2. Lack of Senior-Level Investment in Network Monitoring
Sometimes senior-level executives fail to commit to investing in network monitoring, according to Gregory.
Plans may not align with their business, or they may lack a clear understanding of the need for healthcare monitoring in their organizations, Gregory says.
“When we don’t see the investment in the right-sizing of the resources in house —and remember, this has to be a 24/7 capability — that’s one of the largest mistakes,” Sickles says. “If you can’t do it yourself with a commitment of resources, you have to have a partner to help you with this.”
Gaining commitment from stakeholders involves education, says Itai Greenberg, chief strategy officer at Check Point Software Technologies.
“Healthcare organizations need to develop a security strategy and educate users, management, operations and system developers on what the policy is and their role in keeping patient information safe,” Greenberg says.
DISCOVER: How CDW services can help healthcare organizations implement zero trust.
3. Implementing Incompatible Technologies in the Network
Many healthcare organizations have legacy systems that are no longer compatible with existing technologies. They can’t be patched and may lack code, but the technology is still left in place, according to Gregory.
“To implement zero trust, there has to be interoperability and orchestration between the applications and networking components and devices,” Gregory says. “Anything that is on the network needs to be able to talk with everything else.”
Zero trust also involves securing all the Internet of Medical Things (IoMT) devices on the network, according to Greenberg.
“With no security, attackers will use vulnerable IoMT devices to breach your perimeter defenses. Zero trust starts with discovery of IoMT devices and then autonomously applies a least-privilege zero-trust security policy,” Greenberg says.
4. Proper Deployment and Communication of Controls
Sometimes healthcare organizations are unable to properly implement network controls because they can’t advocate for what the controls will do, Gregory says.
In addition, security controls must be deployed so they keep up with the speed of business innovation, Greenberg says.
“If security cannot move at the speed of business innovation, the security controls will most likely be disabled, exposing the business to attack,” Greenberg says. “There needs to be a balance. To make it easier, Security as Code should be integrated into the application DevOps process as early as possible.”