Securing healthcare organizations: The challenges CISOs face
Healthcare organizations are ideal targets for criminals looking to steal personal and other sensitive information, as the industry is lagging behind when it comes to cybersecurity.
Healthcare breaches involving ransomware increase year over year, but ransomware is just one of the problems information security professionals in healthcare need to face, minimize or, better yet, head off.
Challenges specific to the healthcare industry
To be sure, healthcare CISOs’ work is not easy: one of the biggest challenges they face is the open and diverse IT environment of the industry.
“Healthcare systems’ internal IT architectures are comprised of complicated, vast networks that are extremely vulnerable by design. For example, when trying to secure one hospital, CISOs need to consider and secure a seemingly endless number of data access points crossing all lines of business,” says Mark Beckmeyer, Director of IT Security at Binary Fountain.
“Within a hospital’s health IT environment, data can be accessed by a plethora of personnel including, but not limited to: physicians, nurses, clinicians, administrative staff, information technologists, compliance, receptionists, patients and numerous other medical and support personnel. If the hospital is part of a larger network, other remote campuses may require access to patients’ personal and protected healthcare information (PHI). Additionally, ancillary locations (i.e., pharmacies, physician offices, insurance companies) need access to patients’ data. In general, the larger the network, the more risk is associated with trying to keep networks/systems secure.”
Another challenge with fending off targeted healthcare attacks involves the industry’s open IT permission culture.
“Healthcare systems tend to grant multiple people (e.g., students, vendors, etc.) ‘permanent access’ to various systems/networks and these permissions largely go unchecked. Healthcare organizations need to better monitor and limit who they grant IT access to as well as place time-limits on employees’ ability to access certain networks,” he notes.
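The access-review rules Beckmeyer describes (no open-ended access for students, vendors and other temporary roles, revocation of expired grants, and periodic recertification of standing access) can be turned into a check that runs over an export of access grants. The following Python is an added example, not code from the article or from Binary Fountain; the grant records, role names and thresholds (90 days dormant, 365 days before recertification) are constructed assumptions and would be replaced by the organization's own identity data and policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy: roles that must never hold open-ended access.
TEMPORARY_ROLES = {"student", "vendor", "contractor", "locum"}
DORMANT_AFTER = timedelta(days=90)      # grant unused this long -> dormant
RECERTIFY_AFTER = timedelta(days=365)   # standing (no-expiry) access older than this -> recertify


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    system: str
    granted: date
    expires: Optional[date]      # None means "permanent access"
    last_used: Optional[date]    # None means never used since it was granted


def review_grants(grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, system, reason) findings an access review should act on.

    A single grant can produce several findings, e.g. an expired vendor
    account that is also dormant.
    """
    findings = []
    for g in grants:
        if g.role in TEMPORARY_ROLES and g.expires is None:
            findings.append((g.user, g.system, "permanent access for temporary role"))
        if g.expires is not None and g.expires < today:
            findings.append((g.user, g.system, "expired but not revoked"))
        # Treat a never-used grant as idle since the day it was issued.
        last_activity = g.last_used or g.granted
        if today - last_activity > DORMANT_AFTER:
            findings.append((g.user, g.system, "dormant"))
        if g.expires is None and today - g.granted > RECERTIFY_AFTER:
            findings.append((g.user, g.system, "standing access due for recertification"))
    return findings


# Constructed sample export (hypothetical users and systems, not real data).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_GRANTS = [
    Grant("dr.adams",       "physician", "EHR",      date(2024, 1, 15), None,             date(2024, 5, 30)),
    Grant("med.student1",   "student",   "EHR",      date(2023, 9, 1),  None,             date(2024, 5, 28)),
    Grant("vendor.imaging", "vendor",    "PACS",     date(2023, 3, 1),  date(2023, 9, 1), date(2023, 8, 20)),
    Grant("vendor.hvac",    "vendor",    "BMS",      date(2024, 5, 1),  date(2024, 7, 1), date(2024, 5, 29)),
    Grant("nurse.ortiz",    "nurse",     "Pharmacy", date(2022, 4, 1),  None,             date(2024, 1, 10)),
    Grant("billing.clerk",  "admin",     "Billing",  date(2024, 3, 1),  None,             None),
]


if __name__ == "__main__":
    for user, system, reason in review_grants(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{user:16} {system:10} {reason}")
```

Run against the sample data, the physician with recent, recently granted access and the vendor with a future expiry produce no findings; the student with no expiry, the long-expired imaging vendor, the nurse's unused standing grant and the never-used billing account are each flagged with the reason a reviewer needs to act on them.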
One of the security challenges specific to the healthcare industry is the wide-open physical environment intentionally designed into hospitals. With all the unguarded points of ingress/egress and the lack of any real visitor control, these organizations are subject to theft or damage of IT assets, unauthorized access to patient medical files (both electronic and hardcopy), and many other threats to assets and people that may result in a breach of PHI.
Finally, healthcare data is spread across a multitude of medical devices and instruments, and both legacy and modern devices often lack access controls and data safeguards capable of providing the proper level of security and privacy protection.
Preparing the ground
For those who have taken on the role of CISO at a healthcare organization with a large workforce and a plethora of departments and decision makers, Beckmeyer advises getting executive management’s attention and buy-in, and getting to know and understand the organization’s IT environment, supply chain and offices.
“CISOs need to know the entire architecture of a healthcare organization’s IT environment and how it supports each line of business. They need to fully understand the environment’s technological composition and nature of all the data contained therein, the process for storage and transmission, as well as the process of all critical and sensitive data and the complete flow of data in and out of the organization,” he says.
Knowing and securing the supply chain is of vital importance, as a security breach of a supplier can have tremendous legal consequences for the organization. “CISOs need to know the security posture of their suppliers, especially where PHI is involved, and to establish and implement a comprehensive supplier risk management program,” he advises.
Beckmeyer also argues that employees must be made to feel comfortable asking questions and/or reporting security situations that arise to the CISO.
To achieve that step, the CISO should put together a clear, concise and comprehensive set of security policies that is easily accessible to the entire company and, if possible, he or she should conduct in-person, mandated, classroom training for all employees. If it’s a large organization, the training should be divided into different departments and/or staff levels so the CISO can provide customized, targeted training with real life examples for each group.
“Security protocol is something that should be discussed on a weekly, if not monthly, basis so the staff is constantly reminded that your organization takes security very seriously,” he adds.
Addressing current and future threats
Beckmeyer believes that, in the next five years, CISOs should pay close attention to the significant increase in the functionality and use of patient portals, IoT technology, the continued increase in the number of sophisticated medical devices, and the use and storage of genetic information, all of which are vulnerable to potential threats.
“CISOs will never be ‘ahead of the curve’ when it comes to defending incoming threats; however, CISOs should aim to be as close to ‘the curve’ as possible,” he notes.
At the moment, though, data compromise and ransomware are the most imminent threats, the latter especially because healthcare organizations often run a plethora of equipment with a variety of operating systems and software that sometimes can’t be patched.
When it comes to defending organizations against ransomware attacks, Beckmeyer advises establishing a comprehensive security incident response program (SIRP) and investing in a robust data backup and recovery program.
The former can help detect, analyze and identify threats, contain exposure, eradicate the problem and begin the recovery process, and the latter can minimize the depth and breadth of a ransomware attack.
“The SIRP requires an enormous level of effort to develop, with the need for frequent training and testing (incorporating real life scenarios) to ensure the maximum potential for successfully combating a ransomware attack,” he warns.
“The data backup and recovery plan should be directly based on a thoroughly conducted business impact analysis (BIA), which will help determine the accurate restoration sequences and timeframes of the hospital’s critical clinical and business functions, as well as their supporting IT operations. This BIA will provide the needed information that will allow the CISO to select and adopt the correct recovery strategy on which the data backup/recovery plan will be based.”
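Deriving a restoration sequence from a BIA is, in practice, a scheduling problem: each clinical or business function has a recovery time objective (RTO), a measured restore duration, and dependencies (nothing comes back before the network, directory and storage it relies on). The Python below is an added example, not code from the article or from Binary Fountain, showing how a BIA table can be turned into an ordered restoration plan and checked against the RTOs. The systems, hours and dependencies are a constructed, hypothetical hospital BIA; the scheduling rule assumed here is earliest-deadline-first among the systems whose dependencies are already restored, with a configurable number of parallel recovery teams.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BiaEntry:
    rto_hours: int          # from the BIA: maximum tolerable downtime
    restore_hours: int      # measured or estimated time to restore from backup
    depends_on: tuple = ()  # systems that must be back before this one can be restored


# Constructed sample BIA (hypothetical hospital, not real figures).
BIA: Dict[str, BiaEntry] = {
    "Network core":     BiaEntry(2, 1),
    "Active Directory": BiaEntry(4, 2, ("Network core",)),
    "Storage/SAN":      BiaEntry(4, 2, ("Network core",)),
    "EHR":              BiaEntry(8, 3, ("Active Directory", "Storage/SAN")),
    "Pharmacy":         BiaEntry(8, 1, ("Active Directory", "EHR")),
    "PACS":             BiaEntry(12, 4, ("Active Directory", "Storage/SAN")),
    "Billing":          BiaEntry(48, 2, ("Active Directory", "Storage/SAN")),
    "Patient portal":   BiaEntry(72, 2, ("EHR",)),
}


def plan_restoration(bia: Dict[str, BiaEntry], teams: int = 1) -> Tuple[List[Tuple[str, int]], Dict[str, int]]:
    """Simulate restoration with `teams` parallel recovery teams.

    Whenever a team is free, it takes the ready system (all dependencies
    restored) with the tightest RTO. Returns the start order as
    (system, start_hour) and a dict of completion hours per system.
    Raises ValueError on a dependency cycle or an unknown dependency.
    """
    finish: Dict[str, int] = {}
    running: List[Tuple[int, str]] = []   # (completion hour, system) currently being restored
    order: List[Tuple[str, int]] = []
    remaining = set(bia)
    clock = 0
    while remaining or running:
        ready = [n for n in remaining if all(d in finish for d in bia[n].depends_on)]
        ready.sort(key=lambda n: (bia[n].rto_hours, n))   # earliest deadline first
        for n in ready:
            if len(running) >= teams:
                break
            remaining.remove(n)
            running.append((clock + bia[n].restore_hours, n))
            order.append((n, clock))
        if not running:
            raise ValueError("dependency cycle or unknown dependency among: %s" % sorted(remaining))
        running.sort()
        clock, done = running.pop(0)   # advance to the next completion
        finish[done] = clock
    return order, finish


def rto_misses(bia: Dict[str, BiaEntry], finish: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Systems whose simulated completion hour exceeds their RTO, as (system, finish, rto)."""
    return sorted((n, finish[n], e.rto_hours) for n, e in bia.items() if finish[n] > e.rto_hours)


if __name__ == "__main__":
    for teams in (1, 2):
        order, finish = plan_restoration(BIA, teams=teams)
        print(f"{teams} team(s): full recovery at hour {max(finish.values())}")
        for system, start in order:
            print(f"  t+{start:2}h start {system:16} (done t+{finish[system]}h, RTO {BIA[system].rto_hours}h)")
        print("  RTO misses:", rto_misses(BIA, finish) or "none")
```

With a single recovery team the sample plan restores everything in 17 hours but misses the RTO for the SAN, the pharmacy system and PACS by an hour each; with two teams working in parallel everything is back within 9 hours and every RTO is met. That is the kind of answer the BIA is meant to produce: not only the order, but whether the chosen recovery strategy and staffing can actually deliver the required timeframes.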