Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice, Infosys talks about the ways to overcome cybersecurity challenges in healthcare
As the healthcare industry increasingly relies on digital technologies, cybercriminals are exploiting their systems and devices to steal Patient Health Information (PHI), for identity theft, medical fraud, and extortion.
Take, for example, the massive cyberattack on a top government-run hospital in India, in late November last year, which forced it to shut down many of its servers and go back to manual operations.
The number of healthcare breaches in India has been rising alarmingly, particularly since the sector has not focused on strengthening its cybersecurity posture. Very few healthcare companies have a CISO or a dedicated cybersecurity department. Data published by cybersecurity think tank CyberPeace Foundation and Autobot Infosec Private Ltd, revealed that the healthcare industry faced 1.9 million cyberattacks until November 28th, 2022.
Traditional security measures are no longer reliable while the perimeter that organisations must defend has grown exponentially, calling for the protection of an entire ecosystem. The rise of healthcare-related hacks post-COVID has compelled the industry to adopt the following measures for an adaptive security ecosystem:
Implementing information security governance and risk management
Establishing an information security governance framework helps organisations define clear roles and responsibilities and prepare for risks or events before they occur. This forces organizations to continually revaluate their critical technology infrastructure, stay proactive by enforcing hygiene and enabling business functions through integrated risk management functions.
Businesses must tailor their governance, monitoring, and compliance processes in a way that creates an equilibrium between security and meeting regulatory mandates such as HIPAA, PHI data, and GDPR.
Securing pro-actively
Medical institutions need several infrastructure, databases, and research facilities that are critical to their business. With the healthcare industry’s low IT security spending, hackers see an opportunity to benefit from these systems. Most firms consider security only after being hacked.
Enforcing hygiene
Network-connected IT and medical equipment need IT hygiene practices to avoid getting exposed to cyberattacks. Security monitoring, logging, and real-time threat intelligence give security analysts context-specific information to enforce hygiene. To ensure that IT hygiene practices are not in conflict with business demands, organisations should regularly update or replace their operating system (OS) and medical devices. They must harden internet-facing and high-risk systems and set up IoT security procedures for remotely linked devices.
Addressing new and emerging threat surface
Businesses must develop a defence-in-depth mechanism to handle the new threat surfaces created by remote operations. It is also critical to consider the varying motivations of different threat actors, such as insiders, competitors, and nation-states.
For example, while some criminals seek to profit from PHI data, state-sponsored attacks could target labs to obtain confidential vaccine information. Healthcare and life sciences organizations must secure remote access controls, disable unnecessary insecure services and protocols, and enforce endpoint controls to prevent data leakage.
Securing by design
Everyone is responsible for cybersecurity. Doctors, nurses, hospital staff, critical care providers, and scientists at pharmaceutical companies must be educated on security risks and how to deal with them.
Adopting multi-factor authentication
Multi-factor authentication offers a highly reliable approach to securing data and applications. It requires a user to use two or more credentials to authenticate the login identity. In case one of the credentials is compromised, the unauthorized user will need to provide the second authentication to gain access.
Managing detection and response
The changing threat patterns, as well as the constantly evolving technology tools and processes, necessitate a constant focus on improving security posture. People with diverse skill sets are needed in the cybersecurity field to deal with threat detection technologies, access management, governance risk, compliance, and much more. Almost 90% of healthcare IT security leaders say they don’t have enough skilled cybersecurity professionals to improve their security posture. Fortunately, these abilities can now be outsourced.
Prioritising cybersecurity
When it comes to the cost of a data breach, healthcare is the most expensive industry. Data breaches in the healthcare industry, according to 2022 industry estimates, have been the most expensive for 12 years in a row. They set a new high in 2022, with an average breach costing $10.10 million. Despite this, healthcare providers spend far less on cybersecurity than other regulated industries. Healthcare providers must identify and invest in appropriate information security programs and create the role of a CISO to ensure security gets the priority it deserves. They must adopt best practices such as behavior-based anomaly detection and sandboxing for threats that cannot be detected using signature-based systems.
Most importantly, for the health industry, cybersecurity is fundamentally about patient safety and uninterrupted care delivery. Cyber safety is patient safety.
- Advertisement -