Healthcare Organizations Must Balance the Growing Cybersecurity Threat Landscape with Meeting Regulatory Mandates

By Vijay Basani
August 3, 2017

The need for healthcare executives to reassess their cybersecurity policies and strategies has never been more critical. But how can security operations professionals within healthcare organizations balance the need to meet regulatory mandates with securing critical network infrastructure and patient data? Even though healthcare organizations, including providers, payers, pharmaceutical companies, medical device manufacturers and medical research organizations, aren’t lucrative money centers like banks or credit unions, they are sitting on a treasure trove of valuable personal information that cyber criminals are increasingly eager to access.

According to the 2017 Verizon Data Breach Investigations Report (DBIR), healthcare organizations have become a top target for hackers delivering malware-based ransomware, which accounts for 72% of the malware incidents in the healthcare industry. It’s apparent that the cyber risk to healthcare organizations, and their patients, is not going away anytime soon. As new threats continue to escalate and extend to IoT-based medical devices, many healthcare organizations will continue to be compromised through known attack vectors and patterns such as phishing attacks, misconfigurations and unpatched systems. According to the Identity Theft Resource Center, between 2014 and 2016 there were over 950 confirmed data breaches within the healthcare industry, and of those three years, the most recent (2016) had the largest number of breaches.

One very recent and widespread ransomware attack, dubbed WannaCrypt, affected 45 hospitals across the UK, sending systems offline and hospital personnel scrambling. As a result, appointments were cancelled, and doctors and nurses resorted to pen and paper as systems were locked down by the ransomware attack. WannaCrypt should have sent a shock across the healthcare industry at large because of one important factor – many of the targets were running outdated Windows operating systems like Windows XP, Windows 8 and Windows Server 2003. Microsoft issued patches because of WannaCrypt, but organizations should take this widespread threat as a hint – it’s time to regularly update systems to newer versions, apply security patches, and most importantly, take cybersecurity seriously.

One of the most significant challenges facing the healthcare industry is a required focus on regulatory mandates, both in terms of federal laws as well as an increasing patchwork of state laws that carry steep sanctions in the event that PHI and PII data are breached or otherwise compromised. When the Health Insurance Portability and Accountability Act (HIPAA) was passed into law in 1996, it ushered in a new era for recognizing the importance of securing the confidentiality and integrity of healthcare patient data.

Years later, healthcare organizations still struggle under the weight of ensuring that all newly adopted technologies – such as analytics systems that centralize massive amounts of PHI, and healthcare delivery devices that are now connected to facility networks and are IoT-based – are compliant with HIPAA requirements, while maintaining compliance for substantial legacy systems as well. This is especially true since the passage of the HITECH Act, which dramatically increased the potential sanctions for non-compliance. In the last few years, HHS and OCR (the HIPAA enforcement authorities) have become a lot more active in auditing and enforcing HIPAA controls in the healthcare industry. And the fines can be steep, ranging from $100,000 to millions for a failed audit and/or a confirmed breach.

Collectively, these real challenges – current and emerging regulations and the perpetual fight against threats both known as well as new – can often be points of contention (and competition) for budgets, personnel and time within healthcare organizations.

Additionally, for healthcare organizations, the cost of implementing cybersecurity controls is not simply one of financial impact. For personnel tasked with implementing these solutions, the burden of ensuring that these controls not only deliver actual security but also address regulatory requirements is critical.

