The Health Information and Management Systems Society (HIMSS) conference was held earlier this month. It’s the health information and technology event of the year, where healthcare industry professionals share ideas and insights on education, innovation, challenges, and collaboration.
Our experts attended the conference to get the pulse on how the industry is addressing key cybersecurity challenges, and how shifts in the market will impact the need for cybersecurity moving forward. Here are the three takeaways you need to know.
Health tech innovation is up, cybersecurity is not
The healthcare industry continues to shift towards a digital-first environment, adopting more and more technological solutions to serve their patients and to streamline their own services and processes. Telehealth, for example, has risen dramatically, increasing 63-fold during the pandemic.
Many of these solutions are here to stay post-pandemic: telehealth is now a standard offering for many healthcare providers, and even services like mobile check-ins and remote screenings are becoming commonplace. To better accommodate this quick shift, organizations have prioritized digital transformation, with 79% of health systems saying they’re still in the planning stages.
This represents a crucial time for the industry to properly put in place the right infrastructure, policies, tools, and solutions that address the new risk this digital shift is creating. Resources need to be properly allocated to shore up existing gaps and to account for an increased attack surface.
However, too many businesses are still relying on diluted, low-cost, stripped-down security offerings, which can lead to long-term cybersecurity costs while providing minimal protection. Without the right infrastructure, patient health information is at risk and even urgent care centers may be impacted, which can put patients at risk for physical harm.
What we recommend
Healthcare businesses need to invest in updated health systems that not only address new cybersecurity risks but maximize the effectiveness of their digital offerings. Otherwise, they’ll be susceptible to potential attacks and fail to serve a consumer audience that is already expecting digitalized services.
They should look for updated healthcare offerings and solutions that account for new technologies used internally and externally, give organizations the ability to scale their cybersecurity and solutions, detect ransomware, and help with compliance and HIPAA regulations while using these new technologies.
Healthcare organizations must prioritize cybersecurity to address pressing risk
The advent of IoT (or the Internet of Medical Things, IoMT) has completely shifted how an organization needs to protect itself and its sensitive patient data. A security compromise is particularly harmful to a healthcare company. Ransomware, for example, can be the difference between life and death in an emergency room. This is why internet-connected device security is a challenge and should be a priority for securing patient data.
Healthcare data breaches impacted 45M people in 2021, a record amount, and affected multiple healthcare providers and companies, including vision care providers, childcare providers, and third-party pharmacy service providers.
Data breaches are also expected to get worse as zero-day attacks are expected to increase. This is particularly risky for healthcare organizations that currently lack the resources and infrastructure to have the right visibility into their potential vulnerabilities or assets.
What we recommend
As threats continue to press against healthcare organizations that are suffering from an increased attack surface, a more focused approach to cybersecurity is required. Healthcare organizations should try to allocate more resources to address these mounting risks. Here are some areas of priority to consider:
- Focusing on patient safety and data protection: Data protection is likely already on most organizations’ radar, but addressing patient safety is necessary as more and more internet-connected devices make their way into healthcare environments.
- Protecting privacy, PHI, and EPHI in healthcare settings: As you conduct an assessment of the key assets that need to be monitored, secured, and protected, patient health information (PHI) and electronic patient health information (EPHI) should be considered critical data given that malicious hackers often target it.
- Having a plan for ransomware: Ransomware attacks are at an all-time high and malicious hackers know healthcare organizations are prime targets, both because of insufficient cybersecurity and because these organizations can’t afford to wait out a ransomware attack. As organizations prioritize and build out their cybersecurity strategy, how an organization employs detection and response solutions against a ransomware attack is crucial.
- Reconciling patient safety in ERs and other urgent care settings: Organizations should have a separate strategy in place that addresses patient data safety in these high-risk critical areas where internet-connected devices are most commonly found. This will help address potential scenarios in the event of a ransomware attack, an unauthorized user, and/or a compromise that can shut down your network.
- Consider investing in a cybersecurity command center: Organizations with larger budgets and resources may want to have an in-house security team that’s proactively threat hunting and responding to potential attacks to keep uptime as high as possible.
MDR can be a key asset for healthcare organizations
Healthcare organizations can make great use of Managed Detection & Response (MDR) services as they build out their digital infrastructure. MDR providers serve as an outsourced security department, providing 24/7 support as well as critical monitoring, detection, and response services that can account for changes in environments and for more devices across a number of different on-premises locations, while helping organizations comply with HIPAA and other related compliance standards.
Even if healthcare organizations already have an existing cybersecurity infrastructure or a roadmap plan, they can still leverage MDR partners for a number of benefits:
- Filling any monitoring gaps, allowing enhanced telemetry to monitor all incoming traffic, especially if they opt for an XDR solution.
- Monitoring medical devices and other endpoints that don’t have a native visibility or monitoring option, increasing comprehensive coverage.
- Providing proactive threat hunting, monitoring, SOC support, and 24/7 security analysts to respond to attacks during an organization's off-hours.
- Helping organizations meet HIPAA compliance in adopting new digital healthcare solutions.
The digital evolution healthcare companies are embarking on is essential for maintaining progress and success in healthcare. However, it’s not worth pushing hard on digital transformation and eschewing cybersecurity. As more and more digital tools leverage electronic health records (EHR) and various third-party vendors integrate themselves into healthcare organizations’ environments, risk management leaders must ensure any information sharing is done in a compliant and secure way.
Re-assessing what requires cybersecurity attention in a digital environment and with the increased use of IoT devices is necessary in order to properly understand how an organization can invest in cybersecurity tools and solutions. MDR services as well as other forms of detection and response solutions are key for addressing new risk factors and shoring up existing gaps in a company’s environment.
To learn more about how Bitdefender MDR services can help healthcare organizations become HIPAA compliant, check out our executive brief here.