Ransomware, phishing, and cyberattacks in the healthcare sector are increasing. In 2020, healthcare was a top industry targeted by cybercriminals. With the average cybersecurity attack costing $7 million, is your healthcare organization doing enough to secure systems and patient data?
When it comes to healthcare cybersecurity, consider these recent findings from the 2020 HIMSS Cybersecurity Survey:
- 70% said their organization experienced significant security incidents in the past 12 months.
- Attacks ranged from phishing (57%), credential harvesting (21%), social engineering other than phishing (20%), ransomware (20%), website/application attacks (14%), and negligent insider activity (13%) to breaches (11%).
- Financial or employee information is the primary target.
- Disruption of IT or business operations is the typical outcome of an attack, but data breaches and monetary loss were also reported.
- 6% or less of IT budgets is typically allocated to cybersecurity.
Hospital IT departments spend the majority of their time keeping equipment/systems running and supporting digital transformation. As the threat landscape evolves, it’s now time to make cybersecurity a critical part of any healthcare strategy.
Healthcare delivery organizations (HDOs) can improve their security posture and reduce risk by following some best practice advice.
- Conduct Regular End-to-End Risk Assessments – Healthcare organizations need to conduct regular risk assessments to identify weak links in their security framework and to comply with HIPAA. Yet the HIMSS survey found that only half of organizations are actually doing this. An end-to-end assessment should evaluate all IT and healthcare systems and devices as well as the security posture of vendors and third parties. This includes networks, servers, email, remote access, web/cloud applications, legacy systems, medical and mobile devices, industrial controls, video conferencing systems, and more. Each risk should be assessed, evaluated, and prioritized, and a post-assessment action plan should be created and executed.
- Update Software/Hardware and Consider Replacing Legacy Systems – Many IT and healthcare systems have been in place for years or even decades. It’s important to make sure that all updates and patches are applied to hardware and software. According to the HIMSS survey, legacy systems are pervasive in healthcare. Legacy systems are known for vulnerabilities that attackers can exploit, so appropriate compensating controls need to be in place to ensure security. In many cases, HDOs should evaluate legacy systems and develop a roadmap for replacing them with modern systems that support security frameworks such as NIST, HITRUST, or the Critical Security Controls.
- Improve Remote Access Security – With COVID, we have seen a transition to remote working and telemedicine. Healthcare providers need remote access to health systems and patient records. Moving beyond VPNs and implementing a secure remote gateway enables HDOs to lock down systems behind a firewall. This forces remote workers to use the gateway to access critical assets. Access can then be verified, managed, and monitored through privileged credentials. The result is a zero-trust remote access strategy that “never trusts and always verifies” anything and everything connecting to a network before granting access.
- Secure IoT Medical Devices – According to Deloitte, 68% of medical devices will be connected or able to connect to a health system network by 2025. With an estimated 50 billion medical devices connected to clinical systems within the next 10 years, these devices need to be secured and managed. This requires both password management and privileged account management (PAM) software. These IoT devices need to be discovered, and their default passwords need to be changed and managed in a secure vault. IoT credentials should be managed as privileged credentials alongside those for servers and web applications.
- Leverage Identity and Access Management (IAM) Software – To secure systems, data, PHI, and PII, HDOs need visibility into each identity – including related behaviors around that identity. This is done by managing user permissions and access to make sure the right individual has access to the right resources. IAM solutions automate the process of managing digital identities, support compliance/audit requirements, and improve security. By controlling and limiting who has access to what information and systems, HDOs further mitigate risk.
The Imprivata Advantage
We recently announced that Xton is now part of Imprivata, the digital identity company for healthcare and beyond. Imprivata provides identity, authentication, and access management solutions that are purpose-built to solve healthcare’s unique workflow, security, and compliance challenges. Combining privileged access management (PAM) software with IAM extends access control to include administrators and root users – the user type that governs critical enterprise assets such as servers, network devices, databases, and other core resources. With Imprivata and Xton, HDOs can safeguard and control access to a broader set of mission-critical resources and data.
Visit us at HIMSS 2021
Attending HIMSS 2021, August 9-13 in Las Vegas? Meet with the Imprivata and Xton team in Booth 1632 to discuss your cybersecurity needs and how IAM and PAM can help.