Caught in the crosshairs, healthcare organisations need to bolster cybersecurity

Gaurav Agarwal, MD, India & SAARC, Symantec, gives insights on what hospitals and healthcare organisations should be doing differently to proactively manage security risks

The delivery of effective and efficient medical services in hospitals and other healthcare facilities depends as much on the information systems and technologies they use as on the skills of the doctors and nurses they employ. Many of these systems are linked to each other and to the Internet. Moreover, they store and use patients' medical and personal records. It is therefore essential to protect these systems from being compromised in any manner. Unfortunately, the healthcare industry has proven to be a soft target for cybercriminals. These attackers are capable of stealing confidential data, holding hospitals to ransom, disrupting services or even shutting them down. In 2017, ransomware attacks increased by 89 per cent globally over the previous year. Giving in to such demands is not really an option.

The healthcare industry, as much as any other, needs to be protected by robust cybersecurity systems, and not just because organisations could face audits or fines; there is much more at stake here. The security teams at hospitals must look beyond bits-and-pieces software solutions and adopt a detailed, uncompromising approach towards cybersecurity, with help from external experts if need be. There is also the fact that healthcare is an industry with an IT infrastructure that is more complex and varied than any other. This diversity leads to an interwoven ecosystem of systems and devices, running on many different platforms and with differing security maturity, creating dependencies and limitations that make security and change management a rather complex task.

Healthcare is also a highly regulated and compliance-driven industry, with unique data protection needs. Complying with medical health insurance requirements and passing an audit does not necessarily mean that an organisation is capable of defending itself against a determined hacker. If auditors are scary, cybercriminals are nothing short of terrifying. The rising number and evolving nature of attacks in recent years is a warning that the healthcare industry is well and truly in the cross-hairs and must be aware of the cyber threat landscape unfolding in the background.

However, heightened awareness does not always translate into effective action. Too often, the industry's approach to cybersecurity has been far too reactive, to the point where it appears to be management-by-headline. By then, it is too late, because the bad guys have already won. So, what should hospitals and healthcare organisations be doing differently to proactively manage security risks? Here are some suggestions from Symantec. Obvious as some of them may sound, they are all too often neglected.

Align cybersecurity with business objectives

Senior leadership must step up to the challenge and include cybersecurity amongst the many strategic components that align with overall business objectives. The leadership must also outline the framework for governance, set measurable goals, and clearly define the levels of risk tolerance.

Work around budget constraints with a top-down, risk-based approach

Not every organisation has the resources to secure every widget, monitor every employee, or purchase all the latest security technologies. They can, however, work around their budgets by adopting a top-down, risk-based approach. The focus should be on identifying risk priorities, establishing enterprise-wide security objectives and strategies, and then figuring out the budgets, processes, and technical requirements needed to address these needs.

Create a culture of security and responsibility

The onus, again, is on the leadership to establish a culture of security throughout the organisation and implement a comprehensive security programme. They must assign adequate budgets to cover the requirements of staffing and of promoting cyber-education among employees to foster this culture. Security is everyone’s responsibility, whether they realise it or not.

And finally, here are some tips that may be useful for healthcare organisations looking to bring about a positive change in their security postures:

  • Create a security controls policy, which provides a high-level description of objectives along with a framework for those it impacts.
  • Document roles and responsibilities so that each team or department knows who is responsible for what aspect of implementation. Ensure that only authorised users can access clinical and IT systems. Stronger, token-less multifactor and risk-based authentication can eliminate up to 80 per cent of breaches.
  • Implement and enforce a security policy whereby all sensitive data is encrypted at rest and in transit. Ensure that customer data is encrypted as well. This can help mitigate the damage of potential data leaks from within the organisation.
  • It is absolutely essential to have security across endpoints, ranging from desktops to IoT-enabled medical devices. At the most basic level, organisations need to have the right security solutions for various endpoints – from anti-virus and anti-malware to IoT security.

Security must become second nature for every individual in the organisation. And if that seems too irksome, just remember that there are human lives in the balance, and that you would rather leave them in the care of fully equipped staff in a smoothly functioning medical facility than at the mercy of a cybercriminal.