The Essentials of Healthcare Cybersecurity
There is no “done” in cybersecurity, just best practices and consistent evolution and learning
Shena Seneca Tharnish joined Comcast Business Services as VP, Cybersecurity Product Management in late February 2017. In Shena’s time at Comcast Business, she has developed a Cybersecurity Product Framework that drives the commercial product roadmap. Cyberattacks and data breaches can be devastating for healthcare organizations. What type of Cybersecurity should be in place to plan for, predict and protect against these attacks?
ST: Superior IT security is a fundamental requirement for any healthcare institution. COVID-19 forced many businesses, not just healthcare, to reconsider how they would support and secure sensitive data and network entry points that are vulnerable to malicious attacks or internal threats. The “Internet of Medical Things” carries sensitive data. Networks need multiple layers of defense and should include robust firewalls with advanced security functions that can further protect healthcare information. Through an effective network foundation and security management processes, IT can ensure that key systems and information are protected. Moving to a Software-Defined Wide Area Network (SD-WAN), IT can enable the provisioning of new connections, networks, and transport protocols to accommodate shifting users across multiple locations. Access control and management, as well as network monitoring can further prop up an organizations’ cybersecurity posture to help prevent unauthorized access, either from unauthorized users within the business, former employees, or people outside the organization. Some essentials of cybersecurity are:
• Secure VPN: By providing a secure VPN tunnel between endpoints, IT security pros can lessen the threat posed by devices connecting to their private network via the public Internet. VPN helps protect sensitive data while online due to encryption and access control features.
• Zero trust: To be safe, a zero-trust framework assumes no trust in a network, device, or identity and requires those accessing resources to verify legitimacy. Zero trust also leverages identity and access management technologies to assign appropriate access permissions to everyone in the organization. For instance, an employee working in accounting may not require access to sensitive treatment data. Nor would the medical team need access to payment records or cost information.
• Multi-factor authentication: Two-factor authentication is a subset of multi-factor authentication, which requires more than two pieces of evidence to authenticate a user. For instance, some access requires entering a code sent to a specific user’s device after entering their username and password. By enabling multifactor authentication, access can be prevented, despite a hacker obtaining a username and password.
• Mitigation and remediation tools: Real-time system monitoring, unified threat management (UTM) functions, DDoS mitigation solutions, and managed security services are effective tools to help keep cybersecurity threats at bay. Creating a perfect security system is near impossible. What can hospital leaders do to stay informed about cybersecurity threats and ensure they are staying on top of the most up to date security methods? ST: Healthcare institutions should partner with experienced, reputable, solution providers who can share thought leadership and integrate the latest cybersecurity solutions into existing infrastructure, or work with decision makers to create a comprehensive “Defense in Depth” strategy that assesses the distributed network, internal infrastructure, and systems and services. Partnering with a Services Provider that can deploy software defined or cloud-based solutions that enables your IT and Network Security Teams with central control to roll out configuration changes easily – pivoting and adapting to situational changes is also effective. Whether cybersecurity is fully managed, co-managed or self-managed, having a trusted partner who understand your needs, infrastructure and your budget, will help protect the organization and help prevent breaches or downtime from cyber-attacks. Implementing employee training is essential to successful cybersecurity use. What kind of training is needed to enable employees to both feel safe and comply with security directives? ST: IT security professionals can prevent problems by educating end users on the dangers of clicking on links in emails or visiting unsafe websites. Having an easy-to-understand and enact cybersecurity policy should be taught and accepted in writing by every employee. Then, random testing can take place to ensure the training has been effective. To err is human, however, which is why security leaders must build their infrastructure and network in a way that verifies systems, services, and users before enabling secure connectivity and access. There is no “done” in cybersecurity, just best practices and consistent evolution and learning. This Executive Insight was produced and brought to you by: