Security

Strengthening Healthcare Security: 3 Vital Ideas for a Comprehensive Game Plan

Healthcare organizations must start thinking differently about cybersecurity and operational efficiency, and how these two elements can be linked together.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

As healthcare IT environments grow more complex with an ever-expanding attack surface, departments must consider a holistic approach to security. IT teams have more than just malware and phishing to worry about — there’s also a wealth of connected medical devices, mobile devices, telehealth tools and remote patient monitoring solutions to protect.

By embedding security and governance within the organization during digital transformation, healthcare IT teams ensure all aspects of the organization are being monitored.

"Whether it’s patient scheduling or departments such as radiology, everything is connected to an electronic ecosystem," says Fortinet CISO Troy Ament. "What the adversaries are able to do — and this is why health systems have become a big target — is to very easily shut down operations, which can harm patients and health systems."

EXPLORE: How Fortinet delivers security to healthcare organizations without compromise.

1. Start with a Strong Security Foundation

A critical part of a holistic security approach, Ament says, is adopting some type of security framework that has a maturity cycle, such as the one offered by the National Institute of Standards and Technology. The NIST Cybersecurity Framework has five levels of maturity: identify, protect, detect, respond and recover.

"Organizations should have a layered approach to security and build their security maturity with something foundational, like inventory management and network segmentation," he says.

Building on that foundation — for example, adopting a zero-trust framework — are all things that move an organization up the maturity scale toward more advanced security practices, Ament adds. "Then, you can look at introducing technologies like artificial intelligence and automation, so you can move another step ahead," he says.

Click the banner below for more HealthTech content on security and zero trust.

2. Consolidation Allows for Innovation in Healthcare

Another important approach is to focus on consolidating many point-based solutions into one cohesive, consolidated network security platform. From a cost perspective, this lets organizations invest more deeply in security because it frees up budget to purchase more technologies for automation and orchestration. Ament calls this a key factor to any successful security strategy because malicious actors are using these very same tools to try to break through defenses.

“There are going to be more adversaries, more threats and an increased number of attacks, so if you're an organization that's become very operationally efficient, you've got a very efficient security plan — or security fabric, which is what we call it here at Fortinet,” Ament says.

EXPLORE: Why healthcare organizations should begin their zero-trust implementations with identity.

This fabric allows for more investment in automation, which can in turn resolve more security issues, incidents or potential breaches before they happen — with fewer resources internally, at a lower cost.

"If you can embed security from the beginning so that you're not having to go back and bolt on security or reassess your entire technology strategy, you're going to be able to continue to move up that maturity scale much faster," Ament says.

3. Scrutinize Data Management and Shed Duplicate Systems

From a patient data perspective, Ament says lack of governance over data sprawl is often an issue for healthcare providers who have moved from one electronic medical record to another.

“They've got the same data stored in many different ancillary, legacy systems,” he says. "One area of governance that's really important is, as you're adopting a new EMR, ensuring you're archiving the old data and getting it out of the environment."

Organizations that store sensitive data in 10 different places have increased their attack surface, he says.

"You've given adversaries more areas to attack, as well as more areas you need to defend," Ament says. "Just think about the vulnerability management and all the security layers that go into protecting those systems."

Healthcare organizations need to take a closer look at tech consolidation to ensure they're not wasting resources guarding underused or duplicate systems. "I think it's more important than ever for healthcare organizations to deploy an effective cybersecurity strategy because we’ve seen in the past 18 months — week after week, really — one health system after another fall victim to ransomware attacks that are affecting patient care and causing harm," he says.

In addition to the impact this has on information security and patient care, there is also a significant financial cost that must be considered, Ament adds.

"When we look at the average impact of a cyberattack on health systems, it used to be these would affect organizations for maybe 12 to 24 hours. But what we're seeing on average is health systems with one to four weeks of downtime," he says. "That's significant to the bottom line and affects revenue for these health systems, with delayed or canceled elective surgeries."

Brought to you by: