David Higgins, EMEA Technical Director, CyberArk, shares the following with Hospital Hub
Patients today experience medical services that go far beyond those available to the generations before them. Telemedicine, virtual care, medical devices enabled by the Internet of Things (IoT), and patient communication portals are helping to improve clinical outcomes and provide new models of care in a rapidly changing healthcare landscape. Better technology has now become vital for the NHS instead of a ‘nice to have’, according to Secretary of State for Health and Social Care Matt Hancock.
These developments will clear a path for a higher standard of healthcare, better affordability, and enhanced convenience for patients around the country. But the creation of a complex care delivery network also brings unwanted attention from cybercriminals seeking potential vulnerabilities.
In fact, according to our global threat landscape report, 50% of healthcare organisations reported that a cyber attack impacted their business within the last three years. The study found that the greatest healthcare cybersecurity risks are external attacks such as phishing (cited by 61% of the respondents), ransomware/malware (57%), management of the cloud (43%), and insider threats (41%). Furthermore, nearly 20% of healthcare organisations identified privileged insiders – or user accounts that can access and control vital data and applications – as their number one security threat.
As hospitals and healthcare ecosystems continue to grow and embrace digital transformation, providers need to put an emphasis on protecting highly targeted electronic personal health information (ePHI) within expanding, interoperable care delivery networks.
Transition to cloud
Healthcare organisations are prime targets for attacks because they possess a plethora of sensitive and potentially valuable information—much of it located in the cloud. Just last month the NHS announced their intent to create a nationalised approach for the digitisation of millions of GP records as part of the government’s ‘Cloud First’ policy.
The cloud transition in the healthcare sector has been extensive. Our data indicates that 43% of all healthcare organisations surveyed deploy or store patient data, including data subject to regulatory oversight, in the cloud. Nearly half (46%) are deploying or storing business-critical applications, including revenue-generating customer-facing applications, in the cloud. Furthermore, 45% of healthcare organisations are deploying critical business applications on software-as-a-service (SaaS) offerings – including customer-facing applications, enterprise resource planning (ERP), customer relationship management (CRM), and financial management software.
As more and more functions are moved to cloud and hybrid cloud environments, the security risks only increase. To be clear, use of the cloud is not problematic in and of itself; rather, some troubling cloud-related habits among the organisations adopting cloud-based strategies may be to blame. For example, 35% of healthcare organisations are fully depending on their cloud provider’s built-in security to secure assets, despite not believing it is sufficient. Even more disturbing – a good number of healthcare organisations admit that they didn’t notify their customers when their sensitive data had been compromised as a result of a cyber attack, and 37% said they would prefer to pay a penalty or fine for non-compliance with regulations instead of substantially changing their security strategy.
In fact, complying with data privacy regulations appears to be a major challenge for healthcare companies, with only 40% saying they were prepared for a potential General Data Protection Regulation (GDPR) breach investigation.
As healthcare organisations continue to embrace digital transformation, they need to modernise their security programs to suit this new landscape.
Privileged access management is key
Another key security concern for the healthcare industry is privileged access management. A large majority of organisations (86%) think IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are secured. Yet, 38% of healthcare organisations do not have a privileged access management strategy in place for cloud infrastructure and workloads, and 44% do not have a privileged access management strategy in place for business-critical applications – including customer-facing applications.
The oversight when it comes to privileged access management is likely due to a limited understanding in the healthcare sector of where privileged accounts, credentials, and secrets can exist within an IT environment. Only 24% of organisations recognised that privileged accounts and credentials exist within containers and only 30% said they exist within continuous integration/continuous delivery (CI/CD) tools. That being said, more than one quarter (28%) of all planned security spending in the healthcare sector in the next 24 months will go toward preventing privilege escalation and/or lateral movement, according to the study.
Future-proofing
Every employee, application, and technology impacts the risk profile of an organisation. So, as healthcare organisations such as the NHS seek to enhance their services and complete a fully-fledged digital transformation, IT and security teams must look to understand the impact these efforts have on the security of an organisation’s assets. Once the impact has been recognised and understood, practices can be adapted to suit necessary requirements.
Making successful adjustments to current cybersecurity measures and practices may require new talent, skillsets, and tools, but they are nonetheless vital in protecting assets from advanced threats in the current landscape. Updating tools and managing access to privileged accounts and credentials considerably reduces the moves available to a threat actor or cybercriminal and constricts their path. In a sector with so much at stake, it is key that every piece of the cybersecurity puzzle is in place to completely secure a targeted network. All stops must be pulled out to maintain the critical functions of our most needed establishments.