As digital transformation becomes more widespread, electronic data is playing an increasingly important role in healthcare organisations. This data must be kept confidential, its integrity must be preserved, and it must be secured, while still being readily accessible whenever needed. People should be able to access healthcare without worrying about their privacy, safety and security — which in turn means healthcare systems need to be absolutely transparent in order to address the concerns of patients worldwide. If electronic data is not properly protected, the consequences for clinical care and for the overall operation of healthcare institutions can be devastating.
A healthcare organisation’s greatest asset is patient data. As such, it is crucial for healthcare organisations to have a security solution in place to protect it. Cyberattacks on healthcare are attacks on people!
Cyberattacks in healthcare are becoming more and more common. In fact, hospitals are now the target of more cyberattacks than any other type of business. There are a few reasons for this. First, hospitals have a lot of sensitive data that hackers can use to exploit patients or commit identity theft. Second, hospitals are often reliant on outdated technology, making them more vulnerable to attacks. Finally, hospitals are usually understaffed and overworked, making it difficult to keep up with the latest cybersecurity threats.
IT security incidents in Healthcare institutions between 2020-2022 (EU)
There is a shortage of cybersecurity experts in the market, so how do you address this problem?
According to a report by Gartner, the number of jobs for Infosecurity professionals will reach 3 million by 2021, and the shortage will reach 1 million by next year (3).
Cybersecurity experts are constantly uncovering new technologies and methods to secure our systems, and criminals are constantly trying to circumvent those same protections. Attacks are becoming more sophisticated and more and more personal (2).
We’re now seeing a new trend emerging that addresses this struggle: the idea of shared responsibility. This is a revolutionary shift in thinking around the vendor-client relationship — one that has the potential to revolutionise the way organisations interact with each other for years to come.
In practice, this shift is about the transition from the security “of” the cloud to the security “in” the cloud. Don’t be fooled: I know it sounds the same, but these are two separate forms of security. The first one is about protecting the organisation’s perimeter, while the second one is about securing the data and its residency (the logical perimeter).
Gartner estimates that through 2025, 99% of cloud security failures will be the customer’s fault (5). The shared responsibility model helps organisations focus more on user/employee awareness and leave the operational burden of IT security to the cloud provider.
Education is Cybersecurity’s Achilles Heel
There are two main approaches to improving cybersecurity: security controls and education. Security controls involve implementing technical measures to make it harder for hackers to penetrate systems and networks. On the other hand, education focuses on raising awareness among users to spot potential threats and take steps to avoid and report them. Both approaches have their merits, but education is generally more effective in the long run. This is because security controls can only do so much to prevent attacks. Ultimately, both are important and should be given equal attention.
Healthcare organisations should focus more on building their cybersecurity programme by implementing awareness programmes and tuning organisational processes. But is it really this way? Well, not according to a survey run by Mimecast (1), which can be summarised by the following sentence: “Companies want more cyber-aware employees, but they haven’t stepped up to train them”.
Counterintuitively, this is especially true for the highly vulnerable healthcare and public sectors. For instance, while 54% of respondents said their company offers group training sessions to employees, only 50% from healthcare organisations and just 44% from the public sector said the same.
Likewise, while 39% of all survey respondents indicated that their company offers one-on-one security training sessions to employees, this was true for only 35% of healthcare sector respondents and a mere 26% of those from the public sector.
On the bright side, those organisations with a cyber programme in place are faring better. For example, while fewer than one in four (23%) of the survey takers said that their company provides cyber awareness training regularly, the number rose to more than a third (36%) for those from companies with a cyber preparedness strategy.
Security Controls: How to do it right even when nobody is watching?
Securing an ICT system requires several measures to be implemented on different layers.
- Basic security controls:
  - Anti-virus/malware
  - Security awareness training
  - Data loss prevention
  - Backup and restoration of files/data
  - Encryption at rest & in-flight
  - Encryption for archived files/data
  - Firewall, Intrusion Detection and Prevention Systems
  - Incident response plan
  - Mobile device management
  - Policies and procedures
  - Secure disposal
  - Vulnerability management programme/patch management programme
  - Web gateway
- Advanced security controls:
  - Threat intelligence sharing
  - Anti-theft devices
  - Vulnerability scans
  - Multi-factor authentication
  - Business continuity and disaster recovery plan
  - Network segmentation
  - Penetration testing
Additionally, the industry relies more and more on healthcare IT to streamline operations and improve patient care. However, with the increase in health data being stored and shared electronically, the need for stronger security measures is also on the rise. Fortunately, the cloud is providing new opportunities for healthcare IT to become more secure.
How Healthcare IT is Becoming More Secure with SaaS and IaaS
There are three main types of cloud computing as-a-service options (IaaS, PaaS and SaaS). Today I will mainly focus on the SaaS and IaaS models, because we do not expect healthcare organisations to use PaaS in the near future. In the diagram below, you can see how the security management responsibility is shared between the healthcare institution and the vendor.
