Jens Kögler, Healthcare Industry Director EMEA
Cybersecurity is a significant threat in the healthcare industry because of the interconnected nature of modern healthcare networks – something we touched on in a previous blog. The consolidation of so much highly personal and vital data in an ‘organisation’ that everyone uses makes it a target for hackers and cybercriminals. So, how can healthcare organisations immunise themselves against, or at the very least mitigate, such threats?
Data and trust
Whether it’s personal, patient details or information on ground-breaking research, data is an incredibly important asset in helping to deliver patient care and driving the future of patient care. Yet healthcare organisations across Europe all have the same challenge – being able to share this information in a transparent, easy yet secure way where patient trust is not compromised. Yet the last five years has seen a surge of attacks on the healthcare industry, with the largest breaches impacting as many as 80 million people.
The highest threat to the security of a hospital network is probably still the user who opens security holes for potential attackers through conscious or unconscious actions. For IT organizations, this means that IT systems are still manageable for users and do not restrict them in their daily work and make their use as simple and intuitive as possible. In July last year, it was revealed that 150,000 NHS patients’ data was shared over a three-year period following a major breach. In the US, the 2015 cyber-attack on Anthem saw hackers steal 78.8 million patient records, claiming highly sensitive data, including names, social security numbers, home addresses and dates of birth.
But the value of the data is only one half of the equation. The other is that the existing model for IT security – secure the network perimeter with an ever-higher and thicker firewall, then plug any holes that appear due to new technologies with point solutions – doesn’t work anymore. Wearable devices, for instance, require incredible caution when integrating them into critical infrastructures, because manufacturers don’t tend to focus on security in development.
We live in a world of more and more complex interactions, more connected devices and sensors, dispersed workers and the cloud, all of which have created an exponentially larger attack surface than has historically been the case. And, where is the perimeter now? Modern-day security requires an investment shift away from trying to prevent breaches at all costs and towards building intrinsic security into everything – the application, the network, essentially everything that connects and carries data.
Prevention is better than cure
Breaches are inevitable but how fast and how effectively healthcare organisations mitigate the threat is what matters. Through a combination of low complexity and high ambition, healthcare teams must be empowered to innovate and deliver new mobile and data-important services that chime with today’s security requirements while still offering the flexibility to deploy the types of services that patients and healthcare organisations need and have become accustomed to.
- Automate processes and manual tasks – Automation frees up people to focus on more valued-added pursuits such as delivering patient care or expediting drugs through regulators. Perhaps more importantly, it is essential to combating threats. When it comes to noticing abnormal system behaviour that might give a sign to a data breach or other security event, machine learning technologies pose incredible value. Automated technology is able to analyse an abundance of information and data points within a matter of seconds, making it a valuable technology in finding outliers where an initial breach may have occurred.
- Move to a zero-trust policy for application behaviour, devices and access – Zero Trust mandates a “never trust, always verify” approach to access, from inside or outside healthcare providers’ networks. However, recent research by Forbes Insights, revealed healthcare has the lowest adoption rate of all industries of zero-trust approaches to application behaviour – 58%, compared to an average of 66% in EMEA. Healthcare organisations also rank lowest in their confidence in strategies to identify ‘known good’ application behaviour – which validates how an application is known to work rather than chasing threats – for an effective zero-trust application strategy (12% versus 26% overall). These findings demonstrate the alarming imperative for healthcare organisations to adopt zero trust across all applications and interfaces, which stipulates that systems should automatically verify all requests for connectivity or access, and not trust anything from inside or outside.
- Adopt intrinsic security to combat the growing threat landscape – The use of connectivity in healthcare devices to collect and disseminate real-time data for faster, more accurate analysis, or tailored treatment has created a significant opportunity for medical professionals to improve diagnosis and treatment. It also cuts operating costs and enables remote patient monitoring. However, these devices also bring significant security risks if not managed properly. According to Allied Market Research, as of 2018 there are 3.7 million medical devices in use that are connected to and monitor various parts of the body to inform healthcare decisions. But securing the data that sits on these devices requires intrinsic security and protecting applications from the inside out, rather than bolting on security – an approach which will inevitably end up always being at least one step behind.
- Create a security framework that supports the flexibility staff and clinicians need – The majority of healthcare organisations want fast, secure access to all applications and data as they look to increase the quality of both the patient and clinician experience. Yet at the same time, they are increasingly aware that with the wide attack surface and the complexities of digital interactions, end-users serve as the first line of defence. Most attacks in healthcare organisations are all preventable to a large degree through end-user awareness and education that comes from the very top of the organisation. But what happens when the device itself is stolen? Robust tools like mobile device management and biometrics provide water-tight security for physical devices and protect patient data. However, rather than adopting a “command and control” attitude, healthcare organisations should ensure a framework is in place that allows employees to work from a range of devices, applications and locations without feeling the need to bypass security rules.
- Ensure patient data remains in the hands of patients – GDPR has created a framework to help ensure data remains in the hands of the individual. In healthcare, the general consensus has been that the patient’s data belongs to the patient. But the patient must also retain the right to determine which doctor, pharmacy, hospital and health insurance company they want to provide certain information to. The industry needs to help ensure patients can exercise their right to share data with those whom they trust. Only then can it credibly convey to patients and society that what happens to their data is exclusively for their own benefit and lies in their hands. Data-driven healthcare services will only find social acceptance under this condition.
With a landscape characterised by more voluminous and more sophisticated threats, the modern-day technologies healthcare organisations are using require a modern-day approach to security – one that is anchored in building security intrinsically into the infrastructure. There will always be ways that cybercriminals will find ways to be one step ahead of their victims. But we should make it as hard as possible for them. This means innovation in patient care and service delivery can continue to be driven and not be thwarted by security.
Read our new The Future of Healthcare Report to see how VMware is approaching security in the healthcare sector.