
Healthcare Cybersecurity & SD WAN

Compare DIY, Co-Managed & Fully Managed SD WAN across 100+ vendors and service providers with Netify

  • Find out which service providers match your needs
  • Get the advice you need from our research team
  • For North American and UK National and Multinational companies


Compare SD-WAN Services for Healthcare

Use the Netify comparison tool to find out which SD WAN & Cybersecurity solutions match your Healthcare business needs.

Summary

What are the healthcare regulations across cybersecurity and SD WAN?

Healthcare organizations have the important responsibility of handling people's health and wellness. On top of being responsible for improving or even saving lives, healthcare organizations also have the responsibility of maintaining and protecting accurate records of every patient's visits, tests, procedures, medical history, insurance policies and so on. These responsibilities are mandated and highly regulated by local, national and international organizations. This is for good reason, as healthcare organizations are unlike most others in that they are required to maintain and protect sensitive records for much longer periods of time than most. In fact, in most industries it is mandated that records must not be kept for extended periods beyond reasonable need. Also, the private information healthcare organizations maintain is generally considered the most sensitive and private data for individuals, and it can also be highly valuable on the black market. As organizations work toward security maturity, mapping out a clear path to secure patients' protected health information (PHI) and maintain regulatory compliance can seem overwhelming.

With all of the regulations around the handling of PHI in healthcare organizations, there are resources and frameworks available, many free, that help bring an organization into compliance and improve security posture. So, when choosing cybersecurity solutions for healthcare organizations, it is important to first work with business and legal stakeholders to identify the entirety of the organization’s needs and obligations. Once the organization's compliance requirements are identified, healthcare security frameworks like HITRUST or those which map to healthcare requirements like the NIST Cybersecurity Framework (CSF) or Center for Internet Security Controls (CIS Controls) should be analyzed for feasibility before considering product solutions and vendors. Once a healthcare organization has adopted a recognized security framework, decision making on products and solutions for meeting requirements can be much more straightforward.

Healthcare regulations and frameworks

What are Healthcare Cybersecurity and SD WAN regulations in 2022?

Applicable healthcare cybersecurity regulations:

  • HIPAA (Health Insurance Portability and Accountability Act of 1996)
  • UK NCSC Cyber Essentials (National Cyber Security Centre)
  • PCI DSS v3.0 (Payment Card Industry Data Security Standard)
  • SOX (Sarbanes-Oxley Act of 2002)
  • CPRA (California Privacy Rights Act)
  • GDPR (General Data Protection Regulation)
  • FDA QSR (US Food and Drug Administration Quality System Regulation)

Compliance and cybersecurity resources:

Attacks aimed at healthcare organizations have proven very costly for those affected, with some attacks causing tangible impact to patient care. While many healthcare organizations may feel as though they are overburdened with regulation, plenty of security practitioners argue that there aren’t enough.

Some of the most significant regulations applicable to healthcare organizations focus on information security, specifically for PHI. Some place more focus on physical security while others are aimed at application security, and most try to be as comprehensive as possible, which creates a lot of overlap. For this reason, it is important to consider all the regulations applicable to your specific organization, identify frameworks that map across regulatory requirements to help tie things together and, if necessary, develop a supplemental roadmap toward a complete cybersecurity solution that supports the organization's business needs, compliance obligations and the security of patient data.

HIPAA (Health Insurance Portability and Accountability Act of 1996) applies to healthcare organizations dealing with patient PHI as well as PII (Personally Identifiable Information). It was originally designed around health insurance requirements, since insurance companies require so much sensitive data to verify eligibility for their clients' procedures and visits. Since its inception, the U.S. Department of Health and Human Services has expanded its applicability to covered entities ranging from large hospital groups and insurance companies to individual healthcare practitioners. Additionally, new rules have been created under the authority of the HITECH Act to establish more concrete security standards, including cybersecurity standards, enforcement rules and breach notification requirements.

