Security Assessments and Their Role Within Proactive and Reactive Cybersecurity

By Dave Bailey, Vice President of Security Services, CynergisTek

Like virtually every other industry over the past two years, the healthcare sector has been impacted by a profound digital transformation that has abruptly changed organizational policies and realities. Exigent circumstances forced governance and compliance standards to quickly adapt, enabling healthcare organizations to adequately – not perfectly – manage deep and wide network transformations.

Although digital transformation enabled numerous enterprise-scale benefits, including electronic orders and clinical workflows, rushing major IT changes unsurprisingly increased organizational risks as well. Decisions to “act first, fix later” were in many cases overly permissive on network security, expanding the healthcare sector’s attack surfaces and exposing hospitals to increased cybersecurity threats.

In response to the increased threats, governments have developed new guidance to establish necessary foundation-level protection standards, guidelines for reporting threats, and increased assessment of risks and security parameters. This guidance expands upon prior requirements: for instance, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule already requires healthcare organizations to carry out risk assessments, which are necessary and show organizations where they must remediate risk.

Adhering to regulation is needed but not sufficient to protect against modern cyber threats

Given the rapid growth of threat actors targeting the healthcare sector, continuing with traditional compliance-based approaches to security is not sufficient to protect organizations against cyber criminals and disruptive attacks. Beyond complying with industry and government standards, organizations must commit to adopting proactive and anticipatory approaches to security, ensuring they are tackling issues head-on, rather than addressing them reactively – when it’s too late to stop or limit damage.

Proactive cybersecurity measures go beyond enabling healthcare organizations to prepare for potentially disruptive cyberattacks. They also ensure that plans are in place for inevitable attacks, including protocols for handling data loss, or worse, managing consequences for patient care. By contrast, reactive organizations that are not prepared for today’s attacks will suffer from potentially lethal downtime and scramble to find long-term solutions while also doing damage control.

As threat actors are continuously finding new ways to disrupt and extort the healthcare industry, government regulations have not been able to keep up. Individual state legislation has added to the regulatory challenge: National healthcare leaders now face a patchwork of unique and somewhat unpredictable regulations, creating a challenging and fluid landscape. Mounting threats and regulatory issues have only reinforced the need for healthcare organizations to perform HIPAA-mandated risk assessments and take appropriate actions.

Proactivity must become the new normal for healthcare organizations

In the past, organizations treated cybersecurity as an afterthought, and most could afford to do so; threats were once both uncommon and limited in scope. But in the current threat climate, organizations need to change their mindset from “reactive” to “proactive” and prepare for when they are attacked, not if.

The first and most critical step in adopting that proactive stance is ensuring a robust security risk assessment program – one that ensures organizations understand where they are most exposed to potential threats and then act to address those exposures. That said, successful proactive cybersecurity is a journey, not a destination. Beyond carrying out risk assessments, continuous attention and the following three actions are required:

  1. Test and validate plans. Organizations must have response plans ready to immediately execute in the event of an incident. Key players need to know how to operate under duress and how law enforcement, cyber insurance, incident response firms, and business leaders will communicate and act. Ensuring that those involved understand their marching orders will smooth out responses that could otherwise become increasingly complicated, particularly when access to systems and data may be limited.
  2. Protect identities and privileged access. The use of compromised credentials is common among the successful attacks used to extort and steal information. Organizations must protect identities with multifactor authentication and limit the number of users with privileged access. This is a continual effort requiring people, process, and technology to manage effectively.
  3. Continually monitor for attacks. Cybersecurity systems need to be continuously monitored and updated in order to function at their best; only then will organizations be able to actively track threats and know when the systems are raising flags that must be addressed. Knowing all the assets needing protection and having continuous visibility across the entire attack surface is critical for effectiveness in minimizing the impacts of disruptive attacks.
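The second action above, protecting identities and limiting privileged access, is the kind of control an organization can check on a schedule rather than only at an annual assessment. The following is an added example, not code from the article or from CynergisTek: it audits a constructed, flattened directory export for privileged accounts that lack multifactor authentication, privileged accounts that have gone idle, and an oversized privileged population. The column names, the role names in `PRIVILEGED_ROLES`, and the thresholds are assumptions chosen for the example, not any vendor's schema or a regulatory figure.

```python
"""Audit a directory export for privileged-access hygiene.

Added example (not from the article). Field names, role names and
thresholds are assumptions; adapt them to the local identity provider.
"""
import csv
import io
from typing import Dict, List

# Constructed sample export. Columns are an assumption for this example:
#   username, roles (semicolon separated), mfa_enrolled, last_login_days
SAMPLE_EXPORT = """username,roles,mfa_enrolled,last_login_days
jdoe,clinician,true,1
asmith,domain_admin;clinician,false,3
svc_backup,domain_admin,false,400
rlee,helpdesk;privileged_access,true,2
mchen,global_admin,true,0
tbot,clinician,false,12
"""

# Roles the audit treats as privileged (assumed names; extend to local naming).
PRIVILEGED_ROLES = {"domain_admin", "global_admin", "privileged_access"}


def parse_export(text: str) -> List[Dict]:
    """Parse the CSV export into a list of normalized user records."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "username": row["username"].strip(),
            "roles": {r.strip() for r in row["roles"].split(";") if r.strip()},
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "last_login_days": int(row["last_login_days"]),
        })
    return users


def is_privileged(user: Dict) -> bool:
    """A user is privileged if any of their roles is in PRIVILEGED_ROLES."""
    return bool(user["roles"] & PRIVILEGED_ROLES)


def privileged_without_mfa(users: List[Dict]) -> List[str]:
    """Privileged accounts with no MFA enrollment: the highest-value finding."""
    return sorted(u["username"] for u in users
                  if is_privileged(u) and not u["mfa_enrolled"])


def stale_privileged(users: List[Dict], max_idle_days: int = 90) -> List[str]:
    """Privileged accounts idle longer than max_idle_days (candidates to remove)."""
    return sorted(u["username"] for u in users
                  if is_privileged(u) and u["last_login_days"] > max_idle_days)


def privileged_share(users: List[Dict]) -> float:
    """Fraction of all accounts holding a privileged role."""
    if not users:
        return 0.0
    return sum(1 for u in users if is_privileged(u)) / len(users)


def audit(text: str, max_privileged_share: float = 0.25,
          max_idle_days: int = 90) -> Dict:
    """Run all checks and return a findings dict suitable for a tracking ticket."""
    users = parse_export(text)
    share = privileged_share(users)
    return {
        "privileged_without_mfa": privileged_without_mfa(users),
        "stale_privileged": stale_privileged(users, max_idle_days),
        "privileged_share": round(share, 3),
        "privileged_share_exceeded": share > max_privileged_share,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Each finding maps to a remediation the article calls for: enroll or disable the accounts listed under `privileged_without_mfa`, review and remove the idle accounts under `stale_privileged`, and treat an exceeded `privileged_share` as a signal to shrink the privileged population. Running the audit on every export rather than once a year is what turns the control from a compliance checkbox into the continuous effort the article describes.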

There’s little question that the pandemic and the consequent rapid digital transformations have forever changed the healthcare sector – as protective masks and increasingly frequent ransomware attacks amply demonstrate, old approaches to physical and digital security just aren’t enough anymore. What worked yesterday is inadequate today, and for that reason, healthcare systems must increase the frequency of their risk assessments and validation efforts, rather than testing occasionally or conducting merely annual run-throughs.

A proactive rather than a reactive approach is critical. Planning ahead will save organizations money, frustrations, and other troubles down the line. In the event of an attack, proactive cybersecurity will likely spell the difference between a hospital remaining open and functional or having to close its physical and digital doors at a time of serious need.
