Time for a cybersecurity check-up in healthcare

Connectivity and the Internet of Things (IoT) are pushing the boundaries of healthcare treatment. But this connectivity comes at a price. More devices and more communication increases the opportunities for attackers to breach defenses. On the one hand, the healthcare industry has been resistant to changes because it fears that interfering with critical systems could harm patients. On the other hand, not investing in security may not only affect patient healthcare if systems are disrupted but also injure patients’ well-being if their private records are stolen.

Today, when it comes to doctor’s visits and care, the concept of connected healthcare is advancing the industry in ways where the scenario of the time you wasted sitting in a doctor’s waiting room is becoming a thing of the past. From a sensor-equipped bra that detects breast cancer to streamlining care and improving network connection at a family of retirement communities, the Internet of Everything (IoE) has turned the healthcare ideas of yesterday into the healthcare realities of today. As healthcare becomes more consumer-focused and personalised, all aspects of health services, from billing to patient care, are primed for transformation.

Why the sudden focus on healthcare? To be honest, healthcare has been in the cross-hairs for several years. However because of the relative lack of sophistication of healthcare information security to detect attacks, most have gone unreported. The theft of someone’s bank balance doesn’t go unnoticed for very long.

The second factor has more to do with the market valuation of stolen data. The wholesale value of stolen credit cards on the dark net declined as a result of too many card numbers in the market. At the same time cyber criminals discovered lucrative new avenues for the disposal of stolen healthcare information by parsing the data into market categories such as personal identities, prescription information, or insurance information. Criminals have now been able to make much more money by selling these buckets of information to different groups, rather than selling the medical record as a whole. Medication types, credit card information and personal information are just some of the sensitive data stored on healthcare networks, so special attention has to be paid to shore up the network and reduce the potential of attacks.

According to a report by Grand View Research, the global healthcare cybersecurity market size is expected to reach nearly $10.85bn by 2022. Healthcare is so poorly protected compared to other industries and ranks close to the bottom in information security spend. The healthcare industry doesn’t view cybersecurity to be as much of a strategic priority as the finance and defense industries do. Healthcare funding is focused squarely on the human and technology assets that make medical treatment possible. Information security is largely an afterthought, or viewed simply as a ‘cost of doing business’, rather than as ‘business enabler’ to permit healthcare organisations to expand their services into lucrative new revenue streams or more efficient ways of conducting existing business.

A lack of money is only part of the problem. Locating the right security talent is equally challenging, and the hunt for qualified candidates is only becoming more difficult. According the Cisco Annual Security Report 2016, there is currently a deficit of one million security practitioners, increasing to 1.5 million by 2019.

Healthcare organisations should consider solutions that segment networks. This measure could prevent attackers from gaining full access even if they breach a portion of the healthcare system. Having the appropriate network segmentation, authentication, and access control for people and devices is crucial, as are compensating controls.

If organisations use a group of devices that cannot be scanned or have controls directly applied to them, they must be segregated behind gateway controls, isolating them from other network segments and traffic. To improve the sophistication and reliability of their security defenses, healthcare organisations should consider continuous threat detection. Such a system not only monitors the inside of networks (not just the edge), but also detects and mitigates threats to make sure that if attackers gain entry to critical systems, their impact is limited.

A threat-centric and operationalised approach to security can reduce complexity and fragmentation, while providing superior visibility and continuous control.

Healthcare organisations must now quickly grow their capabilities in cybersecurity, especially given the sharp rise in cyber-attacks in recent years. All organisations need to be agile in adapting to this new terrain. The risk to safety, security and trust are too great. The healthcare community must continuously learn and collaborate with one another to become more resilient for the industry as a whole and to protect patients, the ultimate benefactors.

Scott Manson is Cyber Security leader for Middle East and Turkey at Cisco