Cybersecurity in Distributed Care: The C-Suite’s Guide to Balancing Increased Patient Access & Heightened Risk

Cybersecurity has become a top-of-mind issue for the healthcare C-suite. Distributed care delivery models — which bring care to patients virtually or physically, outside of traditional care facilities — are complicating the cyber landscape. While this care model can greatly improve patients’ access to care, it also creates a larger attack surface for cybercriminals to target and increases an organization’s cybersecurity risks.

The good news is that IT security best practices, when properly employed, can help mitigate this added risk by reducing system complexity and eliminating inefficiencies, enabling a more consistent, secure and reliable digital experience for clinical and nonclinical staff.

Becker’s Hospital Review recently spoke with two cybersecurity experts from Palo Alto Networks — Tony Douglas, regional vice president, U.S. Enterprise Healthcare, and Lee Gardner, healthcare security architect — about the importance of employing cybersecurity best practices in distributed care models and key points that healthcare leaders need to know.

Distributed Care Expands Patient Access, but Also the Attack Surface

The COVID-19 pandemic prompted the healthcare sector to experiment with different approaches to care, using various technologies to connect clinicians and patients. Hospitals and health systems confirmed it’s possible to deliver effective care in non-traditional ways.

“As organizations deploy technology to support neighborhood clinics or hospital-at-home initiatives, they must ensure that cybersecurity is a top priority,” Mr. Douglas said. “If we don’t get in front of this, it will increase risk for the industry as a whole.”

When care moves outside of a healthcare facility, the security perimeter moves closer to patients. If patients interact with an online coach or engage with a remote pop-up clinic, for example, cybercriminals may listen in on communications. Security is also a concern when transferring data to a central health system or storing it locally.

“Patients trust that healthcare organizations will safeguard their personal information,” Mr. Gardner said. “A primary mission for healthcare systems and providers is to do no harm. If a health system fails to protect a patient’s data, that can do irreparable emotional and financial damage. As you extend care into the community, you need the right cybersecurity controls in place to protect individuals’ information.”

To Stay Ahead of Cybersecurity Challenges, IT Needs a Strategic, Top-down Approach

Traditionally, cybersecurity has been pushed from the bottom up in organizations. However, in today’s world, IT and network security must also be pushed from the top down.

IT leaders need a prominent seat at the table whenever the C-suite is making decisions, whether it’s a cloud transformation initiative, a change to the EHR or deploying network-connected medical devices.

“This ensures that organizations enforce IT security best practices at the time that decisions are made,” Mr. Douglas said. “They can address any potential risks or vulnerabilities early on. It’s essential that this occurs, given the growing number of cybersecurity breaches in healthcare.”

Cybersecurity must be integrated into every area of the organization, including biomedical science, research labs, clinics and nonclinical areas. At the same time, cybersecurity measures need to be aligned with the organization’s overall business objectives.

Healthcare IT and business teams should actively collaborate to provide a secure, well-connected and consistent digital experience for patients and providers. That can only happen if security is front of mind and fully integrated into programs.

“Cybersecurity needs to be part of every project that’s implemented,” Mr. Gardner said. “Education and awareness must be pushed from the top down so that everyone understands that cybersecurity is their responsibility. If you can prevent even one cyber incident from happening through good education and communication, that’s a win.”

Standards-Based Frameworks Should Guide a Platform-based Approach

To continuously assess their IT risk, hospitals and health systems need to adopt a standard security framework. For example, organizations may decide to use the NIST Cybersecurity Framework (CSF) or HITRUST as the basis for measuring risk and evaluating adherence to IT security best practices across the entire technology landscape. “By using a framework, you can identify trends over time and see where the organization is making progress and where more attention is needed,” Mr. Douglas said.

These frameworks also help facilitate communication about cybersecurity. They enable IT practitioners to explain programs and risks to senior executives in a consistent way, using terms that are understandable. “At the end of the day, awareness is key,” Mr. Douglas said. “You need to get ahead of cybersecurity issues and communicate them effectively to the board and senior executive team.”

Mr. Douglas explained why moving to a platform-based security program is also more effective than a security architecture based on multiple point solutions. “If I were to give any advice, it would be to avoid the point product concept,” he said. “You need a security platform. If you safeguard new capabilities by tying them into a platform, you can ensure that consistent security is applied.”

