10 questions healthcare organizations can answer to help align themselves with the right solutions
Healthcare organizations have many considerations when addressing their security needs, so it’s important to ask the right questions when evaluating cybersecurity solutions. These questions can lead an organization to the right conclusions for its unique environment. The details of network infrastructure, the types of data collected, stored and processed, and the procedures used to provide an adequate cybersecurity defense all need to be considered so that healthcare organizations can choose solutions that protect them from external attacks like ransomware and mitigate the risks associated with insider threats, especially when insiders have access to sensitive information like PHI. With this in mind, here are several questions to help narrow the scope of security requirements based on the environmental factors in your organization:
1. How would a ransomware attack impact the organization?
- It would be dealt with - we have a complete (and tested) mitigation and recovery strategy
- It would be devastating - we have no tested mitigation or recovery plans
- It would be difficult but think we’d manage by reverting to paper records and/or recovering from backups
- We have incident response plans but they haven’t been tested
Requirement: Incident Response, Disaster Recovery and Ransomware Mitigation
Ransomware attacks are common across many industries today, but the recent past has shown us that hospitals and other healthcare organizations are especially vulnerable, both because of the amount of sensitive data they store and because of the potential impact on patient care from system outages. Therefore, if you don’t have proper backups and a tested incident response plan in place, there may not be many options available other than considering ransom payment. And, in many regions, ransom payments may become prohibited by law. This makes solutions for ransomware avoidance, response and mitigation one of the most crucial areas for healthcare security teams to devote resources to in order to protect themselves against digital attacks.
2. Is our security team resourced to mount an expedient response to a cyber attack?
- We have team members with relatively light workloads that can be available for response at a moment’s notice
- Our team is busy but trains regularly and has demonstrated they can respond effectively without burnout
- We don’t have a security team and our IT team can barely keep up with their issue tracker workload
- We don’t have a security team, and our IT team is outsourced
Healthcare organizations have an increased risk associated with digital attacks in that they are mandated to maintain vast amounts of sensitive data and also have relatively large attack surfaces. For these reasons, 24x7 monitoring operations with visibility into the flow of data and into access to data, so that all actors can be confirmed to be working within the confines of their role, are critical to maintaining operations in healthcare environments. MDR solutions leverage expert teams that are tasked with the real-time identification of, and response to, attacks and the behavior of bad actors, allowing the organization to focus on providing quality healthcare while keeping data and networks safe by responding to attacks immediately.
3. Are our devices inventoried and managed within the same platform and under uniform security policies?
- We can manage employee endpoints in a single solution, but that solution doesn’t support our medical devices and other specialized IoT devices
- We try to get all devices under one platform, but often we are unable to do so and therefore have a few disparate solutions managing our different device types
- We have been able to get all of our devices under one platform and found a solution that is suitable for our enterprise endpoints as well as our medical devices
- We outsource asset management to a 3rd party
Requirement: Asset tracking, endpoint management and IoT security
Asset tracking is a foundational element in enterprise cybersecurity, but in a healthcare organization, medical device security can mean life or death. A reliable and effective cybersecurity solution which can help manage and defend IoT devices, including specialized medical devices, is a must-have in any healthcare environment. While healthcare organizations have to manage enterprise endpoints like laptops, desktops, tablets, mobile phones and printers the same as any other organization, they also have to secure connected IV pumps, insulin pumps, test equipment, medication administration devices and other connected life-saving technology. It is of the utmost importance that healthcare organizations vet and test their endpoint security solution(s) before implementation, but it is equally important that they maintain and adopt new strategies to protect these devices, so a cybersecurity solution provider should be able to demonstrate the ability to protect the organization effectively now and in the future.
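One concrete check behind this question is whether every device seen on the network is actually covered by some management platform, and whether any device is claimed by more than one platform (and so may be under conflicting policies). The following is an added example, not code from the article or from any vendor it discusses: it reconciles a constructed network-discovery list (the kind of data a DHCP, ARP or NAC export gives you) against per-platform inventories. The MAC addresses, hostnames, vendor names, platform names and the vendor-to-class mapping are all invented sample data.

```python
"""Added example: reconcile discovered devices against management platforms.

All device, vendor and platform names below are constructed for illustration.
"""
from collections import Counter

# Constructed: devices observed on the network (e.g. from DHCP/ARP/NAC data).
DISCOVERED = [
    {"mac": "00:11:22:aa:bb:01", "hostname": "ws-radiology-01", "vendor": "Dell"},
    {"mac": "00:11:22:aa:bb:02", "hostname": "pump-icu-07", "vendor": "InfusionCo"},
    {"mac": "00:11:22:aa:bb:03", "hostname": "pump-icu-08", "vendor": "InfusionCo"},
    {"mac": "00:11:22:aa:bb:04", "hostname": "printer-3f", "vendor": "HP"},
    {"mac": "00:11:22:aa:bb:05", "hostname": "", "vendor": "MedMonitor"},
    {"mac": "00:11:22:aa:bb:06", "hostname": "tablet-er-12", "vendor": "Apple"},
]

# Constructed: the MAC addresses each management platform reports as enrolled.
PLATFORMS = {
    "endpoint-mgmt": {
        "00:11:22:aa:bb:01", "00:11:22:aa:bb:04",
        "00:11:22:aa:bb:06", "00:11:22:aa:bb:99",   # bb:99 was never seen on the network
    },
    "meddevice-mgmt": {"00:11:22:aa:bb:02", "00:11:22:aa:bb:06"},
}

# Constructed: rough vendor -> device class mapping used for the summary.
VENDOR_CLASS = {
    "Dell": "enterprise", "HP": "enterprise", "Apple": "enterprise",
    "InfusionCo": "medical", "MedMonitor": "medical",
}


def reconcile(discovered, platforms, vendor_class):
    """Compare what is on the network with what each platform says it manages.

    Returns devices no platform covers (grouped by class), devices claimed by
    more than one platform, and inventory entries never seen on the network.
    """
    unmanaged, multi_managed = [], []
    by_class = Counter()
    for dev in discovered:
        managers = sorted(name for name, macs in platforms.items() if dev["mac"] in macs)
        cls = vendor_class.get(dev["vendor"], "unknown")
        if not managers:
            # Nothing is protecting this device; medical ones are the priority.
            unmanaged.append({**dev, "class": cls})
            by_class[cls] += 1
        elif len(managers) > 1:
            # Two platforms may push different policies to the same device.
            multi_managed.append((dev["mac"], managers))

    # Inventory drift: enrolled devices that never appeared on the network.
    seen = {d["mac"] for d in discovered}
    stale = {name: sorted(macs - seen) for name, macs in platforms.items() if macs - seen}

    return {
        "unmanaged": unmanaged,
        "unmanaged_by_class": dict(by_class),
        "multi_managed": multi_managed,
        "stale": stale,
    }


if __name__ == "__main__":
    report = reconcile(DISCOVERED, PLATFORMS, VENDOR_CLASS)
    for dev in report["unmanaged"]:
        print("UNMANAGED", dev["class"], dev["mac"], dev["hostname"] or "(no hostname)")
    print("unmanaged by class:", report["unmanaged_by_class"])
    print("claimed by several platforms:", report["multi_managed"])
    print("stale inventory entries:", report["stale"])
```

The point of the three result buckets is that each maps to a different question for the vendor conversation: unmanaged medical devices show where the current platform does not reach, multi-managed devices show where policies may conflict, and stale entries show that an inventory is not being reconciled against reality.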
4. How are we currently managing security logs?
- We have a SIEM, but it’s not fully deployed as integrations are difficult to set up and tuning doesn’t ever seem to end
- We have a SIEM solution that is able to get our most important logs and events to analysts in a single pane of glass
- We have adequate storage for some security logs, but we’re not sure that we have everything managed properly and we don’t currently have visibility into events across our log sources
Requirement: SIEM or SIEM integration
Security Information and Event Management solutions are essential for log analysis and reporting, especially in the healthcare industry where finding ‘needles in haystacks’ can be critical to protecting PHI. SIEM solutions should allow for the integration and collection of all log and event sources to give security personnel the ability to quickly identify problems that potentially indicate threats to the confidentiality or integrity of PHI. When implemented properly, a solution that provides the appropriate level of insight into network, software and device events grants operators an extremely important tool for identifying possible misconfigurations, attacks and design flaws. It can be a gruelling process, but it’s worthwhile to vet each SIEM solution’s capabilities to ensure they provide the level of detail and accuracy that is needed and to avoid the time-consuming and costly mistake of making the wrong product choice.
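The ‘needles in haystacks’ the paragraph refers to usually only become visible when events from more than one source are read together. The following is an added example, not code from the article or from any SIEM product: it parses two constructed log sources (an EHR audit log and a VPN log in a simple key=value format) and runs two defensive detections over them, one for a user viewing an unusual number of distinct patient records in a short window, and one for PHI views made over VPN outside business hours. The log format, user names, patient identifiers, timestamps, IP addresses and thresholds are all invented sample data; a real deployment would take these values from its own log sources and tune the thresholds.

```python
"""Added example: cross-source correlation of the kind a SIEM rule performs.

The log lines, users, patient ids and thresholds are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR audit log: who viewed which patient record, and when.
EHR_LOG = """\
2024-03-01T09:00:12 source=ehr user=nurse.amy patient=P1001 action=view
2024-03-01T09:01:40 source=ehr user=nurse.amy patient=P1002 action=view
2024-03-01T09:02:05 source=ehr user=nurse.amy patient=P1003 action=view
2024-03-01T02:10:00 source=ehr user=clerk.bob patient=P2001 action=view
2024-03-01T02:10:30 source=ehr user=clerk.bob patient=P2002 action=view
2024-03-01T02:11:00 source=ehr user=clerk.bob patient=P2003 action=view
2024-03-01T02:11:30 source=ehr user=clerk.bob patient=P2004 action=view
2024-03-01T02:12:00 source=ehr user=clerk.bob patient=P2005 action=view
2024-03-01T02:12:30 source=ehr user=clerk.bob patient=P2006 action=view
2024-03-01T14:30:00 source=ehr user=dr.chen patient=P3001 action=view
"""

# Constructed VPN log: remote session start and end per user.
VPN_LOG = """\
2024-03-01T02:05:00 source=vpn user=clerk.bob action=connect src=198.51.100.23
2024-03-01T02:40:00 source=vpn user=clerk.bob action=disconnect src=198.51.100.23
2024-03-01T08:55:00 source=vpn user=dr.chen action=connect src=203.0.113.7
2024-03-01T18:00:00 source=vpn user=dr.chen action=disconnect src=203.0.113.7
"""


def parse(log_text):
    """Turn 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def bulk_patient_access(ehr_events, max_patients=5, window=timedelta(minutes=10)):
    """Users who viewed more than max_patients distinct records within `window`.

    Returns {user: largest distinct-patient count seen in any window}.
    """
    per_user = defaultdict(list)
    for ev in ehr_events:
        if ev.get("action") == "view":
            per_user[ev["user"]].append(ev)
    alerts = {}
    for user, views in per_user.items():
        start = 0                       # sliding window over time-sorted views
        for end in range(len(views)):
            while views[end]["ts"] - views[start]["ts"] > window:
                start += 1
            distinct = {v["patient"] for v in views[start:end + 1]}
            if len(distinct) > max_patients:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def vpn_sessions(vpn_events):
    """Pair connect/disconnect events into (user, start, end) sessions."""
    open_sessions, sessions = {}, []
    for ev in vpn_events:
        if ev["action"] == "connect":
            open_sessions[ev["user"]] = ev["ts"]
        elif ev["action"] == "disconnect" and ev["user"] in open_sessions:
            sessions.append((ev["user"], open_sessions.pop(ev["user"]), ev["ts"]))
    for user, start in open_sessions.items():   # sessions with no disconnect yet
        sessions.append((user, start, datetime.max))
    return sessions


def offhours_remote_views(ehr_events, vpn_events, open_hour=7, close_hour=19):
    """EHR record views that happened over VPN outside business hours."""
    sessions = vpn_sessions(vpn_events)
    hits = []
    for ev in ehr_events:
        if ev.get("action") != "view":
            continue
        in_hours = open_hour <= ev["ts"].hour < close_hour
        remote = any(u == ev["user"] and s <= ev["ts"] <= e for u, s, e in sessions)
        if remote and not in_hours:
            hits.append((ev["user"], ev["patient"], ev["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    ehr, vpn = parse(EHR_LOG), parse(VPN_LOG)
    print("bulk record access:", bulk_patient_access(ehr))
    for hit in offhours_remote_views(ehr, vpn):
        print("off-hours remote PHI view:", hit)
```

Neither rule is conclusive on its own (a night-shift clerk may legitimately work remotely, and a triage nurse may legitimately open many charts), which is why both findings point at the same user is the useful signal; this is also why the paragraph stresses collecting all sources rather than the EHR log alone.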
5. What does our IT infrastructure look like?
- Physical Infrastructure
- Virtualized infrastructure on-premise
- Cloud infrastructure
- Hybrid cloud infrastructure (split between on-prem and cloud)
Requirement: SD-WAN or SASE
SASE solutions with secure SD-WAN infrastructure can greatly reduce the risk posed to healthcare organizations by enabling network segmentation and flexibility while avoiding some of the security disadvantages of legacy remote access solutions. When organizations need to offer public facing interfaces, it is important that the route the data travels is secure and that all interactions can be secured and monitored to protect PHI. The flexibility and visibility offered by these next-generation network security solutions can be a game changer when trying to direct WAN traffic through security infrastructure and orchestrate large changes in network configuration, which can be common in healthcare organizations that grow quickly.
6. Are our employees fully knowledgeable about their responsibilities when it comes to cybersecurity and specifically HIPAA?
- We have periodic training courses that all employees must complete as a condition of employment
- We have HIPAA training covered, but most of our employees may not be aware of the rest of our information security policies or cybersecurity best-practices
- We have a 3rd party compliance and training supplier that works with our teams to ensure they are in compliance with all regulations
Requirement: People Education and Training
Security education and training to ensure that employees maintain good cybersecurity hygiene is important in all organizations, but in healthcare, organizations are specifically required to understand and comply with HIPAA requirements. Lack of training is a compliance issue and poor quality training can be even worse if it leads to mistakes and improper handling of PHI or PII. Not all solutions will be equal when it comes to managing training, so it is important that any healthcare organization understands the amount and level of training required and ensures that they deploy a training or learning management solution aligned with their needs.
7. Does our organization use internal teams to build healthcare software applications or medical devices?
- We have DevOps teams that build applications for internal use and we support our own hosted internet-facing web applications.
- We use proprietary software solutions and vendors to maintain, customize and integrate our solutions.
- We build medical devices and write software or firmware to operate the devices
- We use proprietary software but our IT teams often write their own integrations for interoperability
DevSecOps is a transformative approach to software development where security is built-in to the software development lifecycle. A secure software development lifecycle is necessary for any healthcare organization developing software, integrations, or medical devices for internal or external use. DevSecOps platform solutions can help organizations with legacy engineering teams increase productivity and efficiency while maintaining the security of all development stages from idea to production and throughout the product’s lifecycle.
8. Do we have an extensive list of vendors and suppliers that frequently access our devices, systems and/or physical locations?
- Yes, we have a huge number of people who aren’t employees that enter our premises to perform maintenance and services.
- We have a limited number of approved service providers that we have working on our systems
- We handle as much as possible internally and only allow approved vendors onto our premises or systems
- We track and monitor all the activity of any vendor whose individual employees are vetted and approved before arrival
Requirement: Vendor Risk Management
It’s vital that healthcare organizations invest in security assurance for their 3rd party personnel that are inevitably going to be working in sensitive areas or on sensitive systems and devices. There are a variety of solutions out there specifically designed for this task, while others are often bundled with IAM or HR solutions.
9. How does our organization manage the overall technology stack?
- We let departments operate and manage them independently of each other
- Some applications are made to work with each other but we’re not a technology company, so integration can be difficult and we don’t spend time on it without business justification
- We like to make sure everything works together, but integrations add complexity that we find difficult to stay on top of
- We ensure that every solution we deploy is as open and easy to integrate to our existing and future solutions, when possible
In larger healthcare organizations which may regularly engage in M&A (merger and acquisition) activity, it is important to look at the overall technology stack as a living organism with individual systems and components that all work together to provide comprehensive solutions for the business. The security stack is the same – it’s a living and evolving system of solutions that co-exist to protect the organization, its staff and its patients in an adaptive and cooperative manner. Ease of integration and interoperability can be overlooked, but in the healthcare industry it is especially important to ensure interoperability – otherwise maintaining compliance or visibility for the security team can become impossible.
10. Does our organization tend to stick with legacy solutions for long periods?
- We do not have the ability or desire to change systems or solutions once they are implemented
- We don’t mind changing solutions frequently and we regularly try new and creative ways to solve our problems
- We like to stay current and make sure we’re compliant and protected, but making organization-wide changes can be slow
- We do what we are required to do and sometimes that does mean changing our cybersecurity solutions, but that’s only when there are new regulations
Organizations should be vetting vendors thoroughly to make sure that they have a reliable, long-term solution, as organization-wide changes are extremely complicated and expensive. In regulated industries such as healthcare, organizations researching new solutions should ensure that they choose providers with demonstrated longevity. This is important because, with such stringent policies and an ever-changing threat landscape, solutions must be able to keep up with new threats and methodologies over long periods. It is acceptable to utilize specialized and unique tools to accomplish unique goals or to implement cutting-edge solutions where practical for a particular organization. However, it is advisable to ensure that these solutions aren’t considered core components of the technology stack if they may not be able to easily and quickly adapt to organizational changes.