Increasingly, healthcare organizations are the targets of cybersecurity attacks. While securing and controlling the complex health IT environment is difficult, taking a holistic approach that addresses vulnerabilities from the front line to the back office can help.
During a May 27 webinar hosted by Becker's Hospital Review and sponsored by Imprivata, three Imprivata experts discussed health IT security best practices:
- Al Colon, Director of information security
- Troy Kuehl, Vice President of engineering
- Jesse Myers, Vice President of IT and security
Four key insights:
- Healthcare organizations face significant security and compliance-related hurdles. Cybercriminals recognize the value of healthcare data. Protected health information and personally identifiable information can be used to blackmail people, write fraudulent prescriptions and more. While healthcare cyberattacks are on the rise, many IT services have moved to the cloud, making the healthcare technology ecosystem more complex than ever. "Even before COVID-19, healthcare organizations had many remote users," Mr. Kuehl said. "Employees routinely use shared workstations, networked medical devices, smartphones, tablets and more to support clinical workflows." From a security standpoint, organizations' focus must include physical and virtual security, risk assessments and identity governance.
- As healthcare employees change roles, identity management requirements grow. During the pandemic, employees at many health systems took on new roles and responsibilities to meet COVID-19-related surges. Generally speaking, healthcare organizations have long-time employees whose entitlements stack up; without strong identity management systems, staff members can end up with more permissions than needed especially if new employees’ access rights are based on existing employees’ profiles. This increased the risk exposure associated with potential security incidents. Healthcare organizations must invest in robust identity governance systems, so they can provision employees correctly on Day 1,add entitlements for new roles and restore original ones if necessary, and remove employee entitlements from prior roles and when employees leave the organization.,. "Our CTO often says identity is the new control plane," Mr. Myers said.
- Looking ahead, organizations must adopt continuous security and risk assessment processes. In the wake of the pandemic, remote work, telehealth, and usage of health portals are unlikely to go away. To keep pace, Imprivata is constantly endeavoring to raise its bar on security processes, while simultaneously ensuring user efficiency. "We can't become dependent on physical hardware sitting in a data center," Mr. Colon said. "We need to deliver a security experience from anywhere using the cloud. In addition, we need to abandon the crunch of periodic security audits and find a way to be in audit mode continually." Imprivata is also looking at tools to support continual risk assessment.
- Integrated health system CIOs need to ask IT vendors tough security questions. It's essential to understand vendors' internal security practices, including those related to vulnerability management, patch management, encryption and posture checking on VPNs. Vendors also need an agreed-upon threshold for data loss protection analytics. "When we talk about cloud services, we're looking for exfiltration and unusual activity," Mr. Myers said. "More and more often, DLP (data loss prevention) becomes a core level of investigation. I would want key vendors to have that tooling." On the application side, software composition analysis is crucial to identify what open source code vendors are using and how it's used. Threat modeling is also essential. "Are vendors having internal conversations about the security of the applications they're building? If so, they probably have a culture of security," Mr. Kuehl said.
To view on the ondemand webinar, click here.