Staying Secure Against Cyber Security Risks In Healthcare
Mark Thompson | June 17, 2021 | 4 Min Read
The COVID-19 pandemic is ushering in an era of digital transformation in healthcare. This means businesses have to grapple with more cyber-security threats. But a recent study noted that 88 percent of executives in the healthcare space aren’t prepared for these attacks. Macadamian’s cyber-security expert and healthcare software architect, Mark Thompson, offers his thoughts on how you can stay secure against the lurking threats.
Macadamian: What’s at stake here for healthcare businesses?
Thompson: To start, a company’s brand is at stake. We’ve seen how security breaches, and how they are handled, can have a big impact on an organization’s brand. If an organization gets hacked, customers lose trust in the company. Additionally, in the healthcare space, you might house patient protected health information, and protecting this data is fundamental. Breaches here not only erode trust, but also may result in hefty fines from regulatory bodies. But an area getting more attention within healthcare lately is data integrity. If data can be modified through a cyber attack, this could put the patient at risk, as it could change some of the clinical decisions taking place downstream.
Macadamian: What do these cyber threats look like in the cloud space?
Thompson: The surface area is much bigger in the cloud space. It’s no longer about a device sitting in a room that can be physically secured. You’re dealing with vast, distributed systems, so you end up with a much larger ecosystem. An attacker needs just one or maybe two different holes in that surface area. But you’re responsible for securing all of it. In the cloud space, the risks are the same as on premise, but the area to protect is that much larger, which makes securing it that much more complex.
Macadamian: What are some short-term actions leaders in the Health Tech space can take to avoid being victims of these attacks?
Thompson: Teams should be running tests and drills with their incident detection and response processes. Some companies develop fairly rigorous cyber-security plans. For others, it’s less rigorous, but regardless of where you are, you’ll find very rarely that those systems are tested. This means the systems and processes in place don’t get tested until there is an actual cyber attack. Avoid that. Instead, I recommend implementing cyber-security fire drills. Consider these exercises where an entire multi-functional team goes through a mock cyber attack scenario.
Macadamian: What are some long-term actions companies can take to avoid being victims of cyber attacks?
Thompson: You really need to be looking at your DevSecOps (development, security, and operations) maturity. Make sure you have a cyber-security risk assessment as part of your development process. This should apply to existing products, but also to any new product introductions and new modules. Security really comes down to a risk-based approach. It’s fanciful to think you can be 100 percent airtight when it comes to security. There will always be some risk exposure. You need to work through the individualized risk profile of your organization and your solutions to customize the spend and the effort that you’re going to put into mitigating those concerns. In the end, you need a layered defence-in-depth strategy driven from the risk assessment.
Macadamian: This pandemic has brought in an era of remote work in many industries, including healthcare. Is this creating a great cyber-security risk?
Thompson: Absolutely it is. You’ve taken a distributed system and just made it more distributed. The pandemic has stressed a lot of organizations in trying to make sure infrastructure like their Virtual Private Network (VPN) can support the scale of their workforce. This means companies now have a larger set of external endpoints that need to be properly secured. Working from home is going to continue to grow and expand. More and more of the security processes and practices will be extended to that broader distributed environment.
Macadamian: Do you feel cyber attacks will get more sophisticated?
Thompson: For sure. You’ve got a much more complex system. We’ve talked about that distributed workforce, which is much tougher to secure. In the last 10 years, the threats have become much more advanced and prevalent. That trend will continue. We’re even seeing wars and political conflicts move to the digital space. Attackers are building their tools at the same time that we’re building the protection. So while our defences are getting more sophisticated, there will always be a constant battle to make sure we stay on top.