Cyber and digital healthcare

by Mark Rowe

Vishal Salvi, Chief Information Security Officer and Head of the Cyber Security Practice at the IT services company Infosys, writes about cybersecurity amid the rapid digitization of healthcare.

The healthcare sector has been undergoing digital transformation for some time, and the COVID-19 pandemic accelerated its adoption of cloud services and digital tools. The industry has also seen the emergence of digital-native ‘health-tech’ players that digitize healthcare services. The benefits of this transformation are real, but the attack surface has grown with it, and the stakes are higher than in most sectors: a successful attack can delay medical care or even cost lives.

Since the onset of COVID-19, attackers have set their sights on the healthcare industry, looking to take advantage of the sector at its most vulnerable. The US Department of Health and Human Services reported a 50 per cent year-over-year increase in cybersecurity breaches at hospitals and healthcare providers, pointing to increased targeting of the sector.

Healthcare IT systems are at increased risk because end users often opt for the convenience of telemedicine, healthcare apps and connected devices, sharing personal data with little due diligence. Much medical infrastructure also runs on outdated, heterogeneous systems with well-known security constraints, for example medical devices on unsupported operating systems that cannot be patched without vendor re-certification.

Moreover, the healthcare industry is an attractive target. As providers scale telemedicine and roll out apps, services and connected devices, more protected health information (PHI) becomes available. Such data commands a high price on the dark web because, unlike a payment card, a medical record cannot be cancelled and reissued once it leaks. High-value assets such as vaccine research and development are also targets for commercial and political gain. Given that healthcare is a critical service, and was in the middle of a pandemic, healthcare and service providers need to improve their security posture. Most cybersecurity controls are industry agnostic, but there are nuances the healthcare industry needs to embrace.

Hygiene

Healthcare organizations need to have a zero-tolerance approach to IT hygiene, with systems and governance in place for third-party risk management. The guidelines must be considerably harder for high-risk systems such as life support and for sensitive assets such as vaccine trials. They should keep applications and operating systems up to date, replace outdated or unsupported medical devices (or isolate those that cannot be replaced), and implement security controls for remotely connected devices.

Zero Trust

With the growing adoption of telemedicine and increased remote working by healthcare professionals, perimeter security no longer suffices, and organizations need resilient models that work in the new environment. They should adopt the principle of least privilege, giving each user only the access needed to get the job done, and expose only the required applications for remote access rather than connecting remote users to the corporate network. They should also segment the network so that mission-critical systems such as life support and R&D are kept separate from the rest of the environment, and so that a compromised workstation cannot reach them directly.

Data

Healthcare organizations must focus on data minimization: collect and process only the data that is needed, and anonymize it where possible. To secure sensitive data such as PHI and R&D assets at rest and in transit, they must build automated systems for data identification and classification and for data loss prevention. The industry also needs stricter data access controls, limiting access to the individual, the healthcare provider and, where needed, a government department managing community health, as in the case of COVID-19. Strong encryption and data masking, together with periodic access reviews, help ensure that access remains available only to authorized users.
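The data identification, classification and masking controls described above, as an added example that is not from the article or from Infosys: a small Python scanner that labels the PHI elements found in a free-text record, assigns a classification, produces a masked copy, and applies a simple data-loss-prevention gate before a record may be released into a zone. The identifier formats (a US-style SSN, a hypothetical 'MRN-' medical record number, a DOB field, an e-mail address and a phone number), the three zones and the release policy are all assumptions chosen for illustration, and the sample records are constructed, not real patient data.

```python
"""PHI classification, masking and a DLP release gate (added example,
not code from the article or from Infosys).

Identifier formats are illustrative assumptions: a US-style SSN, a
hypothetical 'MRN-' medical record number, a 'DOB:' field, an e-mail
address and a 10-digit phone number.  A real deployment substitutes the
formats its own records contain (NHS number, insurance ID, and so on)."""
import re
from dataclasses import dataclass

# (label, pattern, masking function).  Masked output is chosen so that it
# does not re-match any detector: a second scan of a masked record finds nothing.
PHI_DETECTORS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
              lambda m: "***-**-" + m.group(0)[-4:]),
    ("mrn",   re.compile(r"\bMRN-\d{6,}\b"),
              lambda m: "MRN-" + "*" * (len(m.group(0)) - 4)),
    ("dob",   re.compile(r"\bDOB[: ]+\d{2}/\d{2}/\d{4}\b", re.I),
              lambda m: "DOB: **/**/" + m.group(0)[-4:]),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
              lambda m: "[email]"),
    ("phone", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
              lambda m: "[phone]"),
]

# Direct identifiers put a record in the most sensitive class.
DIRECT_IDENTIFIERS = {"ssn", "mrn", "dob"}
RANK = {"public": 0, "confidential": 1, "restricted": 2}
# Highest classification each zone may receive unmasked (assumed policy).
ZONE_CEILING = {"clinical": "restricted", "research": "confidential", "external": "public"}


@dataclass
class ScanResult:
    labels: set
    classification: str
    masked: str


def classify(labels):
    if not labels:
        return "public"
    if labels & DIRECT_IDENTIFIERS:
        return "restricted"
    return "confidential"


def scan(text):
    """Identify PHI elements, classify the record and produce a masked copy."""
    labels, masked = set(), text
    for label, pattern, masker in PHI_DETECTORS:
        if pattern.search(masked):
            labels.add(label)
            masked = pattern.sub(masker, masked)
    return ScanResult(labels, classify(labels), masked)


def release(text, zone):
    """DLP gate: returns (decision, payload) for sending a record to a zone.
    Unknown zones are treated as external, i.e. the gate fails closed."""
    if zone not in ZONE_CEILING:
        zone = "external"
    result = scan(text)
    if RANK[result.classification] <= RANK[ZONE_CEILING[zone]]:
        return "allow", text
    if zone == "external" and result.classification == "restricted":
        return "block", None        # direct identifiers never leave, even masked
    return "allow-masked", result.masked


# Constructed sample records (not real patient data).
SAMPLE_RECORDS = [
    "Patient Jane Doe, MRN-00418823, DOB: 03/14/1962, SSN 123-45-6789, contact jane.doe@example.com",
    "Ward 4 staffing roster for Tuesday: 3 nurses, 1 registrar.",
    "Follow-up call made to 555-123-4567; patient reports no further symptoms.",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = scan(rec)
        print(f"{r.classification:12} {sorted(r.labels)}  ->  {r.masked}")
        for zone in ZONE_CEILING:
            print("    ", zone, release(rec, zone)[0])
```

Run it directly to see each record's classification, its masked form and the release decision per zone. The masking functions are deliberately written so that a masked record no longer matches any detector; that property is what lets the gate send a masked copy into a lower-trust zone, and it has to be re-checked whenever a detector is added.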

Secure by Design

Modern organizations need to treat cybersecurity as a consideration from the development stage rather than as an afterthought. This requires secure coding guidelines and practices such as DevSecOps. With threats, vulnerabilities, risks and incidents to be managed at all times, continuous compliance management and prompt patching are essential. Organizations must also build a strong security culture, so that a security-conscious workforce mitigates cybersecurity risks intuitively.

Compliance

The healthcare ecosystem includes multiple partners and vendors in the value chain. In this interconnected but disparate setup, each stakeholder must ensure its own cybersecurity. Organizations need to create and implement effective partner risk management programs to secure data and protect against cyber-attacks. This can be achieved through security posture assessments of partners, followed by risk-based partner segmentation and ‘zero trust’ principles for partner connectivity and access management.

Managed Detection

The cyber threat landscape is constantly evolving, with new threats emerging almost daily. A well-defined playbook for fast detection of, and response to, threats and breaches is therefore critical. Healthcare organizations need to adopt systems that use machine learning and behavioural analytics to detect anomalies and threats proactively, and to build quick containment and recovery processes in order to be cyber-resilient.
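The behavioural analytics this paragraph calls for, as an added example that is not from the article or from Infosys: a Python detector run over constructed electronic health record access logs (not real data). It flags a user who views far more distinct patient records in a day than their own baseline, which is the classic record-snooping pattern, and a user who starts viewing records at night when they never did before. The log format, the thresholds (three times the baseline and at least ten records) and the night window (22:00 to 06:00) are assumptions chosen for the example.

```python
"""Behavioural anomaly detection over EHR access logs (added example, not
code from the article or from Infosys).

Log format is an assumption: 'ISO-timestamp user role patient action', one
event per line.  Two detections are implemented:
  * volume:    distinct patients viewed in a day exceeds max(MIN_COUNT,
               RATIO x the user's median daily count on prior days); a user
               with no history is compared against same-role peers instead;
  * off_hours: records viewed in the night window by a user who never did
               so on prior days.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

RATIO = 3.0       # alert when today's count exceeds this multiple of the baseline
MIN_COUNT = 10    # ...and is at least this large, to avoid noise on tiny baselines
NIGHT_HOURS = set(range(0, 6)) | set(range(22, 24))   # assumed off-hours window


def parse(line):
    ts, user, role, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "patient": patient, "action": action}


def daily_patients(events):
    """{user: {date: set of distinct patient IDs viewed that day}}"""
    per = defaultdict(lambda: defaultdict(set))
    for e in events:
        per[e["user"]][e["ts"].date()].add(e["patient"])
    return per


def baseline_for(user, role, per_user, roles, target):
    """Median distinct-patients-per-day before `target`, from the user's own
    history or, failing that, from same-role peers."""
    own = [len(p) for d, p in per_user[user].items() if d < target]
    if own:
        return median(own)
    peers = [len(p) for u, days in per_user.items() if u != user and roles[u] == role
             for d, p in days.items() if d < target]
    return median(peers) if peers else 0


def detect(events, target_day):
    """Return a list of alert dicts for activity on `target_day` (YYYY-MM-DD)."""
    target = date.fromisoformat(target_day)
    per_user = daily_patients(events)
    roles = {e["user"]: e["role"] for e in events}
    alerts = []
    for user, days in per_user.items():
        if target not in days:
            continue
        baseline = baseline_for(user, roles[user], per_user, roles, target)
        count = len(days[target])
        if count > max(MIN_COUNT, RATIO * baseline):
            alerts.append({"type": "volume", "user": user, "date": target_day,
                           "count": count, "baseline": baseline})
        own = [e for e in events if e["user"] == user]
        prior_night = any(e["ts"].hour in NIGHT_HOURS and e["ts"].date() < target for e in own)
        night_today = [e for e in own if e["ts"].date() == target and e["ts"].hour in NIGHT_HOURS]
        if night_today and not prior_night:
            alerts.append({"type": "off_hours", "user": user, "date": target_day,
                           "count": len(night_today)})
    return alerts


def make_sample_log():
    """Constructed log (not real data): four baseline days of normal day-shift
    activity, then a fifth day on which nurse_a views 30 records, five at 02:00."""
    lines = []
    for day in range(1, 5):
        for user, n in (("nurse_a", 4), ("nurse_b", 5)):
            for i in range(n):
                lines.append(f"2024-03-0{day}T{9 + i:02d}:15:00 {user} nurse P{day * 100 + i} view")
    for i in range(5):
        lines.append(f"2024-03-05T{9 + i:02d}:15:00 nurse_b nurse P{500 + i} view")
    for i in range(30):
        hour = 2 if i < 5 else 9 + i % 8
        lines.append(f"2024-03-05T{hour:02d}:{i:02d}:00 nurse_a nurse P{900 + i} view")
    return lines


if __name__ == "__main__":
    for alert in detect([parse(l) for l in make_sample_log()], "2024-03-05"):
        print(alert)
```

The per-user baseline is what makes this behavioural rather than a fixed rule: a ward clerk who legitimately opens fifty charts a day is not flagged, while a nurse who normally opens four and suddenly opens thirty is. Falling back to role peers for users with no history closes the obvious gap of a freshly created account; in production the baseline window, the ratio and the night window would be tuned per role from real data.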

About the author

Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cyber security strategy across Infosys Group; and the Cyber Security Business Delivery.

© 2024 Professional Security Magazine. All rights reserved.