Guest Column | October 26, 2018

Cybersecurity For C-level Healthcare Executives

By William Chalk, Top10VPN

Procurement Cybersecurity

When we consider the most serious consequences of industry-level cybersecurity breaches the impact on our healthcare system must be at the top of the list. Inadequate planning or poor resource management could result in a hospital outage, a multi-site catastrophe, the loss of high-risk data, or a threat to patient health.

Along with mitigating risk at an individual level, there’s an obvious requirement to ensure the systems, networks, and devices we rely on are protected against attacks from an ever-increasing number of malicious actors. Several attacks have gained ground in recent months to devastating effect, and its C-level executives that carry the ultimate responsibility for resolving these issues and preventing future catastrophe.

Carrying The Can For Cybersecurity In Healthcare

C-level staff are responsible for creating the right technological framework and the appropriate cultural awareness of cybersecurity among healthcare staff. Typically, we’d consider roles like the Chief Compliance Officer (CCO), Chief Learning Officer (CLO), and Chief Medical Information Officer (CMIO) to be gatekeepers responsible for putting these measures in place across a range of possible attack vectors.

Patient data is an obvious honeypot for hackers looking to commit identity theft, social engineering attacks, or even blackmail. But we’ve also seen the potential for hacks on connected healthcare devices, or the potential of ransomware to interrupt patient care at the coalface. Any attack at a network level could bring multiple sites to their knees, with potentially life-threatening effects on the people reliant on those services.

How can the various risks be managed in a practical, affordable and efficient manner?

  1. Data Encryption
    Encryption is the best defense against unauthorized access to any kind of data; in a healthcare setting, it is essential. No patient information should be stored or transmitted in an unencrypted form, and strict controls should be in place to guard against unauthorized access to encryption keys.
     
  2. Antivirus/ Malware Systems
    Viruses and malware are not just the reserve of the office PC; they can be maliciously installed on any internet-connected device. As online updates make their way into the healthcare space, there is a real risk that patient health could be compromised by malicious software; ‘ethical’ hackers have already proven that certain pacemakers and insulin pumps are vulnerable to attack.
     
  3. Data Loss Prevention (DLP)
    In the age of rapid online sharing and almost ubiquitous reliance on digital communications, accidental data breaches are all too common. There’s also the chance that a rogue employee could share confidential data with unauthorized parties on purpose.

    Data loss prevention solutions need to cover the most vulnerable data that organizations handle; protected health information (PHI) is a key candidate.
     
  4. Healthcare Security Information & Event Management (SIEM)
    No matter how robust a network, social engineering attacks pose a risk. It only takes one person on the network to open a compromised file and potentially infect many others with malicious software, as has been proven in many high-profile cases in recent months.

    Along with the compliance benefits of SIEM, real-time monitoring of networks and systems is vital to detect and contain phishing and ransomware attacks as soon as they take hold. Rapid detection is essential to deal with the threat before it becomes an issue for multiple devices or even multiple sites.
     
  5. HITRUST Security Framework/ SANS CIS Controls
    Healthcare systems require a specific security response, a high level of compliance, and a robust response to new threats. Data security frameworks help to relieve some of the complexity of the threat landscape in healthcare by providing predetermined and highly effective principles for management and ongoing operations.
     
  6. Cyber Liability/ Breach Insurance And Policies
    When sensitive patient data is jeopardized, the threat of legal action can follow. As part of the hospital, site, or network’s disaster planning there should be a comprehensive insurance policy in place, along with dedicated breach incident team to quickly manage and contain attacks so that the potential for lawsuits is minimized. This is also paramount in isolating and resolving issues before they get out of hand.
     
  7. Prioritizing IT Budgets To Security Spending
    In any organization — but particularly when healthcare budgets are pressurized — it can be tempting to concentrate resources on the ‘here and now’. That being said, it is much less costly to prevent a security breach than it is to deal with one that has already happened. As hackers and malicious actors become more sophisticated in their techniques, allocating the necessary budget in advance is essential to avoiding costly clean-ups, catastrophic data loss, or fines for non-compliance. Maintaining an effective cybersecurity strategy isn’t a singular act, it’s a chronic process.
     
  8. Training And Security Education Courses
    Having policies is all well and good, but do your employees understand the implications of this legislature in their day-to-day work? Cybersecurity is vital but is all too easy to toss aside when employees are under pressure. All staff must understand why adherence is crucial, and how these rules will apply to them daily.

    Accredited courses, in-house training, and e-learning initiatives are all good ways to stress the importance of cybersecurity in healthcare and bring about the essential culture change that makes accidental or intentional security breaches less likely.
     
  9. Frequent External Risk Assessments
    Risk assessments are a core component of government requirements, and in the fast-changing security landscape, it’s important to ensure that all facets of the organization are adequately protected. From patient data to multi-site networks, external assessment -- carried out to objective standards -- is key in driving continuous improvement.
     
  10. Control Outside Of The Hospital
    All organizations face the challenge of meeting flexible working requirements, as well as capitalizing on the benefits of allowing employees to work remotely. But when dealing with sensitive data, it’s important to have the correct software and policies in place to ensure that data does not escape your control. High-level executives are often the most vulnerable to these attacks given the frequency with which they handle sensitive information.

    Any employee that uses devices for their work while away from the hospital or working remotely should have them sanctioned and secured by in-house IT. This includes Bring Your Own Device arrangements, where an employee is permitted to use their own hardware for work.

Conclusion

Healthcare organizations face unique cybersecurity risks, and the stakes are high on all sides. Every patient touchpoint is a potential breach; every email attachment a potential for malicious intrusion.

As more of our healthcare services go digital and more data is shared between distant sites and services, a robust and holistic approach is the only defense. With the IoT and perpetually-connected patient health devices already in the picture, C-level staff need to be constantly aware of the changing landscape.

By proactively working to manage and control patient data and system security, as well as educating healthcare staff, C-level executives must take responsibility for preventing threats and improving incident response across our healthcare system.

About The Author

William Chalk is a security researcher and writer at Top10VPN, the world’s largest VPN comparison service. It rates and reviews the best VPN services to help protect consumers’ privacy online. The company also aims to educate the public about privacy and cybersecurity risks through free online resources.