Traditional vs. Cloud deployments – security management comparison
The benefits of IaaS in healthcare
This cloud computing model makes it simpler and faster to deploy computing workloads. Because IaaS is pay-as-you-go, it can also be much more cost-effective for healthcare organisations. IaaS can also alleviate healthcare providers’ IT management burden while providing the scalability to grow computing resources when necessary, without the capital expenditure or the burden of having to hire additional staff.
Securing IaaS
When it comes to securing IaaS, it is important to consider both the responsibilities of the cloud service provider and the customer. The cloud service provider is responsible for managing the security of the underlying networking, storage, servers, and virtualisation, while the customer is responsible for managing the security of everything running on top of the infrastructure, such as the operating systems and middleware, data and applications. By working together to ensure all security aspects are taken into account, IaaS can be a secure and reliable option for businesses.
Software-as-a-Service (SaaS)
Cloud-based software, or software-as-a-service (SaaS), has become increasingly popular in recent years as businesses move away from traditional on-premises software solutions. SaaS provides many advantages over on-premises software, including increased flexibility, scalability, and lower up-front costs.
The benefits of SaaS in healthcare
The healthcare industry is always changing, so SaaS could be a better option because the software is already set up, secured and deployed to a secure environment. This reduces the time needed to get the software up and running, which could deliver a return on investment faster than traditional methods. Additionally, this cloud infrastructure could also lead to lower costs and the ability to scale when necessary.
How to secure SaaS
SaaS security is a massive topic with many complexities. Unlike in traditional on-premises software deployments, the security responsibility in a SaaS deployment is shared between the customer and the service provider. The provider is responsible for securing the infrastructure and delivering the service, while the customer is responsible for managing access to the application and ensuring that only authorised users and third-party applications can access it.
Going SaaS means the customer relies on the SaaS vendor to manage IT security and compliance processes. Parsek, together with Open Line B.V., has a proven record in safeguarding healthcare data using the following key IT controls:
- Access Management: Controlling who can access your cloud deployment, and with what permissions, through a unified user authentication and authorisation framework.
- Network Control: Granular security groups control which users and systems can reach specific instances across the network and its subnetworks.
- Perimeter Network Control: Fine-tuning firewalls and IDS/IPS systems so that only legitimate traffic is allowed in and out.
- Virtualisation Management: Continuously updating standardised VM images to keep the time between a breach and the resulting patch to a minimum.
- Data Protection: Keeping data encrypted in transit and at rest is key to preventing a data breach.
- Governance and Incident Management: Incidents must be captured, reported and tracked to closure. The Parsek and Open Line NOC and SOC are investing in rolling out a unified SIEM solution.
- Availability & Reliability: Your services and data must be available 24/7/365, so we deliver business continuity measures such as power and WAN redundancy, backups, and automatic scale-up and scale-down procedures for periods of increased demand. Finally, a disaster recovery plan must be in place for replicating data and services in the event of a natural or human-induced disaster.
You can’t improve it if you don’t acknowledge it
Those responsible for managing IT Security can’t afford to be complacent: they need to understand the different types of cyber risk, build a comprehensive cyber security strategy and implement the right processes and tools to tackle this challenge.
There are many potential benefits to using a SaaS solution for addressing growing IT security challenges. By delegating the most demanding ICT security operations to experts, you can focus on the non-IT aspects of cybersecurity threat prevention. This can help you create a more comprehensive and effective overall security strategy.
Let us be your partner in preventing cybercrime
Every organisation has a different set of requirements, expectations, and goals. Parsek, together with Open Line B.V., is investing tremendous effort in staying ahead of the curve through extensive experience and industry know-how in secure software development, network operations centre management, secure configuration management, ITSec compliance (ISO 27001, NEN standards, Cyber Essentials, etc.) and, lately, implementing a holistic SIEM approach. By focusing on these core services, we have been able to proactively address potential threats and have a proven track record of security, availability, confidentiality, and integrity of services.
Doing it together by splitting duties and responsibilities is the only sustainable way to do ITSec right, even when nobody is watching. If you’d like to know more about how we can help you support the highest level of healthcare IT security, feel free to get in touch: sales@parsek.com.
Miloš Cigoj,
Quality and Compliance consultant
References
1. Mimecast, 2022. State of Email Security. Accessible via: https://www.mimecast.com/state-of-email-security.
2. Verizon, 2022. Data Breach Investigations Report. Accessible via: https://www.verizon.com/business/resources/reports/dbir/interactive/industry/healthcare.
3. Gartner, 2021. Gartner Survey Reveals Talent Shortages as Biggest Barrier to Emerging Technologies Adoption. Accessible via: https://www.gartner.com/en/newsroom/press-releases/2021-09-13-gartner-survey-reveals-talent-shortages-as-biggest-barrier-to-emerging-technologies-adoption.
4. CyberPeace Institute, 2022. Cyber Incident Tracer. Accessible via: https://cit.cyberpeaceinstitute.org/explore.