Risk Assessments/Management, Security Strategy, Plan, Budget, Training

With resources scarce in many rural areas, security leaders struggle to properly protect health systems

Rural hospitals, including those in rural areas of New Mexico like Roswell, face substantial budget issues. (“Welcome to Roswell.” by cfiesler is licensed under CC BY 2.0)

Securing health care is an uphill battle with providers balancing the need to drive innovation with simultaneously keeping patients safe from security and privacy risks. But the challenges facing small, rural, and other under-resourced providers are burdensome when many lack the budgets and staff to adequately secure the network.

And with those limitations, often, advice from security leaders may not even be relevant to the environment.

Eric Jimenez, chief information officer for Artesia General Hospital, confirms rural hospitals like his face substantial budget issues. The standalone hospital serves patients from Roswell, Carlsbad, and Artesia in southeast New Mexico, located about 40 miles north of Carlsbad.

But the biggest challenges facing entities with constrained resources is the lack of knowledge and education, overall.

These hospitals understand the need to secure the enterprise for compliance purposes and to keep pace with the threats, “but they don’t always know how.” Jimenez explained that IT leaders often struggle to convey the importance of cybersecurity to the business, while the CEO and chief financial officer sometimes see cybersecurity “as more of a toy than a tool.”

As a result, IT leaders are burdened with attempting to provide the C-suite with an understanding of just what security tools do, why they’re needed, and how the use will protect patients, at the end of the day.

Cost is another key challenge, with rural hospitals facing more substantial budget issues than in urban environments.

“IT personnel are underpaid and overworked in rural areas,” Jimenez explained. “When I came to Artesia seven years ago, our systems hadn’t been updated in years. They did not have Windows or application update processes in place. The team just didn’t have the knowledge or time to setup update processes.”

“Fast forward to now and we fight the battles differently. With new vulnerabilities found daily, we can keep up the pace and identify threats. This helps prevent disruption for end users,” he added.

Evaluating the threats

From a vendor’s perspective, health care’s largest challenges are the scale and pace of attacks, which can easily outpace and overcome smaller or under-resourced security teams. Marcus Fowler, director of strategic threat at Darktrace, explained that the evolving attacks and methods are overwhelming the evolving business environments brought on in the last year.

This includes the shift of provider environments and digital infrastructure into the cloud or Security-as-a-Service model, which has drastically reduced visibility and entities’ preparedness to fend off attacks.

“These challenges are compounded by the fact that some healthcare institutions have been slow to prioritize cybersecurity,” said Fowler. “This recognition of risk and need is quickly changing as they face the escalated rate of attacks and face ransomware groups targeting the healthcare vertical directly.”

As a result, many under-resourced providers are struggling to improve defense capabilities at the same pace of escalated risks.

“With limited resources, organizations need to focus on areas with the most risk and those that are most central to business operations rather than all business areas,” he explained. In rural health care environments, email security should be the top priority to improve workforce understanding as social engineering attacks become more sophisticated.

Those teams looking to technologies to support the overall cybersecurity needs should consider the implementation of email security tools that can support educational efforts. Fowler noted some key recommendations for providers to better understand the threats they’re facing, which starts with evaluating and prioritizing cybersecurity risks to business operations. 

Other influential methods include tech able to improve cyber hygiene and reinforce patching processes. Fowler added that tools able to provide better visibility and understanding of operational environments — whether in the cloud, on SaaS platforms, or on-premises — will help organizations to better understand their risk and mitigate vulnerabilities.

Further, entities will need to evaluate vulnerabilities within its people and processes, by evaluating the technologies heavily used by the workforce to determine their posture and how to more effectively defend against these attacks.

To combat the staffing challenges at Artesia General, Jimenez said they implemented AI tech that augments the awareness of his IT team and the ability to thwart or disrupt attacks, while conducting “the initial investigative and triage work necessary following security events that can save critical human resources.”

The AI tool has reduced the burden on the security team and frees up time to focus on more meaningful tasks, he continued. It also enabled the business leaders to reevaluate the skills required of full-time staff to then hire more junior team members.

With gaps in staffing and overall understanding, training programs around cyber could have a large impact to rural health providers, explained Baha Zeidan, founder and CEO of Azalea Health. Many of these hospitals already have ample training around patient privacy.

But providers should take it up another step to train the front desk, billing, and clinical staff on the basics of cybersecurity on an ongoing basis to elevate the cyber posture of the entire organization. Zeidan noted that it should follow similar processes for patient privacy and compliance with the Health Insurance Portability and Accountability Act.

Steady training could go a long way in combating some of the more frequent human errors that lead to significant data breaches or an entrypoint for further attacks.

“Eventually cybersecurity is going to be a public health issue if the government doesn’t step in and continue to monitor, help regulate, or provide some sort of protection for the small- to medium-size health clinics or hospitals,” said Zeidan.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.