Digital transformation is well underway in healthcare. But this transformation has brought an increase in number and type of cyberthreats, which pose significant risk to an organization's revenue, brand, patient safety and more. These threats have in turn led to an increased focus on cybersecurity.
At Becker's Hospital Review's 13th Annual Meeting, at a roundtable sponsored by Fortinet, Troy Ament, chief information security officer, healthcare, at Fortinet, facilitated a discussion about the range of cybersecurity issues facing healthcare organizations today and how Fortinet solutions can help address these challenges.
Four key takeaways were:
- Healthcare faces increasing cybersecurity challenges. The explosion of telework and the growing use of cloud computing has exponentially expanded the attack surface for threat actors. However, resource allocation within healthcare is often more often focused on lowering technical debt rather than investing in cybersecurity for new infrastructure. In addition, burdensome change-management processes can have an unintended negative impact on cybersecurity. The vulnerabilities created by these challenges are especially concerning given the proliferation of targeted attacks and insider threats — especially costly ransomware.
- For providers, the greatest impact of a successful attack is on operations. In 2021, 55 percent of healthcare organizations experienced a technology or business disruption due to a security incident, which caused minimum downtime of one to four weeks.
Attackers often go after the underlying infrastructure and networks that support all of the systems in an organization. This not only brings operations to a halt in the immediate aftermath of an attack but also has a ripple effect, impacting operations down the chain and over a long period of time. "The huge disruption within an organization is because everything's connected . . . and our ecosystem is dependent upon that integration," Mr. Ament said.
- Sophisticated cyber-adversaries continue to adapt. Telehealth and virtual visit platforms have become significant assets for patients, physicians and for health systems' bottom lines. However, adversaries use that knowledge as leverage in ransomware negotiations, calculating ransoms based on estimated revenue loss for an organization.
Attackers have also grown more sophisticated about healthcare operations, using detailed knowledge of EHR environments to access health records of targeted individuals, such as board members or specific patients. "The adversaries are ruthless," Mr. Ament said. "They just want to get paid."
- Health systems must apply cybersecurity best practices throughout their ecosystem. In addition to robust asset management, organizations can implement a zero-trust approach to protect systems against both internal and external threats. Developing and implementing end-to-end security that ensures regulatory compliance and conducting regular employee cybersecurity training are key steps to reduce risk. "We see a lot of organizations with — through M&A — a lot of different security within their environment and a lot of different networks. Simplifying and consolidating is important," Mr. Ament said. It is critical that any third parties in a health system's ecosystem are held accountable to the same standards to ensure consistent security across the entire ecosystem.
Cybersecurity is a real concern for healthcare. Among healthcare organizations, 75 percent are adopting new or improved security measures, but tight budgets and lack of expertise can hinder progress in strengthening security.
Fortinet brings healthcare organizations detailed, industry-specific global threat intelligence and incident response to help improve cybersecurity as well as deep knowledge of grants that provide cybersecurity infrastructure reimbursement, to ease the financial burden. If you would like more information please reach out to healthcare@fortinet.com