
Oct 23 2024
Software

Strategies to Strengthen Corporate Resilience in Healthcare with ChromeOS

Health systems can ill afford to experience downtime after a cyberattack or natural disaster. The healthcare lead for ChromeOS offers practical tips for improving resilience across the enterprise.

As cybersecurity attacks become more sophisticated and natural disasters grow in severity and frequency, healthcare organizations need a more refined approach to resilience. This is a multifaceted effort to mitigate health system downtime and ensure that people, processes and technologies can operate when an incident happens.

“Corporate resilience is a sense of preparedness to be able to anticipate and respond to something unexpected,” says Sebastian Estades, healthcare lead for Google ChromeOS. It helps health systems limit an incident’s negative impact on patient safety, business continuity and their trust within the community.

Organizations may struggle to build resilience because it touches so many core functions and business processes. Simply put, everyone in the organization should be involved, and incident response plans need to be put to the test frequently. “The only way you know you’re ready is if you’re running drills,” Estades says.

Fortunately, the necessary steps for addressing resilience are well known, whether it’s advocating changes that make corporate culture more resilient or adopting modern technology that’s inherently more secure, such as ChromeOS.


Overcoming the Most Common Obstacles to Corporate Resilience

Building organizational resilience isn’t something that can happen overnight. Health systems can expect to encounter many roadblocks along the way. Estades describes seven strategies to help address some of the most common challenges organizations are likely to face.

  1. Get cross-functional buy-in: Organizations are ill served if they view resilience purely from an IT or operational perspective. “Few people think of end-to-end resilience,” Estades says. “They don’t understand how the IT plan impacts how nurses care for patients.” Improving resilience and incident response is a collaborative effort; clinical staff, frontline workers and even executive leadership need to be involved.
  2. Update plans frequently: As key enterprise applications move to the cloud, vendors can issue updates every few months. Business continuity and incident response plans should be updated on a similar cadence to ensure they align with the most recent software version. Along the same lines, plans should be refreshed when an organization’s executive team changes or after an incident happens. “You need to be able to adapt,” Estades says.
  3. Learn from others: Amid healthcare’s low margins, organizations are better off implementing existing best practices than reinventing the wheel. “Constant collaboration” helps make this possible, Estades says. “Healthcare is one of the few industries where leaders from different organizations are willing to help each other and talk about how they solve problems. Yes, they compete, but their mission is driving better patient outcomes and keeping patients safe.”
  4. Push the training threshold higher: Loopholes are common in employee security training requirements. Some are written policies, such as an 80% completion threshold for all employees. Others may be informal, such as exceptions for C-level executives or high-earning surgeons. Few organizations truly require 100% of employees to complete training. Despite the potential for pushback, Estades says it’s worth holding out for a higher threshold.
  5. Hold vendors accountable: From cloud configurations to authentication requirements and kernel access, there are many third-party software policies — or lack thereof — that can leave a health system vulnerable. Organizations must take the time to understand what their preferred vendors are doing, Estades says. If any policies or behaviors are found to be lacking, it’s time to speak up.
  6. Educate patients: If there’s a downside to the popularity of patient portals and digital health apps, it’s that they give attackers another entry point into the health system. To help patients avoid scams, Estades recommends organizations help them understand what legitimate outreach looks like. Explain what the hospital will and won’t ask for over the phone or in an email.
  7. Adopt zero trust: In zero-trust architecture, any attempt to access a network, data or applications requires verification and approval. Zero trust aligns closely with organizational resilience because it provides visibility into who’s trying to access what, which helps IT teams identify issues right away. Additionally, the zero-trust principle of least privilege means attackers who do obtain access can’t spread laterally across the hospital network.


ChromeOS: Built to Improve Corporate Resilience

One of the easiest ways to improve corporate resilience is taking proactive steps to prevent incidents in the first place. According to Estades, there are many reasons adopting ChromeOS offers an opportunity to do just that.

  • ChromeOS encrypts data by default, which is critical for meeting the requirements of the HIPAA Security Rule.
  • Health systems can deploy ChromeOS Flex on existing PCs and Macs to benefit from the operating system’s security without having to make new hardware purchases.
  • ChromeOS doesn’t allow root or admin-level users with elevated privileges. This aligns with zero-trust principles and reduces the attack surface if an account is compromised.
  • Similarly, ChromeOS isolates firmware and other system files so they’re not affected if users inadvertently access malicious files. On ChromeOS, each web page and application runs in a restricted environment called a sandbox. If the ChromeOS device is directed to an infected page, it can’t affect the other tabs or apps on the computer or anything else on the machine. The threat is contained.
  • With built-in security features, ChromeOS is easy to deploy and manage securely.
  • Updates to ChromeOS run automatically in the background. ChromeOS updates two copies of the operating system to ensure a smooth transition between updates. The process includes:
    • Active Partition: The system boots into the active partition, which is the copy with the higher priority at boot time.
    • Inactive Partition: When a new update is available, it's written to the inactive partition.
    • Reboot: After a successful reboot, the inactive partition becomes active, and the active partition becomes inactive.

Altogether, a 2024 Atredis Partners report notes that ChromeOS came with “hardened default configuration and behaviors,” due in large part to its roots as an operating system for cloud-hosted applications and data. Further, the report says, “ChromeOS users do not need to understand the low-level security configuration or hardening options available to their device’s operating system in order to have the most secure experience available.” Meanwhile, a 2023 Forrester analysis shows that ChromeOS experienced 24% fewer security attacks than other operating systems, along with a 44% lower cost of operations over a three-year period. In addition, ChromeOS has had zero reported ransomware attacks.

“With ChromeOS, organizations are no longer running an operating system that requires multiple vendors on top of it for management and security,” Estades says. “By reducing costs as well as risks, we’re allowing organizations to focus on other critical elements of security and resilience.”
