Healthcare + Security: Why it needs to matter to everyone

By Matthias Wollnik, Adam Mahmud
healthcare security freepik
June 16, 2021

Stop us if you’ve heard this one before: A laptop is stolen, and the theft results in the owner’s personal data being accessed by a threat actor. All of the user’s private data, including financial records among other data, is made publicly available, since there was little more standing between the attacker and the data than a weak, easy-to-bypass password.

Now let’s take this scenario one step further by changing the laptop to one owned by a healthcare professional. This one small change has triggered a huge problem for the owner and the healthcare organization they work for. Additionally, it has possibly violated the Health Insurance Portability and Accountability Act (HIPAA) regulations that govern all healthcare stakeholders and the devices that process and store patient data and records.

The biggest differences between the two nearly identical scenarios are:

  • The latter has the potential to negatively affect the privacy of thousands of patients.
  • The latter is regulated by governmental laws worldwide that vary by region.
  • The latter can and does carry stiff penalties for violations. These may include loss of employment, steep fines, and/or may even be punishable by incarceration.

Ironically, the biggest takeaway from both scenarios is that they both could have been mitigated using full disk encryption with a strong cipher. This technology is included within most modern operating systems free of charge.

To be fair, enabling encryption would not have prevented the laptop from being stolen, nor attackers from trying to exfiltrate the data contained within. But when a strong enough algorithm is used (as most common operating systems do by default) and the recovery keys are managed properly and securely, it could take a very long time before the encryption is defeated, much longer than is likely worth the attacker even attempting. In that case, encryption turns the story from one of a loss of private patient data into one of hardware loss. It’s much simpler, not to mention cheaper, to just replace the device.


Everyone plays a role in security

Any security professional will tell you, there is more to information security than simply enabling full disk encryption. The keys to successful implementation of security practices are to:

  • Know the business requirements.
  • Understand the industry requirements (e.g., regulations).
  • Identify the risks to data that systems may be exposed to.
  • Communicate with the stakeholders so everyone understands what is necessary to keep data protected.
  • Provide users training so they understand what is expected of them and how it ties into the holistic view.
  • Implement security plans that comprehensively mitigate the known risks, including insight into monitoring device health, patch management, reporting, and remediation at a minimum.
  • Embrace best practices and guidance provided by frameworks such as the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS), zero-trust, and defense-in-depth strategies to layer security protections and verify that protections are working as they should be to secure data at all times.
  • Vet supply-chain pipeline partners and maintain safeguards to limit access when and where possible, including access to internal and cloud-based systems, regularly scheduled upgrade cycles for mission-critical/industrial/Internet of Things (IoT) equipment, and managing how data is accessed and stored on vendor-owned systems.
  • Align corporate policies with regulations to reflect guidelines, best practices, and expectations for all stakeholders working internally and externally for the organization.


Governance + IT work together

Protected Health Information (PHI) is regulated globally by the laws of the country or region. In the United States, that regulation is known as HIPAA and is summarized by the Centers for Disease Control and Prevention as “national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Violating these protections – in whole or in part – can lead to repercussions, depending on the severity of the violation. The Office of Civil Rights (OCR) is responsible for enforcing HIPAA’s privacy and security rules, as data leaks or breaches are considered a violation of the patient’s civil rights.

Organizational leadership and IT should be cognizant of cybersecurity and its role in ensuring patient confidentiality, as the protections implemented fall under their direct purview as the governing and systems management bodies, respectively. A lapse in this view can lead to a multitude of issues beyond access to privacy records, such as tampering with patient data and limited patient care. All of these can have a decidedly negative impact on patient health and may even lead to fatalities if patients’ access to general healthcare is prevented by security issues, such as ransomware making systems unavailable.

Technologies and processes such as zero-trust and cloud-based applications are increasingly adopted to mitigate security risks on managed devices. These can be leveraged to protect against issues detected in systems, operating as fail-safes that allow patients to continue receiving the care they need despite local system compromises. Developing change management cycles, disaster recovery plans and remediation processes will help governance determine how data systems are to be protected based on the organization’s unique needs and risk factors.

Additionally, a policy of standardization for computing devices and data protection helps IT apply templated configurations to specific device and data types. This ensures that all devices of a certain type, for example laptops issued to doctors providing telehealth services, have a minimum set of protections in place to secure patient data through known security policies: disk encryption, VPN, compartmentalization of data to isolate business data from personal data, endpoint protection, and managed settings. That way, IT can be certain that each device in the category is configured appropriately to provide end-to-end security coverage.
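The per-device-type baseline described above, together with the recovery-key management point from the disk encryption discussion earlier, can be turned into a routine inventory audit. The following is an added example, not code from the article or from Jamf; the category names, control names and the inventory records are constructed for illustration.

```python
"""Audit a device inventory against per-device-type security baselines.
Added example (not from the article or Jamf): category and control names are
hypothetical, and the inventory below is constructed sample data."""
from dataclasses import dataclass, field

# Minimum controls per device category. The telehealth laptop set follows the
# article's list (disk encryption, VPN, data compartmentalization, endpoint
# protection, managed settings) plus escrow of the disk-encryption recovery
# key, which the article says must be managed properly and securely.
BASELINES = {
    "telehealth-laptop": {
        "disk_encryption": True,
        "recovery_key_escrowed": True,
        "vpn_configured": True,
        "separate_work_data_volume": True,
        "endpoint_protection": True,
        "mdm_managed": True,
    },
    "nurse-station-desktop": {
        "disk_encryption": True,
        "recovery_key_escrowed": True,
        "endpoint_protection": True,
        "mdm_managed": True,
    },
}

@dataclass
class Finding:
    device_id: str
    missing: list = field(default_factory=list)  # required controls not in place
    unknown_category: bool = False               # no baseline exists for it

def check_device(device: dict) -> Finding:
    """Return the controls a device lacks relative to its category baseline.
    A control that is not reported at all, or reported as anything other than
    True, counts as missing: an unreported encryption state is not evidence
    that the disk is encrypted."""
    finding = Finding(device_id=device["id"])
    baseline = BASELINES.get(device.get("category"))
    if baseline is None:
        finding.unknown_category = True  # unclassified devices must be triaged
        return finding
    reported = device.get("controls", {})
    for control, required in baseline.items():
        if required and reported.get(control) is not True:
            finding.missing.append(control)
    return finding

def audit(inventory: list) -> dict:
    """Map device id -> Finding for every device that is not fully compliant."""
    results = {}
    for device in inventory:
        finding = check_device(device)
        if finding.missing or finding.unknown_category:
            results[finding.device_id] = finding
    return results

# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = [
    {"id": "LT-0001", "category": "telehealth-laptop",
     "controls": {"disk_encryption": True, "recovery_key_escrowed": True,
                  "vpn_configured": True, "separate_work_data_volume": True,
                  "endpoint_protection": True, "mdm_managed": True}},
    # Encrypted, but the recovery key was never escrowed and no VPN is set up.
    {"id": "LT-0002", "category": "telehealth-laptop",
     "controls": {"disk_encryption": True, "separate_work_data_volume": True,
                  "endpoint_protection": True, "mdm_managed": True}},
    {"id": "WS-0100", "category": "unclassified", "controls": {}},
]

if __name__ == "__main__":
    for dev_id, finding in audit(SAMPLE_INVENTORY).items():
        if finding.unknown_category:
            print(f"{dev_id}: no baseline for its category; classify it first")
        else:
            print(f"{dev_id}: missing {', '.join(finding.missing)}")
```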


Educating the users

In 1597, Sir Francis Bacon is credited with the saying, “Knowledge is power.” Since then, the idiom has been used by many. Simply put, the more you know, the better equipped you will be to handle what may come your way. While this is true of many things in life, it is an essential way of life for information security at all levels, including your users.

Educating your users, particularly those tasked with working with sensitive data as part of their daily job function, is a basic need for protecting data from unauthorized access. In telehealth this becomes a major necessity, since immediate access to technical support is often not available given the dispersed nature of work from home (WFH) programs. Furthermore, organizational devices on a home network that was set up without professional security oversight and that is shared with consumer-level devices increase the risks to data that need to be mitigated. Educating healthcare workers on the proverbial do’s and don’ts, best practices, and known attack types, like how phishing works and how to identify it so as not to fall prey to it, is important, yet a sadly overlooked way to address informational shortcomings.

As the adage goes, a chain is only as strong as its weakest link. Bear that in mind the next time an organization that has the resources available to purchase the latest hardware, hire talented staff, and configure all manner of security controls to limit access to patient records becomes the victim of a ransomware attack. All because an employee clicked on a spoofed email that really installed a payload that encrypted the data on their device, and also the data of all systems the user was able to connect to at the time of infection, including the monitoring infrastructure that was actively watching over patients back at the hospital.

Security is everyone’s responsibility. Whether we’re involved directly or indirectly, all users need to be included in this conversation. Part of the conversation will be foundational; a larger part will pertain to their specific responsibilities and the productivity tools they use to perform their roles. By now it’s no secret that the global health crisis has changed how and where we work. To that end, the shift created by WFH programs such as telehealth has introduced new ways to perform the same tasks. And it is these very new tools that should be the catalyst leading these education programs, since they are often the very same tools that threat actors are targeting in an effort to go after the low-hanging fruit, as it were.

Without the benefit of company network and security appliances protecting the line of demarcation that separates work from home, threat actors have updated their tools to focus on pivoting attacks toward the users relying on popular collaboration, video, and data storage tools – all just as easily accessible from the cloud for them too – in a concerted effort to compromise devices no longer under the direct protection of the organization’s network perimeter to capture as much data as they can. And while healthcare in general has always been a big draw for threat actors, the shift to telehealth has opened up a new attack vector, allowing determined attackers to seize the opportunity to compromise unsuspecting users.

And one of the most effective ways to mitigate that vector as much as possible is through training your users. Effective, measurable security awareness training based on proven techniques, available as free or paid resources, addresses a host of common attack types; training that targets phishing, email security, and password policies is among the most popular. That shouldn’t come as a surprise, as these are some of the avenues bad actors most often take to trick employees into divulging information and credentials that are then used to attack a system and compromise PHI daily.


It’s all about protecting the patients

One area that is not often discussed in the security paradigm is that of the patient. We're not referring to protecting patient records, but rather the patients themselves as they relate to their healthcare provider. In these uncertain times, healthcare professionals are understandably being pulled in many different directions. Many of these technologies are just as new to healthcare professionals as they are to the patients receiving telehealth services, so how are their needs being addressed with respect to verifying that they are, in effect, speaking to the correct healthcare professional during a telehealth meeting and not an imposter?

Most of the time, links to video/chat programs are provided to the users. They click on the link to enter the chat and once inside the meeting room, they are speaking with their provider. However, one common attack in the education sector has led to students entering a meeting room they believed to be their virtual classroom, only to find out that the educator was actually someone else claiming to be the teacher. And while this has led to tighter security controls over virtual meeting spaces and the recognition of your teacher’s face should be a clear indicator that something is awry, the same cannot be said for a patient that has maybe never met their particular medical provider beforehand. Or in the event that an assistant might begin the session to gather pertinent data before the doctor assumes control of the session, how are patients able to verify the identity that the person(s) they may be speaking to are actually the healthcare providers and that they aren’t sharing private medical information with a bad actor that may have hijacked the session?

Consider a similar, real-world scenario whereby a representative from a regional ISP might knock on your door and say that something is affecting the internet access in the nearby area and they would like some information on your current network conditions. Perhaps they’d like to examine the wiring that comes from the nearest telco to make sure there aren’t any problems with the line coming into your home. How do you trust that they are who they say they are before letting them into your home? Typically, identification systems are the order of the day for these scenarios, but that gets complicated online, where identity cannot be verified so easily.

While this is not a widespread concern as of yet, if there’s one thing that IT has shown, it’s that technology is ever changing, and it is this very dynamism that fuels positive advancements. Unfortunately, with the good must also come some difficulties. Fortunately for patients and healthcare providers, this problem, daunting as it may seem, can be mitigated. It takes some forethought to implement into the existing provider workflows, but with patient care being the focus, security has to be a consideration.


Get the balance right

Between governance, IT, healthcare, and users, the priorities can sometimes diverge. While everyone is generally driving in the same direction, how they go about getting there can and often does vary from stakeholder to stakeholder. One of the biggest problem points, and opportunities to strike the right balance, is between what IT must do to secure data and devices while still enabling caregivers efficient ways to provide adequate care to their patients with minimal friction.

This balance sounds difficult to establish, but comes down to the same proposition as most information security activities: How do we mitigate any one risk to an acceptable level for the organization? When it comes to health care, there will, by definition, be times where the wellbeing of the patient trumps the need for security. While this may lead security teams to be reluctant to support adopting newer technologies, it will allow for organizations to provide the best quality healthcare. In these areas, security teams will often have to look for non-traditional ways to mitigate risks by introducing more education, processes, or novel security tools to keep private data continually protected.

A secondary balance that results from the first is that, in addressing security and endpoint management, as well as remediation of security incidents, the healthcare provider’s experience must be considered. Many providers are not overly technical and are focused on providing the best care. As IT and security teams build out their processes and tools to mitigate risks, how those impact the provider in their daily work or during security incidents becomes an important consideration. Patients benefit from this entire process through a painless experience that keeps their privacy and healthcare data protected while they receive care.

KEYWORDS: cyber security healthcare security information security risk management


Matthias Wollnik is Product Marketing Manager of Security at Jamf. 


Adam Mahmud is Solutions Marketing Manager of Healthcare at Jamf.
