Lessons in how to remove complexity to achieve a secure healthcare architecture
Healthcare organizations are continuing to evolve and deploy more complex digital-first strategies. At the same time, there is pressure to prioritize business needs over security posture, resulting in greater overall risk. During a recent webinar moderated by Claire Broome, Global Healthcare Lead for Akamai, speakers Steve Winterfeld, Advisory CISO at Akamai; Chris Notaro, Co-Founder of Untangle Health; Jigar Shah, Head of Security at R1 RCM Inc.; and Alex Rodriguez, Interim VP and CISO at Hartford Healthcare, shared best practices for balancing innovation and cybersecurity threats.
1 Healthcare technology companies should be reducing complexity
Healthcare technology companies are greatly contributing to the industry transformation underway. Unfortunately, too many tech companies don’t take the time to understand how they can help their healthcare clients reduce complexity, resulting in solutions that are unhelpful or cumbersome to use. To avoid this problem, tech companies should reflect on their role in healthcare and develop clear messaging that demonstrates their ability to bring more order to the chaos.
2 Segmentation is a key cybersecurity solution
As healthcare adopts digital-first solutions, unstructured data and third-party data become bigger problems for providers to manage and protect. An effective way to gain protection is agent-based segmentation, which segments the workflow so that the various data flows and potential threats become visible. Akamai’s solution, Guardicore, uses segmentation to provide needed visibility and insights into the security of data across an enterprise.
3 Segmentation enables effective risk management
Not every medical device a healthcare provider uses can have an agent installed to monitor potential threats. The Guardicore solution enables information coming from such a device to be segmented to a single area the organization can monitor, and it prevents any threats that penetrate defenses from spreading. This allows organizations to manage risk. It’s unrealistic for providers to fix every single area of vulnerability, so solutions that offer clear visibility into data and potential threats are crucial.
4 Conduct security due diligence with tech companies before partnering with them
Prior to signing a contract with a technology company, providers, payers and life sciences companies should ask how the solution provider will account for the security of its solution and data. The sales team may have basic information to share, but setting up a quick conversation with an expert who can speak more granularly about security is valuable. When considering new vendor partners, it’s also important to have a clear understanding of what your organization is trying to solve, along with clear evaluation criteria, including definitions of security models such as zero trust. If the company’s security capabilities don’t align with your security definitions, it’s likely a sign they aren’t the right fit.
5 The future of cybersecurity will focus on patient access and interoperability
As part of the 21st Century Cures Act, healthcare providers are required to offer patients access to their healthcare data through a common set of Application Programming Interfaces (APIs). This puts added responsibility on providers to protect patient data. They can do so by bolstering third-party risk programs and adding administrative controls before allowing data to leave the organization. Moreover, as APIs add more complexity to security, choosing technology vendors that prioritize interoperability and cross visualization will be crucial to helping providers easily assess where their security risks are located.