In light of meeting regulatory mandates while taking an assessment of the current cybersecurity program and technologies, healthcare executives and organizations should take the following into consideration:

  • The false “either/or” choice of security or compliance. Often, security technology vendors build their solutions specifically to ensure that healthcare organizations will “check the box” when it comes to regulatory compliance. While it’s important to ensure that any cybersecurity solution passes muster with auditors, it is just as important to remember that these solutions must provide actionable information and in the process, reduce risk – otherwise, they run the risk of simply being an audit tool.
  • Beware of choosing solutions that require extensive management. There is certainly no lack of choice when it comes to cybersecurity solutions for healthcare organizations. However, many of the “block-and-tackle” security technologies that are critical to detecting and mitigating threats, such as security monitoring, vulnerability management, and patch management, demand significant security expertise and time, which in turn results in a need to hire a large team of security professionals that can eat away at healthcare budgets. In a current market where there is a cybersecurity professional shortage, with approximately 1 million jobs unfilled, and the total cost of hiring a full-time security professional is north of $250,000 per year, most healthcare organizations are challenged to find sufficient budgets to handle security in-house. A cost-effective and budget-friendly option could be to partner with a well-qualified and SOC 2 compliant third-party security-as-a-service provider.
  • Anticipate technical integration issues. Security platform products such as monitoring and patch management systems are only as effective as the technologies with which they can integrate. Some products lack effective out-of-box integration with common technologies, requiring security personnel to manually create templates and other burdensome components to achieve integration, or to pay a premium to the vendor or a third party to do the work, increasing the cost of achieving a properly functioning solution. On-premises solutions, in particular, can present a nightmare scenario that requires extensive network and service reconfiguration coupled with continuous “care and feeding” in the form of security patches and functional updates for software, servers and appliances, as well as physical burdens such as rack space, power redundancy, network connectivity and other concerns.
  • Time and expertise required to implement solutions. Rarely do healthcare personnel who implement or manage security technologies wear “one hat.” From supporting internal auditors in advance of examinations, to fielding technical support for healthcare practitioners, to translating the complexities of threats and resulting risks into language that can be understood by administrators and management teams, time is always in short supply. Implementing security technologies takes away a substantial portion of that valuable time, both in terms of implementation and ongoing management, that might be devoted to other high priority IT projects.
  • Choosing the right Managed Security Services Provider (MSSP) that delivers security as a service. For many smaller healthcare organizations, it makes sense to trust an MSSP to provide security protection, which may include monitoring, and vulnerability and patch management. Some MSSPs substantially lower the cost of cybersecurity protection because they use cloud-based solutions that don’t require on-premises servers, appliances, or other equipment and software. However, all MSSPs are not created equal. Some may not have the cybersecurity experts required to monitor and mitigate threats successfully on a 24x7x365 basis. And MSSPs unfamiliar with the healthcare industry may not be able to support regulatory mandates, such as HIPAA, the HITECH Act, 21 CFR Part 11, and others that require that healthcare organizations meet audit requirements while simultaneously reducing cybersecurity risks. While MSSPs can significantly lower the spend on cybersecurity protection, it may cost more in the long run if the MSSP isn’t knowledgeable about the specific needs of healthcare organizations.


The Urgent Cybersecurity Imperative

Healthcare organizations face a special set of challenges because they may be targeted due to the sensitive data they possess. They must also comply with many regulatory mandates and must strike a balance between meeting those mandates and improving their security posture. Both are doable; it’s just a matter of designating enough of the IT budget and IT personnel to accomplish these goals. This necessary balance needs to be struck between compliance and reducing actual risks. However, by applying efficient solutions to the equation, security operations personnel can fully meet regulatory mandates while effectively mitigating risks to technology assets, data, and patients.

KEYWORDS: cyber risk mitigation healthcare cybersecurity ransomware security compliance security risk management

Vijay Basani is the co-founder, president and CEO of EiQ Networks, a pioneer in hybrid SaaS security and continuous security intelligence solutions. Before EiQ Networks, he founded AppIQ, an application storage resource management provider acquired by HP, and WebManage Technologies, a policy-driven content delivery solution provider acquired by Network Appliance. Basani is the co-owner of five patents for the architecture and design of the WebManage Content Delivery system, Adaptive Policy Engine, and SLA Management. He earned a Bachelor of Engineering degree in electronics and instrumentation, as well as an MBA and post-MBA degrees, from Baruch College in New York.