Healthcare organizations can be subject to local or national privacy regulations like CPRA (California Privacy Rights Act) and GDPR (General Data Protection Regulation) in the European Union or United Kingdom. Privacy regulations can have similar requirements to HIPAA in areas like safeguarding personal information and breach reporting, although they’re not specific to PHI like HIPAA.

In contrast to HIPAA, which is largely an information security regulation, the U.S. Food and Drug Administration's QSR (Quality System Regulation) is designed to ensure quality standards in the development of medical devices, in order to protect their users. QSR is applicable to manufacturers of medical devices, as these devices, if breached in any way, can have life-threatening consequences. As you may expect, many of QSR's requirements and prescriptions are strict and specific, as opposed to regulations like HIPAA, which use broad language that can leave many statements open to interpretation.

Also, larger healthcare organizations that are publicly traded are required to comply with SOX (the Sarbanes-Oxley Act of 2002).

Finally, any size healthcare organization or even individual practitioners who process or store payment card data are regulated by PCI DSS (Payment Card Industry Data Security Standard) and specifically, PA-DSS (Payment Application Data Security Standard) which is aimed at applications dealing with payment transactions.

Again, a laundry list of potentially applicable regulations can seem intimidating, but it is important to remember that there is generally a lot of overlap among requirements and there are plenty of resources available that make it possible to map requirements across regulations. As mentioned earlier, there are several frameworks designed to tie as many of these regulatory controls, policy management and compliance tracking into a single, user-friendly space. For instance, HITRUST CSF (which is HITRUST’s cybersecurity framework) aims to be comprehensive by incorporating the NIST CSF (The National Institute of Standards and Technology’s Cybersecurity Framework) as well as other widely adopted information security standards like ISO 27001, PCI DSS, and HIPAA and privacy regulations like GDPR/CPRA. The CIS Controls are also a great free resource which maps to all of the aforementioned standards and regulations.

Healthcare Cybersecurity Solutions

Which SD WAN & cybersecurity services fit Healthcare requirements?

When choosing security products, services and vendors, it may seem like every manufacturer and vendor has something specifically geared toward the healthcare industry. While some companies have more healthcare experience than others, the availability of solutions catered to the industry is a great thing, because healthcare organizations have to worry about the entire gamut of cybersecurity threats, including some of the most prevalent: ransomware, IoT security, application security and vendor risk management. So, while there is no shortage of commercial solutions for every aspect of a healthcare organization's cybersecurity needs, it is vital that the organization adopts a robust cybersecurity framework to align business and regulatory needs with solutions in order to stay secure and remain compliant.

Once an organization has started working toward implementing a cybersecurity framework, there is a direction to drive decision making on choosing the specific solutions that best fulfill its needs. One strategy to consider is looking for solutions with strengths that match the weaknesses of the organization. For instance, in healthcare one of the most common and potentially most costly attacks on organizations is ransomware. So, it is important that the organization deploys solutions to ensure that any ransomware attack will be identified quickly, stopped from propagating, and the affected data recovered seamlessly once the threat has been eliminated.

E-mail security and secure collaboration solutions should be high on a healthcare organization’s priority list, given that e-mail and other messaging mediums are often attack vectors for the initial access needed to successfully execute a ransomware attack. Organizations should consider MDR (Managed Detection and Response) and/or XDR (Extended Detection and Response) solutions to maximize their chance of successfully detecting and properly responding to ransomware attacks in real-time. Log management and SIEM solutions can also be used for threat detection as well as meeting compliance requirements. Data loss prevention (DLP) solutions can be used to identify and track the flow of protected information like PHI to detect and prevent breaches while providing reporting capabilities to support compliance audits.

Software application development and medical device manufacturing are another huge area of concern for healthcare organizations that develop applications or devices for their own use or commercially. While the tools and processes used to secure the software development lifecycle are different from those used for securing traditional IT infrastructure, these efforts need to be coordinated to ensure security and compliance. While some of the more progressive organizations are already practicing DevSecOps (the combined execution of Development, Security and Operations), others will need to transform quickly to remain competitive. Fortunately, there are complete DevSecOps platforms with numerous integrations that allow them to be seamlessly implemented alongside existing development pipelines and technology stacks.

