Cyberattacks, whether generated from a single individual or a politically-motivated group, have emerged as a bigger threat to the healthcare industry security in recent years. Tight regulations and the growing number of electronic devices that store health information exacerbate the challenge that hospitals face in securing both internal and patient data. Any individual can walk out of his or her office with confidential patient information on a flash drive or laptop and have these items stolen from his or her car. Therefore, vigilance, advanced security systems and advanced compliance and training programs are essential for hospitals seeking to avoid investigation or liability.
According to PwC, an estimated 85% of large health organizations experienced a data breach in 2014, with 18% of breaches costing more than $1 million to remediate. These numbers are expected to increase as more and more portable health care devices become linked to the internet. As a result, hospitals should review their security practices, update them, conduct training of all their staff, and determine how often the hospital will require retraining. The data security issue is complex, but for healthcare facilities that are starting or renewing their commitment to security, the following three areas should be the focus of extra vigilance:
Internet of Things (IoT) devices
Advancements in sensors, open systems connectivity and analytics software have all enabled healthcare institutions to manage real-time tracking of people and devices at a lower cost than ever before. However, on the security side, this convenience comes at a price. Since these devices connect to the internet, more investment in cyber risk management is recommended. In traditional healthcare infrastructure scenarios, uptime, accurate processes and functioning equipment are top priorities; in other words, it’s about reliability. In the cyber world, it’s all about resilience. Being cyber resilient means more than just addressing protection and prevention. The concept encompasses the ability of an organization to react quickly when a cyberattack occurs.
Secure network / firewalls
When planning for protection from cyberattacks, any newly acquired IP devices should be audited to make sure they are configured into a secure network. The network should be designed accordingly to allow for segregation of systems and access. For example, the Closed-Circuit Television (CCTV) system should be segregated from any guest Wi-Fi. Vendors can recommend proper design and use of virtual LANS and management of incoming and outgoing data to help provide more resilience. Network intrusion detection systems and firewalls help to support these efforts by protecting network boundaries from outside threats. Such systems can minimize the damage from cyberattacks by searching for anomalies and signatures on the network. When an anomaly is identified, an alert is forwarded to the analyst for review. The analyst investigates and determines if the alert is a false positive or a potential attack against the network. In some cases, these systems can block an anomaly or signature before it can cause damage.
Data centers and network closets
Security for these sensitive areas needs to focus on control and surveillance of humans who move in and out of these facilities. Security hardware should include access control (regulation of who is entering the room via card readers or electronic doors), intrusion detection (sensors to detect either the open or closed status of protected points of entry), and visual surveillance systems (generally comprised of television cameras and monitors, video amplifiers, video switches, video recorders, audio recorders, and related cables, fittings and attachments).
Vendors who support healthcare facilities with technology solutions also need to contribute their cybersecurity expertise. Some have incorporated ISO 27034-based processes that define a Secure Development Lifecycle (SDL) for their products. Within the context of SDL, secure architecture reviews, threat modeling of the conceptual security design, secure coding rules, specialized tools to analyze code, and security testing of the products are all part of the process. These actions help to ‘harden’ products, making them more resilient against cyber-attacks. In this way, as new products replace old, entire systems evolve to become more cybersecure.
To learn more about healthcare data security efforts and the related topic of business continuity, download Schneider Electric’s new reference guide “A Practical Guide to Ensuring Business Continuity and High Performance in Healthcare Facilities”