Digital transformation in the health care sector has been underway for a few years now and the COVID-19 pandemic has only accelerated the rate of adoption. For instance, we’ve seen a massive uptick in telemedicine. The entry of several digital native players in the health care ecosystem has resulted in greater digitalization of the engagement value streams and business processes. Now, there’s greater adoption of cloud-based systems and digital tools in health care, facilitating an ecosystem approach to delivering health care services.
Along with the massive benefits of going digital, the health care industry has also become increasingly vulnerable to cyberattacks. The U.S. Department of Health and Human Services has reported a 50 percent year-over-year increase in breaches at hospitals and health care provider networks.
Because health care operations are so critical, they make an attractive target, both from commercial and political standpoints. Ransomware attacks can bring down mission-critical systems leading to considerable chaos and even loss of life. As health care organizations roll out telemedicine, there’s greater access to remote data because of an increase in online consultations. Sensitive data such as PHI can fetch criminals large sums of money on the dark web. R&D efforts such as COVID-19 vaccine development are easy and valuable targets.
Complex and connected health partner ecosystems consist of varied participants, including patients, physicians, payers, and pharma companies, making them particularly vulnerable. Health care apps, connected devices, and medical devices too increase exposure and vulnerability. Given the increased threat landscape, ensuring cybersecurity has become a critical success factor for any digital transformation effort in health care. The following are six best practices for health care organizations to improve security posture to support their digital transformation goals:
- Implement sound security standards and stricter guidelines.
Organizations must insist on strict adherence to prescribed gold standards for operating systems. This means ensuring up-to-date operating systems and patches with transparent processes for patching and security updates, replacing outdated medical devices, and implementing IoT security measures for remotely connected devices. Also, security teams must harden guidelines considerably, especially for internet-facing and high-risk systems. Older systems with vulnerabilities must get patched. In effect, the team has to have a zero-tolerance approach when it comes to IT hygiene.
- Adopt a Zero Trust model.
Now that the perimeter has shifted towards home offices, organizations need resilient new models that work in the new environment. Apply greater network segmentation to ensure that mission-critical systems such as life support and drug R&D systems are kept separate. Adopt a principle of least privilege so people only get the access they require to get the job done. Practices such as multifactor authentication for admin access and remote access and the use of secure web gateways for remote access instead of traditional VPNs also help. Rather than connecting remote users to the corporate network, expose them only required applications for remote access.
- Instill a data security focus.
Security teams managing remote users should secure data both at rest as well as in transit. Automated systems for data identification and classification can help better protect critical data. Data loss prevention (DLP) systems at email, network, and endpoints can enable real-time loss monitoring. Also, using industry best encryption and data masking solutions and periodic access reviews can help ensure that only authorized users can access data.
- Build security in by design.
Companies should build-in security right from the systems development stage. Establish secure coding guidelines, and embrace practices such as DevSecOps and email security (phishing, malware protection). Security teams also need to practice continuous compliance management using vulnerabilities identification and real-time patching. Proactively evaluating devices connected to the network and applying appropriate controls regularly can reduce the threat surface.
The team should focus on managing threats, vulnerabilities, risks, and incidents at all times. Nurture security culture actively through certifications, awareness campaigns, quizzes on phishing and social engineering attacks. Each employee needs to understand the rules and responsibilities towards maintaining security. The culture should reward good behavior and reprimands bad behavior.
- Develop a compliance and risk management program for vendors and business partners.
The health care ecosystem includes many players and they all have to take security seriously. Toward that goal, the organization should develop an effective partner risk management program to secure data and protect against attacks. This should include security posture assessments for partners and risk-based partner segmentation. Base connectivity and access management for partners on zero trust principles, with systems and governance in place for third-party risk management.
- Embrace managed detection and response.
New threats emerge every day. Therefore, health care organizations need to have mechanisms to detect breaches and recover immediately, no matter how robust their systems. They need to adopt behavior-based anomaly detection and sandboxing for threats not detected using signature-based systems. Well-defined playbooks for fast detection and response are also critical. AI systems can play an important role in reducing false positives and proactive threat hunting. Finally, becoming cyber-resilient depends on the ability to recover quickly.
There are any number of moving parts in the health care delivery process, so the success of any digital transformation initiative depends on developing a comprehensive response to today’s many cybersecurity threats. Companies that follow these practices will stay secure and have a stronger chance of meeting their digital transformation goals.
Vishal Salvi, senior vice president, chief information security officer and head of the cyber security practice, Infosys