As everything in healthcare becomes ever more complex, one of the biggest challenges healthcare provider organizations need to prepare for is managing secure user access to all the systems that are now interconnected.
From multiple linked patient portals and virtual telehealth platforms to online billing and payment services, the rise in medical digital interactions and transactions has led to massive amounts of sensitive user data being fed into online healthcare systems. So how do organizations make sure this data is properly safeguarded?
To help readers with this critical security question, Healthcare IT News interviewed Aarti Borkar, vice president of IBM Security. She offers her deep security expertise in finding ways to secure the highly interconnected realm of healthcare.
Q: What are some of the big security challenges you see in healthcare today? Are healthcare organizations able to securely manage the rising interconnectedness of the patient-provider experience?
A: Digital healthcare has seen a massive surge over the last year during the pandemic. With more people turning to telemedicine services and digital health solutions – not to mention the entire vaccine rollout process – patient data now exists online in more locations and silos than ever before.
While the pandemic has offered a much-needed push for people and healthcare systems to embrace digital health solutions, healthcare organizations are faced with a variety of security challenges to keep critical IT systems secure and patient data private.
Health data remains attractive to cybercriminals because it lasts forever. With credit cards, banks can reset the cards, which results in an "expiration date" on their usefulness to criminals. But health records never expire, and can be used for numerous malicious activities, including identity theft, insurance and healthcare fraud, and more.
Given the highly sensitive nature of this data and the strict regulatory requirements surrounding it, healthcare providers must take every precaution to ensure patient data remains confidential and protected, even as their IT systems evolve and become more and more interconnected.
Finally, there is an added layer of urgency to protecting IT system availability in the healthcare industry. As providers become increasingly reliant on digital systems, any interruption that could lead to system downtime now poses an even greater threat to patient care and livelihood.
Unfortunately, cybercriminals have used this to their advantage, leveraging ransomware to prevent access to data and IT systems and demanding huge sums of money in order to restore access. According to IBM Security X-Force data, ransomware was the No. 1 threat impacting healthcare organizations in 2020, representing almost a third of all attacks in this sector.
Q: The pandemic has increased this complexity: Multiple linked patient portals, virtual telehealth platforms, online billing/payment services and more. How do organizations make sure all this data is properly safeguarded?
A: When it comes to securing sensitive data, organizations need to ensure that only the right people have access to the right data for the right duration of time – and that the data is being used in the right context of the task being performed. This ensures that data cannot be misused intentionally or unintentionally. At the same time, if we monitor user behaviors to find any suspicious usage of information, we can prevent misuse faster.
Given the huge implications for security in the healthcare sector, these organizations should also consider adopting a "zero trust" approach for their overall security strategy. Whereas historical approaches to security have been focused on securing the IT perimeter and keeping threats and unauthorized users "out," the distributed and cloud-based nature of today's environments requires a more robust approach in which nothing should be trusted inside or outside a healthcare organization's perimeters.
In this zero trust model, anything trying to connect to its systems would need to be verified before gaining access, and continually monitored for any unusual behavior even once initial access has been granted. In this approach, security controls are based on "context" – creating a more connected model in which previously siloed security tools can share context with each other, helping to better protect the connections between users, data and resources.
In this model, companies must also implement IT policies and controls that follow the principle of least privilege, allowing certain data access only to users who require it to do their jobs.
Lastly, healthcare organizations should consider the benefits of applying automation and AI within their security systems in order to correlate data and identify potential security compromises much more quickly than manual review and intervention. The use of these technologies can bring the most important threats to the surface much more quickly for security teams to investigate and react to – helping thwart threats before they cause too much damage.
Q: Describe the importance of security frameworks, and how they can help ensure incidents of compromise can be isolated. How can the organization ensure attacks don't snowball across all other services/systems/departments that it's interconnected with, and debilitate the entire organization?
A: Patient health data, as well as any other data that is required for active patient care, should be segregated from other data. This way, in the event there is a data breach, if a particular system is compromised, attackers won't have a direct gateway to where patient data lives, which is often what they're after.
This type of segmentation should also be applied across departments and systems, with controls and policies in place so that users can access specific systems and data, limiting the impact of a compromised account or device. To prepare for the event of ransomware, there must also be backups in place so that systems and data can be quickly restored with minimal interruption.
To always stay prepared for the worst-case scenario, healthcare organizations should also develop a solid cybersecurity incident-response plan and schedule regular tests to ensure the plan works, everyone knows their role and what to do if an attack were to occur, and make modifications as necessary to keep the plan up to date. A proper plan should include playbooks for specific types of attacks and build in appropriate contingency plans to minimize impact to the organization.
Additionally, it's good to always have a trusted breach response team on speed dial rather than trying to find the right team that needs to learn your systems for the first time once you've already been breached. So a retainer with an incident response team should be standard operating procedure.
With proper preparation, it's more likely to detect, respond to and contain an attack – rather than let it snowball out of control.
Q: You've talked about the issue of trust as healthcare organizations adjust their security strategies. Can you explain the problem?
A: We're in an era where trust is top of mind for consumers – and securing patient data should be a top priority in healthcare. As organizations move rapidly to stand up digital health solutions to meet new patient needs in our current pandemic landscape, they need to make sure security is not falling through the cracks in the name of speed to market.
Any new application needs to be scanned and tested thoroughly before deployment, ensuring it is secure and that proper coding practices were followed during development.
For highly regulated industries like healthcare, where sensitive patient data is transmitted across the network via connected devices, adopting a zero trust policy is key to proactively managing threats. Keep in mind that an attacker only needs to find one loophole to gain a foothold in a network or system.
With constantly evolving infrastructure and applications, the fast-paced nature of the industry, and human error as a constant risk factor, healthcare organizations need to shift to a model in which no user or device should be automatically trusted with a single verification.
This approach implements both the policies and technical controls so that users, devices and data are continually monitored and verified – making them accessible only on a limited basis and under the right circumstances.
This in turn limits the amount of damage that can be done in the event that a hacker is able to circumvent a particular security roadblock. This is the most effective way to ensure security and privacy for sensitive data – weeding out threats and bad actors before they can gain access to critical data and systems.
With both of my parents spending their careers as doctors in the medical field, I know all too well that trust between patients and their healthcare providers is crucial – and that trust must also extend to trusting healthcare providers with their most sensitive data.
Nowadays, cybersecurity is intrinsically tied to the quality of care that can be provided, meaning security must become a top priority for healthcare organizations of all sizes.