The last few years have seen a rapid uptake in new technologies within the healthcare sector. A trend accelerated by the need to rapidly adopt telemedicine due to the pandemic. This led to many quick decisions around IT procurement and deployment to get remote services up and running. The need to deliver for patients was paramount, and this justified the rapid deployment of IT assets. But as time goes on, these new technology deployments can turn into technical debt, especially when considering cybersecurity.
Cybersecurity in healthcare (and other sectors) requires an approach and strategy with both top-down and bottom-up components. Everyone within a healthcare provider plays a part in delivering cybersecurity to protect patients from criminals and malicious cyberattacks.
Earlier this year, John Delano, VP CHRISTUS Health & Critical Insight Healthcare Strategist, connected with consultants from the FTI Journal to discuss how healthcare organizations can deal with the dual challenge of rapid IT procurement while ensuring cybersecurity is maintained. The five ideas they outlined on how to deliver on these dual requirements are summarized below.
Bring IT and Cybersecurity into the Boardroom
Getting senior leadership buy-in for strategic decisions around IT procurement and cybersecurity is essential. Doing so establishes a partner relationship that can make it easier to get the go-ahead and funding required from leadership to deliver ongoing cybersecurity projects.
With board support, the IT teams in healthcare organizations can develop long-term cybersecurity plans that cut across all departments. Doing this allows IT services to have ongoing improvements year on year while at the same time maintaining cybersecurity and delivering the requirements of regulations such as HIPAA.
Identify, Classify and Monitor Assets Continuously
You can’t protect what you can’t see is a maxim often repeated in cybersecurity circles. In a nutshell, it points to the fact that you must know what’s on your network and what is connecting remotely to access and mitigate risk. The last few years have seen a significant increase in both the number of devices connecting to healthcare systems and in the number doing so remotely. All indications are that telemedicine and remote working for admin staff will continue via a hybrid model. The pre-pandemic working models are gone for many healthcare organizations.
This means that securing protected health information (PHI) will remain challenging for cybersecurity teams. A significant part of doing so will be to use continuous discovery and classification of assets on the network (both locally and remotely connected) to understand what’s connected and what the risks are. Managed Detection and Response (MDR) services that operate from dedicated 24x7 Security Operations Centers (SOC) are a good way for many healthcare providers to obtain and deliver the required level of monitoring. Ideally coupled with a Security Information and Event Management (SIEM) system that captures security data from every system and device connected, analyses trends, and presents the overall security picture in real-time with alerts generated regarding any analogous behavior.
Quantify the Risk of an Attack
All cybersecurity vulnerabilities have an associated risk, but not all these risks are equal. In the same way that triage occurs in a hospital emergency department so that critical cases can be dealt with first, IT teams need to triage their cybersecurity risks and deal with the one with the highest risk before the others. A vulnerability that requires physical access to hardware in a hospital should get fixed after a vulnerability that attackers can exploit remotely (assuming the impact of both attacks would be the same).
When assessing risks and prioritizing the order to address them on a plan, healthcare organizations should consider the probability of exploitation and multiply it by the impact. If the result of having a system compromised is small, then it can be further down the list. If the impact would affect healthcare delivery, it will be a higher risk and need addressing quickly. You can’t fix everything at once and need to create a plan that addresses risks over time without impacting patient care.
Critical Insight has decades of experience assessing and evaluating risks in healthcare and other critical infrastructure providers. We can work with your team to determine your current situation and devise a timeline to address all risks via a sensible plan. We can also help you apply for emergency cybersecurity funding via schemes set up via IIJA (Infrastructure and Investment Jobs Act).
Combat Third-Party Cyber Risks
Critical Insight research shows that 43% of healthcare cyber breaches originated via third-party and supply chain partners. This means that when considering cybersecurity, you must include the security posture of your partner organizations in risk assessments.
Healthcare organizations should ask for cybersecurity assurances before working with a third-party vendor or supplier. The information requested might include:
- A Systems and Organizations Controls (SOC) 2 report demonstrating compliance with the American Institute of Certified Public Accountants covered controls. Note that this use of SOC is different from its Security Operations Centre use.
- HITRUST Certification Framework.
- Documented external penetration test of the vendor network by a reputable external security company.
- A business process agreement that requires vendors to disclose cyberattacks and breaches.
The goal for all healthcare organizations working with vendors and suppliers should be to continuously monitor third parties they connect with electronically (even if that is only via email) for changes in risk posture and ensure that they operate at the same high level of cybersecurity protection.
Craft a Plan from A to Z
Creating a plan before a cybersecurity incident occurs is vital to ensure that the impact gets reduced and that a healthcare organization can continue to deliver patient care. When everyone knows what to do in an incident, the response and the outcome will be better.
Healthcare organizations should have well-documented response plans that all stakeholders should be aware of and have practiced. This includes executives in the leadership team, clinicians on the front line, and everyone in between. These plans should cover how IT teams will respond to protect and clean up systems and how clinical teams can continue to operate if an attack disrupts systems. Plans need to be regularly practiced via tabletop exercises and need refreshing annually to remain effective.
Contact Critical Insight for Advice and Help
Today’s reality is that healthcare providers need to stay in step with advances in medical treatments as well as the changing cybersecurity landscape. Cybersecurity teams need to stay ahead of the changing tactics used by cybercriminals. This can be a challenge, but it is essential to ensure the continued functioning of healthcare provision in this age where technology plays such an important role.
Delivering cybersecurity services to protect critical infrastructure and IT systems in organizations such as healthcare providers is why Critical Insight exists. We have decades of experience in our team across the health sector, local government, state government, and private sector critical infrastructure providers. We can provide cybersecurity services and assistance to healthcare providers across their whole operation. We can work with your IT and leadership teams to assess, plan, and improve your cybersecurity posture over a timescale that makes sense for your organization. Contact us to start a conversation.