Finally, the importance of vendor risk management in the healthcare industry cannot be overstated. There are so many moving parts in most healthcare organizations and there are often full-time vendors on-site for handling a variety of operations. A long list of vendors significantly increases the organization’s attack surface, so it’s important to ensure that you’ve got your people, processes and technology working together like a well-oiled machine when it comes to vendor management.

Summary

10 questions healthcare organizations can answer to help align themselves with the right SD WAN & Cybersecurity services

Healthcare organizations have so many considerations when trying to address their security needs, so it’s important to ask the right questions when evaluating cybersecurity services. These can help lead an organization to the right conclusions based on their unique environment. Details and specifics regarding network infrastructure, types of data collected, stored and processed and procedures used to provide an adequate cybersecurity defense need to be considered so healthcare organizations can choose solutions that will protect them from external attacks like ransomware or mitigate the risks associated with insider threats, especially when insiders have access to sensitive information like PHI. With this in mind, here are several questions to help narrow the scope on security requirements based on environmental factors in your organization:

1. How would a ransomware attack impact the organization?

  1. It would be dealt with - we have a complete (and tested) mitigation and recovery strategy
  2. It would be devastating - we have no tested mitigation or recovery plans
  3. It would be difficult, but we think we’d manage by reverting to paper records and/or recovering from backups
  4. We have incident response plans but they haven’t been tested

Requirement: Incident Response, Disaster Recovery and Ransomware Mitigation

Ransomware attacks are common across many industries today, but the recent past has shown us that hospitals and other healthcare organizations are especially vulnerable, both because of the amount of sensitive data they store and because of the potential impact to patient care from system outages. Therefore, if you don’t have proper backups and a tested incident response plan in place, there may not be many options available other than considering ransom payment. And, in many regions, ransom payments may become prohibited by law. This makes solutions for ransomware avoidance, response and mitigation one of the most crucial areas for healthcare security teams to devote resources to in order to protect themselves against digital attacks.

2. Is our security team resourced to mount an expedient response to a cyber attack?

  1. We have team members with relatively light workloads that can be available for response at a moment’s notice
  2. Our team is busy but trains regularly and has demonstrated they can respond effectively without burnout
  3. We don’t have a security team and our IT team can barely keep up with their issue tracker workload
  4. We don’t have a security team, and our IT team is outsourced

Requirement: MDR

Healthcare organizations have an increased risk associated with digital attacks in that they are mandated to maintain vast amounts of sensitive data and also have relatively large attack surfaces. For these reasons, 24x7 monitoring operations with visibility into the flow of data and access to data, ensuring that all actors are working within the confines of their role, are critical to maintaining operations in healthcare environments. MDR solutions leverage expert teams tasked with real-time identification of and response to attacks and the behavior of bad actors, allowing the organization to focus on providing quality healthcare while keeping data and networks safe by responding to attacks immediately.

3. Are our devices inventoried and managed within the same platform and under uniform security policies?

  1. We can manage employee endpoints in a single solution, but that solution doesn’t support our medical devices and other specialized IoT devices
  2. We try to get all devices under one platform, but often we are unable to do so and therefore have a few disparate solutions managing our different device types
  3. We have been able to get all of our devices under one platform and found a solution that is suitable for our enterprise endpoints as well as our medical devices
  4. We outsource asset management to a 3rd party

Requirement: Asset tracking, endpoint management and IoT security

Asset tracking is a foundational element in enterprise cybersecurity, but in a healthcare organization, medical device security can mean life or death. A reliable and effective cybersecurity solution which can help manage and defend IoT devices including specialized medical devices is a must-have in any healthcare environment. While the healthcare organizations have to manage enterprise endpoints like laptops, desktops, tablets, mobile phones and printers the same as any other organization, they also have to secure connected IV pumps, insulin pumps, test equipment, medication administration devices and other connected life-saving technology. It is of the utmost importance that healthcare organizations vet and test their endpoint security solution(s) before implementation, but it is equally important that they maintain and adopt new strategies to protect these devices, so a cybersecurity solution provider should be able to demonstrate the ability to protect the organization effectively now and in the future.

