Jul 19 2019

Why Basic Security Compliance Isn’t Enough for Healthcare Orgs

A “checkbox” mentality can leave crucial data exposed and systems vulnerable, a new report says.

The leading concern of healthcare industry executives is compliance, according to a recent study by endpoint security vendor Carbon Black. But too many organizations — even those that take basic precautions — end up becoming breach victims.

Healthcare facilities increasingly are targeted by cybercriminals for the large amount of protected information they collect and store. And as adoption of the Internet of Things and medical devices grows, so does the potential for attacks.

But there’s good news: Healthcare CISOs, the report found, are more aware of the threat than ever.

To employ that awareness and help organizations move beyond basic compliance, we’ve compiled several key recommendations from Carbon Black to apply when crafting — and maintaining — a security program:


Increase Your Organization’s Endpoint Visibility

As adoption of electronic health records and BYOD programs becomes more mainstream, CISOs must consider the vulnerability of their endpoints.

Carbon Black’s healthcare customers observed an average of 8.2 attempted cyberattacks per endpoint in each month of 2018, the report notes. 

Indeed, bad actors have used endpoints in recent years to shut down everything from a hospital’s access to patient records to its critical systems, making it virtually impossible to administer effective patient care.

“CISOs need to look at any connected asset as a potential target,” the report states. “This includes electronic medical-record systems, medical devices, payment processing systems, and more.”

Increased visibility into endpoints such as these can provide organizations with actionable insights while also helping them to prevent threats.

Perform Regular System Audits and Vulnerability Assessments

Among surveyed healthcare organizations, 66 percent believe that cyberattacks have grown more sophisticated over the past year.

The report examines multiple types of sophisticated intrusions, from fileless attacks and destructive attacks to island hopping, which allows an attacker to set up command posts across a network, rendering it ineffective.

The report states that 33 percent of surveyed healthcare organizations say they’ve encountered instances of island hopping on their enterprise networks over the past year.

One way to counter attacks such as these is by conducting frequent threat hunting.

“With the risk of island hopping ever-present, you should be auditing systems regularly and establishing remediation steps across all your security infrastructure,” notes the report.


Back Up Your Data to Ensure It’s Not at Risk

Even after taking all the necessary steps to prepare for a cyberattack, an organization still might have to face the unthinkable. 

Consider the current landscape: Of the organizations surveyed for the report, 83 percent say they witnessed an increase in cyberattacks in the past year; 66 percent say that they were targeted by a ransomware attack in the past year; and nearly half say they witnessed attacks where destruction of data was the primary motivation.

That’s why healthcare organizations must take a pre-emptive approach with their data and prepare for the worst.

“Destructive attacks, including ransomware, don’t need to destroy your business,” the report states. “Employ best practices for data backup to ensure your data is never at risk.”
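A backup only protects against a destructive attack if you can prove, before you need it, that the copy is complete and untouched. The script below is an added example written for this article (it is not code from Carbon Black or HealthTech): it records a SHA-256 manifest for a backup set, then re-verifies the set and reports files that were modified (for example, encrypted by ransomware) or removed. The backup tree it inspects is constructed in a temporary directory so the example runs offline; the file names are illustrative and hold no real patient data.

```python
"""Verify a backup set against a stored SHA-256 manifest.

Constructed example: a tiny backup tree is created in a temp directory so the
script runs offline. Paths and file names are illustrative, not real PHI.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against the manifest.

    Returns three lists: files whose digest still matches, files whose
    content changed (ransomware encryption, corruption, tampering), and
    files that are missing (deleted or never written).
    """
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the manifest; keep this copy apart from the backup itself."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed backup set, snapshot it, then damage it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample db")
        (backup / "config.yml").write_text("retention_days: 30\n")
        (backup / "notes.txt").write_text("constructed sample notes\n")

        # The manifest lives outside the backup tree so it is not hashed itself.
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)
        manifest = load_manifest(manifest_path)

        clean = verify_manifest(backup, manifest)

        # Simulate damage: one file overwritten in place, one file deleted.
        (backup / "ehr" / "patients.db").write_bytes(b"\x00garbage\x00")
        (backup / "notes.txt").unlink()
        damaged = verify_manifest(backup, manifest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be written to a location the backup job cannot overwrite (an offline or write-once store), and the verification run on a schedule; a non-empty `modified` or `missing` list is the signal to investigate before the next rotation discards the last good copy.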

