Endpoint security is vital, even as 'the definition of endpoint itself has changed'
As health systems become increasingly connected, the number of potential vulnerabilities also rises in the form of endpoints.
Experts at the HIMSS Healthcare Security Forum this week outlined the security hygiene practices necessary to safeguard a system's endpoint perimeter – including grouping assets, leveraging machine learning and artificial intelligence, and implementing robust threat responses when necessary.
"Even before COVID-19, we started seeing a lot more endpoint devices in healthcare, specifically around wearable medical technology, handheld devices [and] medical apps on cell phones and iPads," said Heather Roszkowski, assistant vice president of cyber defense and enterprise chief information security officer for Augusta University, during a HIMSS Security Basics segment available on demand.
"But with COVID-19, we saw an immediate expansion with a lot of that," Roszkowski said. "We had requests coming in left and right for new technologies, especially around telemedicine."
Balancing the speed of those requests with the need for standard security reviews has proven to be one of the biggest challenges in the wake of the coronavirus pandemic, said Roszkowski.
"From my perspective, I think the definition of endpoint itself has changed," added Sriram Bharadwaj, vice president of digital innovation and applications at Franciscan Health Information Services.
"An endpoint is no longer inside your network. An endpoint is actually, in some respects, outside your network," he continued.
During COVID-19, he said, clinical interest in remote patient monitoring soared, with physicians issuing kits including Bluetooth-enabled pulse oximeters and blood pressure monitors to individuals at home.
"The challenge for us from a security perspective, [is]: How do we secure, how do we manage, and how do we maintain those devices?" said Bharadwaj.
In terms of emerging endpoint protections, panelists touted the ability to deploy threat intelligence into one's environment via AI and machine learning.
"But the one thing you have to remember, though, is they are technologies. You have to supplement them with a human factor," said Roszkowski. "The technology doesn't know your organization. You do. … It takes time for it to learn your environment, and it takes a lot of interaction from your human analysts."
That can be frustrating, Roszkowski said, but the time investment also pays off in the long run.
"From my perspective, I think technologies are great, but you are as strong as the weakest link," Bharadwaj pointed out.
Often, he said, that "weakest link" exists among staff members who have not been educated as to their importance in an organization's security fabric.
"We've got all these advanced protections and so on. … But, still, at the end of the day, if we can avoid that person clicking on a link, the phishing attack, that's 10,000 times more protection than the person [who] is trying to write the AI/ML technologies to make it better," Bharadwaj argued.
When there is an incident, Bharadwaj said, people can – and do – panic.
"Help them to not struggle," he advised. "That was a lot more beneficial to us than all the technologies put together."
The best, most cutting-edge security software won't be effective "if the guy keeps on sending his password through the Internet," he said with a laugh.
Bharadwaj and Roszkowski also emphasized the importance of enterprise-wide visibility to flag potential breaches.
"It's nice to be able to scan your endpoints and immediately say, 'Hey, this one hasn't been updated,'" said Roszkowski. "It's absolutely great to be able to have some of those tools in place that can even auto-isolate and stop it until you have an opportunity to get over there and investigate."