-
March 21, 2022
-
The rapid adoption of new healthcare technologies is outpacing the protective measures providers must take to reduce the risk of cyber attacks.
The negative effects of the pandemic’s disruption on the healthcare industry are widely known. But there is a positive side to that disruption — it accelerated the evolving technological landscape for healthcare organizations.
Providers already in transition to this new state are delivering care to patients through telehealth offerings and online portals that increase engagement. They’re employing connected devices that improve the safety and efficacy of medical procedures. And they’re also adapting to serve their workforces, now semi-remote since the pandemic1.
While the future appears bright, this shift comes with distinct challenges. Scarce resources and tight budgets prevent many providers from upgrading or replacing outdated systems, even when software updates are no longer available2. The rush to deploy technology, as witnessed during the pandemic, often means that patient focus takes priority over ensuring systems have implemented proper cybersecurity measures.
Of course, the patient always comes first in healthcare, but the vulnerability to cyber attacks within an industry transitioning toward a large-scale technological model is too great to ignore.
How can the twin challenges of procurement and cybersecurity awareness be overcome? Here are five ways to get started.
Bring IT and cybersecurity into the boardroom
Involving security leadership in strategic decisions at the onset establishes a partner relationship that can reduce resistance from the top. Gaining support and input allows IT to consider security concerns prior to implementing any tools and subsequently adjust as needed. Working with the board should be approached in the same manner.
With buy-in from the board, healthcare organizations can establish a proactive cybersecurity mentality that drives collaboration across all departments. By bringing senior leaders into the fold, security risks can be mitigated, patient care can be prioritized and business objectives can be met — all while improving cyber threat detection and prevention.
Identify, classify and monitor assets continuously
Knowing which technologies are deployed, where they sit within the network and how they are connected with systems that handle protected health information (PHI) is the first step in remediating cybersecurity vulnerabilities. While major hospital systems have shifted resources to cloud service providers, many still have large on-premises networks and infrastructures. This is because most are hesitant to move PHI outside of their own facilities. What’s more, the number of connected assets used daily has prevented hospitals from achieving effective inventory controls4.
Organizations need to leverage technology for continuous discovery and classification of assets if they want to reduce entry points and tighten security. Given that connected devices continuously change within a network, automation should be deployed to monitor each network device for abnormalities around the clock — all of which can be done from a security operation center.
Quantify the risk of an attack
Every cyber vulnerability or weakness presents a risk. But just like in a hospital emergency department, it is important to triage the risks based on their potential for success and impact. A vulnerability that can only be exploited with physical access to hardware, for instance, should be triaged behind a system that is exploitable through remote access to the hospital’s network — even if the negative impact of successful exploitation is the same.
To quantify the risks, organizations should take the probability of exploitation and multiply it by the impact. In other words, if the exploit would have a small impact, it is less important to prioritize. However, if the impact would stall operations, then a healthcare organization needs to determine the steps required to limit the impact through immediate detection and remediation.
Combat third-party cyber risks
System penetration of business associates now accounts for 43% of all healthcare cyber breaches — a continuation of a three-year upward trend according to Critical Insight5. The growing number of third-party breaches demonstrates an industry failing to protect critical weaknesses. Healthcare organizations must respond by carefully assessing the cybersecurity risk of any and all connected entities.
Before agreeing to services from a third-party vendor, hospitals should ask for specific compliances, such as an SOC2 report and a HITRUST certification. At a minimum, organizations should request an external penetration test to reduce security risks. Additionally, organizations should consider negotiating business associate agreements that require vendors to report breaches within a service-level agreement. The overarching goal here is to continuously monitor all vendors for evolving risks and ensure they follow the same rigorous security controls laid out by the hiring healthcare organization itself.
Craft a plan from A to Z
Whether it is bringing multiple teams together to remediate a critical “zero-day” vulnerability6 or responding to a vulnerability already exploited, a security leader is only as successful as his or her ability to respond and recover in the face of a security incident.
Healthcare security leaders must ensure that all stakeholders — executives, end users and those in between — are well rehearsed in how to respond when critical systems are interrupted by a cybersecurity incident. It’s important to regularly practice table-top exercises and refresh plans annually.
Staying Ahead
The reality is that it is no longer enough for healthcare organizations to stay in step with today’s evolving technology. Cybersecurity teams must outpace disruption repeatedly if they want to stay ahead of the threat landscape. Strengthening cybersecurity can be challenging, but it is an imperative. When done right, it not only improves a hospital’s operating model, but it also improves patient safety.
This article was drafted in collaboration with Critical Insight. Authors from Critical Insight include:
John Delano
VP CHRISTUS Health & Critical Insight Healthcare Strategist
John.Delano@criticalinsight.com
Footnotes:
1: Rebecca Pifer, “Telehealth use increased amid omicron as 2021 drew to a close,” Healthcare Dive (March 7, 2022), https://www.healthcaredive.com/news/telehealth-use-omicron-december-2021-fair-health/619922/
2: Shweta Sharma, “Outdated IoT healthcare devices pose major security threats,” IDG Communications, Inc. (January 31, 2022), https://www.csoonline.com/article/3648592/outdated-iot-healthcare-devices-pose-major-security-threats.html.
3: “Resilience Barometer 2021,” FTI Consulting, Inc. (2021), https://ftiresiliencebarometer.com/report.
4: John Orosco, “How Healthcare Consumerism is Driving Integration in 2022,” HIT Consultant Media (February 2, 2022), https://hitconsultant.net/2022/02/02/healthcare-consumerism-driving-integration/#.YgKSyOrMI2w.
5: “Healthcare Breach Report: Jan-June 2021; Security Research Data and Analysis,” Critical Insight (2021).
6: A “zero-day” vulnerability is a software or hardware vulnerability that is either unknown to the manufacturer or owner, or is known and a patch has not been developed.
7: “Resilience Barometer 2021,” FTI Consulting, Inc. (2021), https://ftiresiliencebarometer.com/report.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
About The Journal
The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.
Related Insights
Published
March 21, 2022
Key Contacts
Senior Director