
11 cybersecurity tips from the first federal chief information security officer

At HIMSS, retired Brigadier General Greg Touhill, who served as the inaugural U.S. chief information security officer under President Barack Obama, offered insight on how hospitals and healthcare organizations can keep data safe.

It’s no secret that cybersecurity continues to be a problem in the healthcare environment. The latest Protenus Breach Barometer, a report produced in collaboration with DataBreaches.net, found there were 503 healthcare breaches in 2018, compared to 477 in 2017. The number of affected patient records also nearly tripled, from 5.5 million in 2017 to about 15 million in 2018.

Despite the upsetting data, healthcare organizations aren’t stuck being victims.

At HIMSS, retired Brigadier General Greg Touhill, who served as the inaugural U.S. chief information security officer under Barack Obama and is now president of Cyxtera Federal Group, offered advice on what hospitals, health systems and other medical entities can do to keep data safe. Here are his tips:

Adopt a zero trust strategy
“I think trust is assumed in much of what we do, but it’s incredibly misplaced,” Touhill said.

Rethink access control, because username and password aren’t good enough
Username and password were considered state of the art back in 1979, Touhill said, noting that it is now “time to retire legacy technology.”

Multi-factor authentication is essential
Other industries like finance and the government are using multi-factor authentication to help individuals better protect their information. It should be more prominent in healthcare.

TCP/IP is a weak security foundation
Transmission Control Protocol/Internet Protocol, the protocol suite that connects computer systems over the internet, was also state of the art in the late 1970s, Touhill said. But at this point, it’s not a strong security foundation: a host accepts a connection before it knows who is on the other end. He urged healthcare organizations to learn about software-defined perimeter solutions, which authenticate first and only then connect.

Unclog firewall congestion
Healthcare entities should say goodbye to their old VPNs (virtual private networks) and implement software-defined perimeter technology, Touhill suggested.

Don’t just segment — microsegment
“[T]he more segmentation you can do, the better,” Touhill said. As organizations look at adapting their risk profile, he recommended examining technologies that can microsegment.

Whitelist
Whitelisting essentially means allowing only pre-approved programs, IP addresses and email addresses on your network; anything not on the list is denied by default. Touhill believes the practice has its pros. After all, “[w]hy would you want to have some code running on your network that you don’t know ahead of time what it is?” he said.

Leverage automation to detect and thwart fraud
There are numerous tools that can be used for fraud detection, but Touhill said the best ones are coming out of the financial sector. He urged attendees to find solutions from the financial sector and bring them over to the healthcare world.

Guard your backdoor
Organizations often contract with third-party vendors, who come in and handle database administration or system administration. “Are you personally vetting them? Probably not,” Touhill said. This is an area where micro-segmentation can be particularly helpful.
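The microsegmentation and third-party-vendor points above fit together, and the added example below (constructed for this article, not a tool Touhill presented) shows why. It evaluates the same five flows against two policies: a coarse one with a single flat “internal” zone, and a microsegmented one in which each workload class is its own segment and every rule names the destination ports and authenticated identities it serves. All addresses, segment ranges and identity names are invented for the illustration. The evaluator is default deny, the same principle as the whitelisting point: a flow passes only if a rule was written for it ahead of time.

```python
"""Coarse segmentation versus microsegmentation, evaluated over constructed flows."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst: str        # destination IP address
    port: int       # destination TCP port
    identity: str   # authenticated principal behind the source, or "unknown"


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    ports: FrozenSet[int]
    identities: FrozenSet[str]  # empty set means "any identity"

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
            and flow.port in self.ports
            and (not self.identities or flow.identity in self.identities)
        )


def allowed(rules: List[Rule], flow: Flow) -> bool:
    """Default deny: the flow passes only if some rule explicitly matches it."""
    return any(rule.matches(flow) for rule in rules)


ANY_PORT = frozenset(range(1, 65536))
ANY_IDENTITY: FrozenSet[str] = frozenset()

# Coarse policy (constructed): one flat internal zone, anything inside may talk to anything inside.
COARSE = [Rule("10.0.0.0/8", "10.0.0.0/8", ANY_PORT, ANY_IDENTITY)]

# Microsegmented policy (constructed): one segment per workload class, rules scoped to port and principal.
MICRO = [
    # clinician workstations -> EHR application tier, HTTPS only
    Rule("10.1.0.0/24", "10.2.0.0/24", frozenset({443}), ANY_IDENTITY),
    # application tier -> database, only as the application's service identity
    Rule("10.2.0.0/24", "10.3.0.0/24", frozenset({5432}), frozenset({"svc-ehr"})),
    # contracted vendor DBA, from the vendor jump host, to the database and nothing else
    Rule("10.9.0.0/24", "10.3.0.0/24", frozenset({5432}), frozenset({"vendor-dba"})),
]

# Constructed traffic: two legitimate flows and three that should not happen.
FLOWS = [
    Flow("10.1.0.15", "10.2.0.10", 443, "clinician"),    # normal EHR use
    Flow("10.9.0.5", "10.3.0.20", 5432, "vendor-dba"),   # vendor doing the work it was hired for
    Flow("10.9.0.5", "10.2.0.10", 22, "vendor-dba"),     # vendor pivoting into the app tier over SSH
    Flow("10.1.0.15", "10.3.0.20", 5432, "clinician"),   # workstation going straight at the database
    Flow("10.9.0.5", "10.3.0.20", 5432, "unknown"),      # vendor host with no authenticated principal
]


def evaluate(rules: List[Rule], flows: List[Flow]) -> List[bool]:
    """Decision per flow, in input order."""
    return [allowed(rules, f) for f in flows]


if __name__ == "__main__":
    print("coarse:", evaluate(COARSE, FLOWS))  # every flow passes, including the three bad ones
    print("micro: ", evaluate(MICRO, FLOWS))   # only the two legitimate flows pass
```

Under the flat policy the vendor jump host can reach every internal system, so the trust placed in the vendor extends to the whole network; under the microsegmented policy that trust is confined to one database port, and a flow with no authenticated identity behind it fails even on the permitted path.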

Be careful flying into clouds
Touhill also touched on security as it relates to cloud computing. When working with cloud providers, he recommended that organizations get access to the logs, reserve the right to penetration test and reserve the right to bring in an independent third-party auditor.

Think ahead — AI is a coveted health attack surface
As artificial intelligence continues to generate buzz and organizations invest in such technologies, keep in mind that the use of AI makes your organization a target for cybercriminals.