Amid Healthcare Mergers, the Importance of Cybersecurity Can’t Be Underestimated

As healthcare mergers and acquisitions continue, organizations’ cyberattack surfaces grow. Proactively addressing security issues as part of the M&A process is essential. “A health system that used to have strong cybersecurity can inherit gaps through M&A activity,” Mr. Gardner said.

Mr. Douglas agreed. “If a healthcare organization has an imperative to grow through acquisition, the leadership must proactively conduct due diligence in a way that keeps IT security in mind,” he said. “If you move forward with an acquisition and then integrate an organization with poor cybersecurity, the entire organization’s networks will now be vulnerable.”

To prevent data breaches, it’s important for hospitals and health systems to have controls in place to monitor security anomalies and raise alerts.

“We recently worked with a healthcare organization that proactively detected and prevented a cyberattack,” Mr. Gardner said. “A disgruntled employee at a business partner remotely accessed equipment with the intent of doing harm. Fortunately, the organization had deployed monitoring systems. This prevented the bad actor from accessing other network devices. When the tooling saw the activity, alerts were raised.”

Robust IT Security Can Prevent Disruptions in Care, Compliance & Budgets

When a healthcare organization experiences a cyberattack, it can have significant negative repercussions — and as more health systems become technology dependent, these repercussions increase exponentially if security measures are not bolstered accordingly. Mr. Douglas recalled a recent example of a Midwest hospital that shuttered permanently due to the financial impact of a ransomware attack.

“If an organization sustains an attack and doesn’t have the proper remediation processes in place, it may have to divert patients to other healthcare systems,” Mr. Douglas said. “So now, you’re not only losing new patient revenue but potentially losing medical staff to other hospitals that aren’t experiencing the same issues.” He emphasized how breaches also affect hospitals’ ability to recruit and maintain top talent — which often isn’t acknowledged. Like any system, he said, these factors are interconnected.

Further, cyberattacks erode patient trust and damage the organization’s brand. “Patients will be reluctant to visit a hospital or health system that has suffered repeated data breaches,” Mr. Gardner said.

Palo Alto Networks Helps Hospitals & Health Systems Minimize the Risk of Cyberattacks

Palo Alto Networks is a pure play cybersecurity company, meaning it is highly competent in and focused on cybersecurity, and has built a platform that helps healthcare organizations evolve to distributed care models. This enables organizations to pursue secure cloud transformation and SaaS-based applications with confidence and security in mind.

“Our platform-based approach to security allows us to sit down with care providers and assess their IT landscape,” Mr. Douglas said. “We create solutions that help organizations drive efficiencies by consolidating many of their point technologies.”

Growing health systems appreciate that Palo Alto Networks’ platform is an acquisition-ready architecture. “We work with organizations after they’ve acquired a facility and we drive a time-to-value equation,” Mr. Douglas said. “As a result, they can integrate facilities as quickly as possible, without compromising security.”

Palo Alto Networks’ Unit 42 serves as a strategic security advisor, proactively helping healthcare organizations avoid potential attacks. Unit 42 provides hospitals and health systems with the appropriate playbooks, so teams can respond rapidly if a compromise occurs. Healthcare leaders also turn to Unit 42 to conduct tabletop exercises that simulate a cyberattack. This enables teams to practice remediation measures.

Progressing in the ‘New Normal’

In today’s world, cyberattacks are an unfortunate reality. It’s not a matter of if a cyberattack will occur, it’s only a matter of when one will occur and whether the organization is properly prepared. Palo Alto Networks works with many healthcare organizations across the U.S. to ensure they are well prepared to address the inevitable cyberattacks and to minimize the impact.

“Robust cybersecurity helps hospitals and health systems adhere to their mission,” Mr. Gardner said. “Trust in the organizations and professionals providing care is essential; therefore, safeguarding the patient data they have been entrusted with is paramount to all health systems and caregivers. Your IT teams and C-suite leaders will sleep better at night knowing that they’ve done their due diligence around cybersecurity.”

To learn more about cybersecurity in distributed care settings, read Palo Alto Networks’ case study on Clearwater, Fla.-based BayCare Health System and their prescription for protecting more than 33,000 devices across its 160 locations — including 15 hospitals — staffed by 25,600 employees.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.