4. How are we currently managing security logs?

  1. We have a SIEM, but it’s not fully deployed as integrations are difficult to set up and tuning doesn’t ever seem to end
  2. We have a SIEM solution that is able to get our most important logs and events to analysts in a single pane of glass
  3. We have adequate storage for some security logs, but we’re not sure that we have everything managed properly and we don’t currently have visibility into events across our log sources

Requirement: SIEM or SIEM integration

Security Information and Event Management solutions are essential for log analysis and reporting, especially in the healthcare industry, where finding ‘needles in haystacks’ can be critical to protecting PHI. SIEM solutions should allow for the integration and collection of all log and event sources to give security personnel the ability to quickly identify problems that potentially indicate threats to the confidentiality or integrity of PHI. When implemented properly, a solution that provides the appropriate level of insight into network, software and device events gives operators an extremely important tool for identifying possible misconfigurations, attacks and design flaws. It can be a gruelling process, but it’s worthwhile to vet each SIEM solution's capabilities to ensure they provide the level of detail and accuracy that is needed, and to avoid the time-consuming and costly mistake of making the wrong product choice.

5. What does our IT infrastructure look like?

  1. Physical Infrastructure
  2. Virtualized infrastructure on-premise
  3. Cloud infrastructure
  4. Hybrid cloud infrastructure (split between on-prem and cloud)

Requirement: SD-WAN or SASE

SASE solutions with secure SD-WAN infrastructure can greatly reduce the risk posed to healthcare organizations by enabling network segmentation and flexibility while avoiding some of the security disadvantages of legacy remote access solutions. When organizations need to offer public facing interfaces, it is important that the route the data travels is secure and that all interactions can be secured and monitored to protect PHI. The flexibility and visibility offered by these next-generation network security solutions can be a game changer when trying to direct WAN traffic through security infrastructure and orchestrate large changes in network configuration, which can be common in healthcare organizations that grow quickly.

6. Are our employees fully knowledgeable about their responsibilities when it comes to cybersecurity and specifically HIPAA?

  1. We have periodic training courses that all employees must complete as a condition of employment
  2. We have HIPAA training covered, but most of our employees may not be aware of the rest of our information security policies or cybersecurity best-practices
  3. We have a 3rd party compliance and training supplier that works with our teams to ensure they are in compliance with all regulations

Requirement: People Education and Training

Security education and training to ensure that employees maintain good cybersecurity hygiene is important in all organizations, but in healthcare, organizations are specifically required to understand and comply with HIPAA requirements. Lack of training is a compliance issue and poor quality training can be even worse if it leads to mistakes and improper handling of PHI or PII. Not all solutions will be equal when it comes to managing training, so it is important that any healthcare organization understands the amount and level of training required and ensures that they deploy a training or learning management solution aligned with their needs.

7. Does our organization use internal teams to build healthcare software applications or medical devices?

  1. We have DevOps teams that build applications for internal use and we support our own hosted internet-facing web applications.
  2. We use proprietary software solutions and vendors to maintain, customize and integrate our solutions.
  3. We build medical devices and write software or firmware to operate the devices
  4. We use proprietary software but our IT teams often write their own integrations for interoperability

Requirement: DevSecOps

DevSecOps is a transformative approach to software development where security is built into the software development lifecycle. A secure software development lifecycle is necessary for any healthcare organization developing software, integrations or medical devices for internal or external use. DevSecOps platform solutions can help organizations with legacy engineering teams increase productivity and efficiency while maintaining the security of all development stages, from idea to production and throughout the product’s lifecycle.

8. Do we have an extensive list of vendors and suppliers that frequently access our devices, systems and/or physical locations?

