Master the unique challenges of hospital data security
A hospital has to manage a traditional IT environment like any other business, but it also faces challenges from two additional environments: the clinical technologies involved in the delivery of care and the modern electronic health record system.
“Each presents its own unique security challenges for the modern healthcare delivery organization,” said Michael Murray, CEO of Scope Security, who is due to speak on the subject next month at HIMSS21.
He explained that hospitals have the same traditional IT technologies (laptops, switches, routers, servers and so on) as all environments, and securing those assets is similar to what happens everywhere.
But Scope’s research shows that, for a given income level, healthcare organizations have about 10 times fewer security staff than a traditional financial services organization.
“So if you have a tool that sends out 100 alerts a week, a hospital team will be overwhelmed by the tenth alert,” he said.
Another environment is clinical technology; that is, medical devices and all the technology involved in providing care.
The challenges of these technologies are well known: legacy equipment (over 75% of devices used today are on operating systems that no longer receive patches), long device lifecycles and restrictions on deploying security controls.
“These devices provide fertile targets for hackers to hide in a healthcare environment while they conduct reconnaissance and evade detection,” Murray warned.
The third environment encompasses the massive EHR systems on which hospitals depend. These technologies hold the hospital’s primary information assets and, due to a lack of regulation, do not publish any information about vulnerabilities or how to detect attacks, which means most modern security products have no way of understanding how to protect these systems.
Murray explained that visibility into all environments and technologies is the first step in resolving security concerns.
“Healthcare IT managers need to understand the wide range of technologies used in a hospital and assess which of these systems and machines they would detect attacks against and where they would be blind,” he said.
“Because these three environments are interdependent on each other, having great security over a single set of technologies, such as laptops, will not be enough if attackers take another path, such as entering through the patient portal and hiding on clinical equipment until the day they deploy their ransomware payload.”
From Murray’s perspective, the crucial question in evaluating security solutions is understanding not only what a technology can do, but also what that specific technology will require to be implemented and to run once it is operational.
“The main challenge for healthcare organizations is that most tools are designed assuming a very different level of staff than they currently have,” he said.
Murray noted that while it is important to have a security strategy in place to deter and stop ransomware, the scariest attacks are those that remain silent forever.
He said healthcare security officials need to think about all these types of invisible attackers and how they would detect their hidden presence inside their EHR system or on legacy medical devices while they steal patient data and other important information assets.
“If they do a good job, ransomware will also be supported,” he said. “Unfortunately, focusing only on ransomware leads many organizations to develop a security strategy that is based on this type of attack model.”
Michael Murray will share some healthcare security best practices at HIMSS21 in a session titled “A hospital is not a bank, why healthcare security is difficult”. It’s scheduled for Wednesday, August 11 from 11:30 a.m. to 12:30 p.m. in Caesars Forum 123.
Nathan Eddy is a Berlin-based healthcare and tech freelancer.
Twitter: @dropdeaded209