How healthcare security can protect data without sacrificing care
Key strategies such as network segmentation and threat modeling are among the approaches that can increase safeguards for patient services.
In the first article of this series, I outlined why healthcare’s “Golden Hour” creates a unique opportunity for attackers. In the second article, I detailed some of the other specific challenges that healthcare organizations face. That’s a lot to chew on, and it paints the picture of an industry constantly under siege from outside threats.
But that’s not the whole story, because attackers aren’t the only ones fine-tuning their tactics and leveraging advanced new technology. In this article, it’s time to show how healthcare organizations can modernize their approaches to cybersecurity and avoid becoming easy targets for opportunistic attackers.
Security teams in the healthcare industry can’t focus on security alone — they need to prioritize ease of use, reducing friction and ensuring that the process of delivering life-saving care is as fast and seamless as possible. It’s a difficult balance to strike, but modern security tactics and solutions are helping healthcare organizations establish a “defense in depth” approach, layering complementary solutions atop one another to not just prevent breaches, but limit their potential damage.
By conducting threat modeling, implementing network and identity segmentation tactics, and working with skilled security partners, healthcare providers can dramatically limit their exposure and reduce their risk.
Network segmentation is critical
There are two primary lenses through which to consider healthcare security: security of data and security of life. That is to say, if a certain system is breached, what does it mean for the organization? Will it result in the theft of data, or potential loss of life?
Ultimately, the life-saving side of the operation and the business side of the operation have different needs, and it’s important to establish a degree of separation between them. That means segmenting networks and systems according to whether (and how) they impact patient care.
It's easy to see why this is important. Countless healthcare breaches have occurred because an attacker broke in through a system or application that wasn’t actually part of the medical record environment. A poorly secured device or overprovisioned identity can give an attacker a valuable foothold, which they can use as a jumping-off point to move laterally throughout the environment until they reach sensitive systems or data. This is often the result of organizations focusing too heavily on prevention, and not enough on mitigation.
Think of network segmentation like a bank. A burglar who manages to break in shouldn’t have the run of the place. Banks don’t just need locks on the doors — they need locks on the vault, the safe deposit boxes, the cash drawers, the back offices and so on.
The digital infrastructure of a healthcare provider should be constructed the same way. Yes, there should be perimeter protections, but there should also be safeguards that prevent, for example, an account associated with patient check-in procedures from accessing — or worse, modifying — anesthetic dosages. The systems that make the hospital run need to be safely segmented within the metaphorical vault.
Patient care vs. data security
Anything that enables patient care needs to be kept in the vault. That includes obvious things like diagnostic services and access to medical devices, but it also includes things you might not think of immediately.
For example, things like patient intake forms and medical histories might not seem immediately impactful, but consider what might happen if a hospital suffers an attack in the middle of a surgery. If doctors are unable to determine what medications (and what dosages) a patient has received, the results could be disastrous. Anything with even an outside possibility of affecting patient safety must be locked down.
This means healthcare organizations must engage in thorough threat modeling. It’s important to be able to take a given system and clearly identify everything that connects to it, including third-party applications, security systems and more. It’s critical to know every potential avenue that could access that system, because these are the potential pathways an attacker might use. After a threat model has been constructed for a given system, any security controls or other solutions should be implemented with an eye toward reducing, or at least mitigating, risk.
As we discussed in the previous piece, healthcare organizations have an unusually high volume of connections, which means out-of-the-box solutions are unlikely to provide the specific protections and capabilities needed. Instead, establishing separation is key.
Departments like billing and patient intake need to be able to communicate, but it shouldn’t be easy to jump from one to the other. The billing department can — and should — have more controls in place because speed is not a factor. Implementing additional security layers there will not impact patient care but will keep attackers away from valuable and sensitive information.
This same principle should be applied to third-party vendors. Insurance companies, diagnostic services and other partners and vendors may need access to certain systems, and their access should not extend any further. For example, a technology partner installing patches on an MRI machine should not be able to access patient portals or prescription services.
Security starts with understanding risk
Finally, it’s important to know who is making security decisions. If a doctor or other practitioner is in charge of the decision-making process, they may not have the security expertise to ask the right questions of potential partners and vendors. It is critical for organizations to seek out the expertise they need to ask the right questions, establish clear performance benchmarks and ensure they are working with partners capable of meeting their unique needs.
Ultimately, healthcare security is about understanding your digital environments and their differing needs. It’s crucial to identify potential threat vectors and be honest about how prepared the organization is to defend against them. With a thorough understanding of where risks actually exist, it becomes possible to begin building controls around them, closing gaps and separating systems from one another, when appropriate.
By streamlining the processes associated with patient care and layering additional protections around more data-oriented systems, healthcare organizations can avoid life-threatening disruptions without sacrificing security. And then when all else fails, have protocols in place that don’t rely on technology at all, hoping that they’ll never have to be used.
Nick Kathmann is the chief information security officer of LogicGate.