  1. Yes, we have a huge number of people who aren’t employees that enter our premises to perform maintenance and services.
  2. We have a limited number of approved service providers that we have working on our systems
  3. We handle as much as possible internally and only allow approved vendors onto our premises or systems
  4. We track and monitor all the activity of any vendor whose individual employees are vetted and approved before arrival

Requirement: Vendor Risk Management

It’s vital that healthcare organizations invest in security assurance for their 3rd party personnel that are inevitably going to be working in sensitive areas or on sensitive systems and devices. There are a variety of solutions out there specifically designed for this task, while others are often bundled with IAM or HR solutions.

9. How does our organization manage the overall technology stack?

  1. We let departments operate and manage them independent of each other
  2. Some applications are made to work with each other but we’re not a technology company, so integration can be difficult and we don’t spend time on it without business justification
  3. We like to make sure everything works together, but integrations add complexity that we find difficult to stay on top of
  4. We ensure that every solution we deploy is as open and easy to integrate to our existing and future solutions, when possible

Requirement: Interoperability

In larger healthcare organizations which may regularly engage in M&A (merger and acquisition) activity, it is important to look at the overall technology stack as a living organism with individual systems and components that all work together to provide comprehensive solutions for the business. The security stack is the same – it’s a living and evolving system of solutions that co-exist to protect the organization, its staff and its patients in an adaptive and cooperative manner. Ease of integration and interoperability can be overlooked, but in the healthcare industry it is especially important to ensure interoperability – otherwise maintaining compliance or visibility for the security team can become impossible.

10. Does our organization tend to stick with legacy solutions for long periods?

  1. We do not have the ability or desire to change systems or solutions once they are implemented
  2. We don’t mind changing solutions frequently and we regularly try new and creative ways to solve our problems
  3. We like to stay current and make sure we’re compliant and protected, but making organization-wide changes can be slow
  4. We do what we are required to do and sometimes that does mean changing our cybersecurity solutions, but that’s only when there are new regulations

Requirement: Stability/Longevity

Organizations should be vetting vendors thoroughly to make sure that they have a reliable, long-term solution, as organization-wide changes are extremely complicated and expensive. In regulated industries such as healthcare, organizations researching new solutions should ensure that they choose providers with demonstrated longevity. This is important because, with such stringent policies and an ever-changing threat landscape, solutions must be able to keep up with new threats and methodologies over long periods. It is acceptable to utilize specialized and unique tools to accomplish unique goals or to implement cutting-edge solutions where practical for a particular organization. However, it is advisable to ensure that these solutions aren’t considered core components of the technology stack if they may not be able to easily and quickly adapt to organizational changes.

Cybersecurity Assessment

Get your top 3 Healthcare shortlist match across 100+ vendors and managed service providers including Gartner rated leaders, niche players and startups.

Netify online quick assessments offer a simple way to shortlist vendors and managed service providers for the Healthcare sector. Free to use, answer 10 questions to begin finding your perfect SD WAN or SASE/SSE cybersecurity match. Select your assessment now.

Zoom demo

Find out which Cybersecurity and SD WAN solution is better for your healthcare business needs. Get a personalized one hour Zoom demo or vendor briefing.

Netify will arrange either a 1 hour demo session covering Gartner rated vendors, niche players and startups, with walkthroughs of features and benefits, or, if you prefer, a vendor briefing session to learn more about high level capability.

IT Decision Makers Report

The healthcare IT decision makers Cybersecurity and SD WAN checklist.

Netify has created the ultimate healthcare SASE cybersecurity and SD WAN IT decision makers checklist. Learn about the key areas you must consider when evaluating vendors and managed service providers.

Quiz

The SD WAN & SASE Assessments

Netify assessments are free to use, answer 10 questions to begin finding your perfect SD WAN or Cybersecurity solution.

Pricing

SD WAN pricing calculator

Try the beta version of our SD WAN and connectivity pricing calculator. Currently supporting Versa SD WAN and SASE Cybersecurity in our initial release.

Chart

Market share - Zscaler and Crowdstrike (enterprise business market share %)