Six Key Areas of Security that Healthcare Organisations need to Pay Attention to During Digital Transformation


From connected smartphones, connected medical equipment and mobile endpoints used in care delivery, to the platforms and applications that store data, digital transformation is happening in the healthcare industry. Driven by the global pandemic that is forcing healthcare organizations to solve for remote caregiving of the at-risk population they serve, connected healthcare organisations can improve the patient experience as well as enhance communication and collaboration.

Yet, this shift towards digital transformation also means a growing attack surface. And, with this comes the potential for new threats and vulnerabilities which, when exploited, can lead to detrimental scenarios both digitally and physically. Unfortunately, this is not a recent revelation. In 2019, the healthcare industry suffered more cyberattacks than any other, resulting in over $17 billion in damages from data breaches in the US alone. And closer to home, a report indicated that two-thirds of healthcare organisations in the UK were breached in 2019. For healthcare institutions, providing the best care to patients is the most important objective, but this care must also extend to their patients’ sensitive data and the assets that deliver that care.

To help safely navigate this digital transformation, close cybersecurity gaps, and deliver a safer and more secure patient experience, there are six key areas healthcare providers must pay attention to:

  1. Cybersecurity risk strategy and planning

Having an appropriate cybersecurity strategy to meet the needs of the modern and digital healthcare provider is essential. But, addressing these cyber risks through each phase of strategy, design, and delivery can be complex and difficult to navigate. Healthcare organisations should turn to a trusted advisor for help with tailored services for strategy and plan management to help make sure their end-to-end environment is taken into consideration. Organisations should start with a full overview of their cybersecurity posture and risk maturity. Once this is obtained, healthcare organisations can then plan budgets and implementation strategies for their digital transformation efforts that also account for managing and reducing cyber risks.

  2. Mobile device strategy

Mobile devices, including smartphones and tablets, have become an extension of everyday life and people are rarely seen without them. They contain personal and sensitive information, having evolved from basic communication devices into mini handheld computers with endless functionalities and capabilities. They can also gain instant access to internal systems and applications – ideal when sending critical patient data and especially important for first responders and in-home care providers. However, mobile threats are continually mounting, and these devices have become a popular target for hackers to exploit. To effectively help protect these devices, and the wider organisation, healthcare enterprises must implement dedicated mobile security for the entire workforce – regardless of whether they are operating remotely or not – to help reduce the risk of mobile-based threats.

  3. Data security compliance

Data security and privacy are important for any industry, but given the highly sensitive information collected, stored and used within the healthcare sector, making sure that your organisation handles this information in accordance with industry standards is vital. It is common practice for healthcare providers to transmit sensitive electronic personal health information (ePHI) across internal networks and share data with third-party suppliers, such as medical labs, over the internet. In doing so, providers must make sure that the data is being handled appropriately in adherence to the strict compliance demands of industry regulations like HIPAA, HITRUST & GDPR.

  4. Email and internet security

As with most businesses, email is a common form of communication within the healthcare industry. Hackers are more than aware of this, with email-based threats like phishing continuing to plague this sector. Research has revealed that 77% of email-based attacks against healthcare companies have contained malicious URLs and attachments. To keep healthcare systems operational, the network needs to be protected by security that can segment and monitor against such risks. But the other element that should not be overlooked is the role of education and building security awareness within the organisation. By providing the workforce with cybersecurity awareness training, a natural human firewall will be created and act as an additional layer of security. The ability of each employee to spot these phishing expeditions before falling victim helps to greatly reduce the potential impact of email-based threats and helps healthcare providers strengthen their cybersecurity resiliency.

  5. Cloud security

With the recent COVID pandemic, digital methods became crucial for healthcare providers to reduce in-person contact and still maintain the best quality patient care. This accelerated digital transformation has led to demand for cloud (public and private) and other virtual infrastructures. With the aid of virtual environments, hospitals and general practitioners can schedule appointments, give medical advice and better share and store information. Another common benefit with these cloud providers is that they take responsibility for protecting their physical servers, storage devices, and the cloud infrastructure. While there are many positives to cloud services, it is still the responsibility of the organization that owns the data to maintain the security of that data and its configuration. Cloud solutions also have vulnerabilities that can be exploited, such as the recent spate of cloud-related security breaches that exposed millions of patient records. Security misconfigurations and unauthorized access are among the main security concerns when using cloud-based services. To help keep these vulnerabilities from being exploited, healthcare organizations should enlist skilled professionals who can help establish cloud security policies and continuously monitor their network for emerging threats.

  6. Special First Responder Services

Given the current battle against the COVID pandemic, organisations that provide medical care before, during or after an emergency are in need of assistance now more than ever to provide the best patient care in the most highly secure manner possible. To achieve this, healthcare providers should seek out dedicated managed service partners that provide a comprehensive suite of security solutions that offer continuous monitoring, help work toward regulation compliance and can be efficiently deployed to allow doctors, nurses and other key workers to communicate effectively. These service providers can be on hand to step in if an emergency arises, as witnessed with the ransomware attacks of late on healthcare organizations.

Digital innovation in the healthcare industry continues to advance the patient care experience in ways never imagined possible. But along with these advancements, bad actors with malicious intent continue to try to exploit potential vulnerabilities. Organisations must have a security-first mindset to protect against this ever-evolving environment where new and increased threats are likely to emerge. By implementing these six key areas of security, healthcare organisations can help make their digital transformation safer and continue to enhance the patient care experience.

Article by: Lisa Ashjian, Lead Product Manager, AT&T Cybersecurity