be a team effort to continue to maintain the safety and security of sensitive patient data.