Protecting vulnerable healthcare IT infrastructure in the face of growing cyber-risk
January 2023
In early 2020, healthcare organisations and providers across the UK were flung into a brand-new environment full of cybersecurity challenges. Staff and patients shifted online, and highly sensitive patient data moved onto the cloud, requiring constant security.
What’s more, large numbers of connected devices had to operate consistently and securely in an environment where patients, doctors, non-medical staff, the IT department, and outside contractors all needed varying levels of system access. With a wealth of information shifting to cloud-based systems and new devices that required a connection to one large network, this left many healthcare organisations vulnerable to cyber-attacks.
It’s easy to see why the healthcare industry is a prime target for cybercriminals. Patient data is extremely valuable, and a typical electronic health record (EHR) for an individual contains their full name, social security number, medical history, banking and credit card information, and names of relatives. Plenty of information for cybercriminals to harvest. It’s also a challenge to secure such an environment, especially when many healthcare professionals lack cyber-awareness and often find themselves too busy to shore up on their knowledge.
One of the biggest vulnerabilities within the healthcare industry is that IT infrastructure often has a very high number of access points, with operational technologies including connected MRIs, iPads and desktop computers used by staff members, wireless routers in hospitals, and other electronic devices that can be connected to the network. Without adequate security, any access point can be used as a gateway to access the larger system, and this is what many threat actors are looking to exploit.
It is important to remember just how much operational technology has benefitted the healthcare industry, especially during the pandemic. It has allowed workers and patients to connect during one of the most challenging periods the industry has faced, enabling staff to continue their work remotely – something that was previously considered unachievable for many organisations.
However, not all services areas were able to function as normal. During national lockdowns it was a struggle for some healthcare employees to complete aspects of service delivery – for instance, external companies could no longer carry out pen-and-paper tests onsite. This was a major challenge for many hospitals and healthcare providers who were facing increased risk of cyber-threats and had little to no knowledge of when such services could return to normal.
On top of this, healthcare organisations found themselves trying to operate without enough IT staff, which presented another significant vulnerability. The primary focus for healthcare professionals has rightly been on patient care, and there was often little to no time left to focus on improving the IT department.
In many cases, the IT team is very small and operates with a small budget, despite having lengthy action lists, working to meet compliance and strict security regulations, and having the huge responsibility of safeguarding valuable patient data and vulnerable IT infrastructure. There is no doubt that IT teams work hard – they are after all trained professionals. But small and often overworked IT teams are a potential vulnerability for healthcare security if they fail to keep up with all the demands that sufficient cybersecurity requires. This means that healthcare organisations require additional support to guarantee complete security.
Having possession of arguably the world’s most important data, healthcare organisations must work hard to shut down such vulnerabilities. Due to specific needs and compliance regulations, the solutions organisations can use to fix vulnerabilities require several key qualities.
Appropriate solutions need to be low impact so that the delivery of healthcare is not affected. They must be results-oriented to ensure vulnerabilities are mitigated. They must also be easily and quickly implemented, and incorporate security-by-design principles, to minimize IT workload whilst maximising security throughout systems.
All these qualities are crucial, and in addition to this a suitable solution should be capable of controlling remote access, provide oversight of all users on the system, properly enforce the principle of least privilege to avoid data leaks, and help streamline management for the security team.
This is a lot to expect from an overworked security team to take on. However, a robust privileged access management (PAM) solution can meet all necessary security requirements. Setting up an access manager component will give security teams visibility into, and control over, privileged access. Managers can then define privileges for any user, ensuring that the user can only see the systems and complete tasks for which they authorised to do so.
In addition to assigning privileges, security teams also require visibility into login activity, and any actions from privileged users make while they are in the system. This helps security teams to identify unusual activity on the network before a potential security incident happens.
Healthcare organisations can further boost their security by adopting real-time and automated session management capabilities. This means that session managers can detect inappropriate activity on its own, along with having the power to automatically terminate such a session or to raise real-time alerts, so that administrators can take a closer look at it before taking necessary action. Being able to automatically shut down unusual session activity or raise real-time alerts for security teams is critical for healthcare organisations because they can stop threat actors in their tracks.
PAM solutions that can record all sessions give an audit trail for regulatory compliance and can be used as a training tool for employees. This will educate and help healthcare workers to recognise whether pieces of equipment, such as MRI scanners, have been updated incorrectly or suffered a true mechanical malfunction – another method of identifying unusual activity that may be a threat to the organisation.
Education on cyber-risk is also key to overcoming the challenges healthcare professionals face. Training that is engaging is proven to be highly effective, and organisations can implement group activities and simulation videos that can demonstrate how cybersecurity solutions work and clearly explain what they need to look out for.
Of course, the primary concern of healthcare professionals is to provide adequate care for their patients but company-wide education on cybersecurity and increasing cyber-risk is essential, especially as the industry continues to be a top target for threat actors. Scheduling short and regular training sessions can allow professionals to brush up on their security knowledge without taking up too much time.
It’s clear that technology has significantly helped healthcare organisations during the pandemic, allowing workflows to continue and healthcare professionals to continue working remotely. However, the new systems adopted by healthcare organisations have created new risks and challenges. Attack surfaces have widened as threat actors kept a close eye on vulnerable networks, and the entire healthcare industry has had to act quickly to shore up defences.
Sufficient company-wide cybersecurity training cannot happen overnight, especially with an extremely busy workforce, but healthcare organisations can adopt cybersecurity solutions such as privileged access management to reduce growing cyber-risk. Equipped with secure solutions and regular cyber-security training healthcare organisations can bounce back from the pandemic, fully prepared to operate in a digital-first world.