How to mitigate the risks of browsing in healthcare organizations

Ransomware, malware and cyberthreats require a new approach to web security, in order to ensure protection of provider networks.


The freedom to browse comes with inherent security risks. While healthcare organizations must adhere to strict compliance rules to ensure data security and privacy, ransomware and malware threats are widespread and show no signs of slowing down.

We have seen hospitals such as Hollywood Presbyterian and major healthcare organizations, such as the UK's National Health Service, held hostage by cyberthreats. Even healthcare organizations with more proactive security measures are vulnerable. For example, Urology Austin, which operates in 13 locations throughout Texas, managed to thwart a ransomware attack – but despite early detection, the medical records and associated personal information of nearly 280,000 patients had already been exposed by the hack.

The reality is that today’s healthcare organizations are increasingly relying on cloud infrastructure, mobile devices and browser-based applications to support both front- and back-office processes. Thus, organizations are challenged with maintaining a balance between deploying solutions that provide the utmost in accessibility and security without impacting workflow and, most importantly, day-to-day operations.

Ransomware attacks are massively increasing in both sophistication and volume. Private health information is extremely valuable for hackers and their ability to obtain it—through ransomware and other schemes—poses an ongoing security concern. Each day, hackers are implementing highly creative ways to reach their targets by luring end users to click on seemingly innocuous links, or through file downloads that appear to be legitimate. Once the bait is taken, it can be “game over.”

As ransomware techniques and malware continue to evolve, it is getting harder for antivirus, firewalls, and other types of “detect and block” solutions to address unknown threats and to offer healthcare organizations an effective toolset.

According to the FBI, organizations should spend less time on detection and focus on two key areas:
  • Prevention: Robust technical prevention mechanisms and awareness training for employees
  • Business Continuity: Creating a solid business continuity plan, including daily backups and verification

It is hard to think of how we would operate without the Internet and browser-based applications today. Most electronic medical records (EMR) solutions, billing applications and lab management systems offer browser-based functionality. Hospitals also rely on the Internet for ongoing research, email, patient communications, and to collaborate with other clinicians and specialists. The Internet is transforming healthcare and how patients are cared for.

It was not so long ago that web browsing was available solely on certain office computers. Fast forward to today, and we browse from a broad array of devices including smartphones and tablets. At the same time, the current primary requirement from web browsers is shifting from simply providing a seamless user experience to also ensuring data security, privacy and compliance.

This has not always been the case; let’s take a quick look at the evolution of secure browsing mechanisms and how they are evolving as the needs of healthcare organizations are changing. From inconvenient, dedicated browsing stations to the promise of today’s browser isolation model, recent innovations can now provide the highest levels of security and a seamless browsing experience.

Originally, dedicated, Internet-enabled computers were made available to end users, but were not connected to internal networks and systems. This ensured data could not be compromised by external threats. However, the separation of internal networks and the Internet comes with a cost, as it requires additional workstations and the overhead of managing disparate machines. Obviously, the user experience is far from ideal; shared computers might not always be available when needed and information from the Internet cannot be easily transferred to applications and systems on internal networks without manual manipulation. This can impact productivity, as well as the ability to expedite treatment.

As more employees began to require Internet access for research and other applications, organizations took various measures to harden the local browser, enforce browsing security policies, and implement URL filters. This was the beginning of individual secure browsing, but it didn’t provide adequate protection from the increasing volume and variety of threats, and has not yielded the freedom to navigate the web without risks. A better, more secure approach was required.

Next in line was remote connectivity using virtualization. This was the first “smart” solution for secure browsing, in which users access a remote browser using Microsoft RDS or VDI technologies and use that “session” to access the web. In this scenario, users are not directly accessing the web, but rather connecting to a virtual browser to do so, which eliminates the direct contact between the endpoint device and the Internet.

With remote browsing via a virtual browser, Internet-borne threats are restricted to the virtual machine isolated from the endpoint. No information is cached on that endpoint and the user views the remote content as they normally would; the only difference is that the information is rendered via a visual stream of digital bits. Additional licensing and hardware for VDI and terminal devices are required.

In addition, there are limitations related to performance and the number of remote browsing sessions a server can technically handle. Moreover, most solutions of this type require installation of an agent on every endpoint and occasional updates, which is time-consuming and costly for IT departments.

With the evolution of the “isolation” concept (sandboxes and containers), the next step in the secure browsing evolution was an isolated browsing environment hosted locally on the endpoint. In this case, the endpoint comes pre-configured with multiple virtual environments and secure browsing occurs as a separate activity within a secure, contained virtual environment. This separation ensures that even if malware penetrates during the browsing session, it does not contaminate the endpoint and can be remediated within that isolated virtual environment on the endpoint.

This approach usually requires an agent installation on the endpoint or pre-configuration of the virtual environment on the device as part of the operating system. It also has implications related to the cost of hardware needed to support multiple operating systems, complexity of deployment, and the time it takes to install across the organization. Additionally, some of the hardware for the end users will need to be replaced.

One of the issues with this approach is that if malware is downloaded, it gets past the firewall and sits inside the secure network, within a contained environment on the device, and there is the possibility of leakage. Thus, the malware can potentially harm other network applications and systems.

The most advanced form of secure browsing known today – remote virtual secure browsing – combines the best of all methods and offers a viable solution that provides a seamless and native user experience with one of the best price-performance ratios. This alternative can prevent ransomware and Internet-borne threats by conducting isolated virtual browsing sessions remotely, giving users the freedom to browse safely while protecting an organization’s IT infrastructure.

Remote virtual secure browsing provides a clientless approach, meaning there is no endpoint installation required. Hence, end users can utilize any operating system, on any device, and are not limited to a specific type of browser. The browsing session is executed inside a one-time disposable container in a remote “safe zone,” ensuring any potential malware is fully contained and disarmed in a demilitarized zone (DMZ) – never making its way to the device or network.

This approach ensures that Internet-borne threats can be handled without impacting productivity, and most importantly, without the need to make costly investments. Furthermore, files can also be downloaded, but undergo a “sanitization” process first. Downloads are made available after they are cleared of any potential malware.

Healthcare organizations are at the forefront of technology and require access to a variety of web-based systems, resources and applications to deliver services. In addition to safeguarding confidential data and privacy, internal networks and vital devices such as heart monitors and other medical equipment must be protected at all costs. Similar to how hospitals contain at-risk patients diagnosed with a contagious disease, a modern secure browsing solution can help healthcare organizations prevent cyberthreats and ensure business continuity.
