The healthcare sector has been in the midst of digital transformation for some time, and the COVID-19 pandemic is further accelerating the use of cloud services and digital tools. Another change in the industry: more and more digitally native "health tech" companies are entering the market and enabling the digitization of health services.
The advantages of digital transformation are undisputed in the industry, but the healthcare sector in particular is increasingly becoming the target of cyberattacks, and the consequences there can be severe: beyond the damage to the attacked organization, an attack can delay medical care or, in the worst case, cost human lives.
Since the beginning of the COVID-19 pandemic, healthcare providers have moved even further into the focus of attackers seeking to exploit this vulnerable phase. An example from the US: the US Department of Health and Human Services recently reported a 50 percent increase in cybersecurity breaches at hospitals and healthcare networks, indicating a stronger focus on the industry. In September 2020, a ransomware attack paralyzed the University Hospital in Düsseldorf and was linked to the death of a patient who had to be diverted to another hospital.
Healthcare IT systems face increased risk because more and more end users rely on technologies such as telemedicine or dedicated health apps, and in doing so share sensitive personal data. In addition, much of the medical infrastructure consists of outdated, heterogeneous systems with obvious security limitations.
The industry is also an attractive target in its own right: health service providers increasingly offer telemedicine, apps, services and networked end devices, and in doing so generate large amounts of Protected Health Information (PHI). This sensitive data trades at a premium on the dark web, and high-value assets such as vaccine research and development are also valuable targets for commercial and political purposes.
There is no doubt that healthcare is a systemically essential, critical service. Health organizations and service providers have to strengthen their cybersecurity in the middle of the pandemic. While most cybersecurity measures are industry-independent, there are specific nuances the healthcare industry needs to consider.
Health Care & IT Hygiene
Healthcare organizations must take a zero-tolerance approach to IT hygiene and put in place the controls needed for third-party risk management. Existing guidelines for high-risk procedures, such as life-support systems, and for sensitive assets, such as vaccine trials, must be tightened considerably.
Organizations should strictly adhere to software and hardware security basics: keeping applications and operating systems up to date, replacing outdated or unsupported medical devices, and implementing security measures for remotely networked devices. Where a device cannot be patched or replaced, for example because its certification is tied to a specific software version, it should be isolated in its own network segment with only the connections it actually needs.
Zero Trust Model
With the increasing spread of telemedicine and more remote work by healthcare professionals, securing the perimeter is no longer enough. Instead, organizations need new, resilient models adapted to the new environment, in which every access request is verified regardless of where it comes from.
Healthcare organizations should grant only the privileges that are needed: people get access only to the data they need to complete their tasks, and only necessary applications are exposed for remote access. With network segmentation, organizations can also ensure that business-critical systems, for example for life support or research and development, are separated from the rest of the IT environment.
Organizations should also focus on data minimization: only necessary data is collected and processed, and it is anonymized where possible. To protect sensitive data such as PHI and research and development assets both at rest and in transit, companies need automated systems for data identification and classification, and for data loss prevention.
The healthcare industry must also introduce stricter data access controls. These restrict access to the individual and their healthcare provider and, where applicable, a government agency managing public health, as in the case of COVID-19. Strong encryption, data masking and standard access controls together ensure that only authorized users can access the data.
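As an added illustration of the least-privilege, need-to-know and masking controls described in this section (not code from the original article), the following Python sketch enforces a treating-relationship check before releasing a record, masks the fields a role does not need, drops direct identifiers and pseudonymizes the record ID for research use, and writes every decision to an audit trail. All records, roles, usernames, the policy table and the pseudonymization key are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample records with fictional data (not real PHI).
RECORDS = {
    "MRN-1001": {"name": "Alice Example", "dob": "1980-04-12",
                 "ssn": "123-45-6789", "diagnosis": "Type 2 diabetes", "ward": "3B"},
    "MRN-1002": {"name": "Bob Example", "dob": "1975-09-30",
                 "ssn": "987-65-4321", "diagnosis": "Pneumonia", "ward": "ICU"},
}

# Fields each (hypothetical) role may see in clear; anything else is masked.
# A role missing from this table gets nothing: deny by default.
CLEAR_FIELDS = {
    "physician":  {"name", "dob", "ssn", "diagnosis", "ward"},
    "nurse":      {"name", "dob", "diagnosis", "ward"},  # no SSN needed for care
    "billing":    {"name", "dob", "ssn"},                # identifiers, no clinical detail
    "researcher": {"diagnosis", "ward"},                 # de-identified data only
}
DEIDENTIFIED_ROLES = {"researcher"}       # work from extracts, no treating relationship
DIRECT_IDENTIFIERS = {"name", "ssn"}      # dropped entirely from de-identified views
PSEUDONYM_KEY = b"example-key-rotate-me"  # assumption: a real system pulls this from a KMS

AUDIT_LOG = []  # every decision, allowed or denied, is recorded


@dataclass(frozen=True)
class User:
    username: str
    role: str
    patients: frozenset  # MRNs this user currently has a treating relationship with


def mask(field, value):
    """Partial masking: keep just enough to be useful, never the full identifier."""
    if field == "ssn":
        return "***-**-" + value[-4:]
    if field == "dob":
        return value[:4] + "-**-**"  # year only
    return "[redacted]"


def pseudonym(mrn):
    """Keyed hash so research rows can be linked without revealing the MRN."""
    return "P-" + hashlib.sha256(PSEUDONYM_KEY + mrn.encode()).hexdigest()[:12]


def view_record(user, mrn):
    """Return the fields of `mrn` the user may see, or raise PermissionError."""
    decision = "deny"
    try:
        if user.role not in CLEAR_FIELDS:
            raise PermissionError(f"role {user.role!r} has no PHI entitlement")
        if user.role not in DEIDENTIFIED_ROLES and mrn not in user.patients:
            raise PermissionError(f"{user.username} has no treating relationship with {mrn}")
        record = RECORDS.get(mrn)
        if record is None:
            raise PermissionError("access denied")  # same error: don't leak which MRNs exist
        allowed = CLEAR_FIELDS[user.role]
        view = {f: (v if f in allowed else mask(f, v)) for f, v in record.items()}
        if user.role in DEIDENTIFIED_ROLES:
            for f in DIRECT_IDENTIFIERS:
                view.pop(f, None)
            view["id"] = pseudonym(mrn)
        else:
            view["id"] = mrn
        decision = "allow"
        return view
    finally:
        AUDIT_LOG.append((user.username, user.role, mrn, decision))


def is_denied(user, mrn):
    """True when the policy refuses the access (convenience for callers and tests)."""
    try:
        view_record(user, mrn)
    except PermissionError:
        return True
    return False
```

The order of the checks matters: the role entitlement and the treating relationship are evaluated before the record is even looked up, and an unknown MRN produces the same error as a forbidden one, so a caller cannot enumerate which records exist. In a real deployment the audit entries would go to an append-only store rather than an in-memory list.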
Secure By Design
Modern companies must ensure that cybersecurity is considered during the development phase (security by design) rather than bolted on afterwards. This requires secure coding guidelines and practices such as DevSecOps.
Ongoing compliance management, with timely patching and a focus on threats, vulnerabilities, risks and incidents, is also essential. Employees must be involved too: only with a thorough understanding of and sensitivity to IT security can staff intuitively defuse security risks, and a solid corporate security culture rounds this off.
Compliance And Risk Management
The healthcare ecosystem consists of a large number of partners and providers along the value chain. In this networked but uneven structure, every participant has to take care of cybersecurity individually.
Organizations must develop and implement effective partner risk management programs to secure data and protect it from cyberattacks. This can be achieved by assessing the security posture of partners, followed by risk-based partner segmentation and the application of zero trust principles to partner connectivity and access management.
Managed Detection And Response
The cyber threat landscape is constantly evolving, and new threats appear almost daily. A well-defined playbook for quickly identifying and responding to threats and security breaches is therefore critical.
Healthcare organizations need to use machine learning and behavioural analytics to proactively identify anomalies and threats, and to develop fast isolation (sandboxing) and recovery processes. Only then can they position themselves as cyber-resilient and protect themselves.
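As an added illustration of the behavioural analytics the paragraph calls for (not code from the original article), the Python below builds each user's own baseline of distinct patient records viewed per day from a constructed EHR access log and flags the day on which a user views far more records than usual, a classic sign of record snooping or a compromised account. The log lines, usernames and thresholds are constructed; the approach is a simple per-user statistical baseline rather than a trained ML model.

```python
import statistics
from collections import defaultdict

DAYS = [f"2020-10-0{d}" for d in range(1, 7)]  # six constructed days


def build_sample_log():
    """Constructed audit lines (timestamp user action MRN); not from a real EHR."""
    lines = []
    # n.jones: 3 or 4 distinct patients a day for five days, then 20 at 2 a.m. on day six.
    for i, day in enumerate(DAYS[:5]):
        for k in range(3 + i % 2):
            lines.append(f"{day}T08:{k:02d} n.jones view MRN-{1000 + k}")
    for k in range(20):
        lines.append(f"{DAYS[5]}T02:{k:02d} n.jones view MRN-{2000 + k}")
    # d.patel: consistently busy (12 a day) and must not be flagged.
    for day in DAYS:
        for k in range(12):
            lines.append(f"{day}T09:{k:02d} d.patel view MRN-{3000 + k}")
    return "\n".join(lines)


def parse(text):
    """Return (day, user, action, mrn) tuples from the whitespace-separated log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append((ts[:10], user, action, mrn))
    return events


def distinct_patients_per_day(events):
    """user -> day -> number of distinct MRNs touched (repeat views of one chart count once)."""
    per_user = defaultdict(lambda: defaultdict(set))
    for day, user, _action, mrn in events:
        per_user[user][day].add(mrn)
    return {u: {d: len(s) for d, s in days.items()} for u, days in per_user.items()}


def detect_spikes(events, min_history=3, sigma=3.0, floor=5):
    """Flag a user-day whose distinct-patient count exceeds that user's own baseline.

    Baseline = mean of the user's earlier days; threshold = mean + sigma*stdev,
    but at least mean + floor so a user with a perfectly steady history is not
    flagged for a single extra patient. Each day is judged only against the
    days before it, so the anomalous day never pollutes its own baseline.
    """
    counts = distinct_patients_per_day(events)
    alerts = []
    for user, days in counts.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough history to judge
            mean = statistics.mean(history)
            threshold = max(mean + sigma * statistics.pstdev(history), mean + floor)
            if days[day] > threshold:
                alerts.append({"user": user, "day": day, "count": days[day],
                               "baseline": round(mean, 1), "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(parse(build_sample_log())):
        print(f"ALERT {a['user']} on {a['day']}: {a['count']} patients "
              f"(baseline {a['baseline']}, threshold {a['threshold']})")
```

Comparing each user against their own history rather than a global average is what keeps the consistently busy account quiet while the quiet account that suddenly opens twenty charts is flagged; a production version would add further signals such as off-hours access, accesses to patients outside the user's ward, and views of records belonging to colleagues or public figures.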