Security Magazine

The urgent need for the healthcare industry to develop cyber-resiliency

By Dr. Sanjaya Kumar
October 25, 2021

It is hard to make it through a workday without hearing of another healthcare data breach or ransomware attack. This shouldn’t be a surprise; since March 2021, the United States has averaged more than two reported healthcare data breaches every day.


Healthcare is disproportionately targeted: 34% of all data breaches in the U.S. involve a healthcare organization. Yes, healthcare is a large industry, but we’re not that large. Here’s why security is such an issue for our critically important but increasingly fragile industry.


  1. Black market value of healthcare records. According to a Trustwave report, a healthcare data record may be valued at up to $250 on the dark web. In second place? Payment cards at a fraction of the value, a mere $5.40 per record.
  2. Competing management priorities. CIOs often focus on tech that improves patient care and underprioritize systems integrity. COVID has made matters worse because healthcare organizations understandably have diverted resources to combat the pandemic.
  3. Underperforming security infrastructure. Broadly speaking, healthcare lags behind other large industries in updating information systems and enabling effective monitoring of the attack surface.
  4. Complexity of governance and compliance process standardization across enterprises. Over the last decade, there has been significant consolidation in the healthcare industry. Most acquisition targets are assimilated without adherence to best cybersecurity compliance practices. This leaves the overall enterprise vulnerable to data hacks and ransomware attacks.

 


ESTABLISH A HEALTHCARE SYSTEM WITH CYBERSECURITY RESILIENCY


The four pillars of cybersecurity resilience are system design, system deployment, ongoing vigilance and compliance governance. Success depends on a risk mitigation approach to continuously manage threats, vulnerabilities and compliance gaps.


1. System Design Excellence

Design your IT systems with the end in mind. Intimately know your users, their data needs and all required applications. When designing your IT system, consider:


  • Using multi-factor authentication for remote access.
  • Establishing a second layer of user authentication for access to sensitive data or applications.
  • Enabling strong spam filters on external web-facing applications and sites to prevent phishing exploits.
  • Enabling rules and policies for user access rights and privileges to applications, data, and supporting information systems.
  • Installing a disciplined process for monitoring the entire system for needed updates to firmware, operating system software and end-user applications.
  • Providing authenticated, restricted network access only to the right users from within or outside your organization.
  • Using system controls to identify security holes and vulnerabilities, along with processes that define the required steps to effectively remediate high-risk issues.


No system design is complete without addressing the weakest link, the human factor. All users within the organization must be knowledgeable about the protocols, policies and risk mitigation procedures that affect them. Simply increasing awareness and distributing knowledge content is not good enough; training programs with active exercises are far more effective. Good training systems require people to fix their mistakes before being allowed to move to the next step.


2. Systems Deployment Excellence

Since most modern deployments (implementations) depend on coordination, uniting disparate teams remains a significant challenge. Developers, IT operations professionals, infrastructure engineers and business managers each have roles to ensure success. All need to strive to:


  • Remove silos within your organization. Consider creating a single DevOps team made up of representative stakeholders who oversee development, operations and everything in between.
  • Develop a culture of continuous improvement. Operationalize:
    • Periodic audits and checks.
    • Automated monitoring with real-time alerts.
    • Quick, active remediation of discovered weaknesses.
  • Institute best practices across the software deployment process, including vulnerability and compliance remediation.
  • Deploy automated network scanning tools to identify system threats and vulnerabilities.


Most software development and deployment stakeholders know what they should do when performing their jobs, but unfortunately, they don’t always do it. Instilling operational excellence into your systems DevOps team helps mitigate system risks that can make your environment vulnerable to attacks and exploitation.


3. Vigilance Excellence

Post-implementation, run your cybersecurity protocols on schedule. 


When vulnerabilities and compliance issues are identified, immediately execute your remediation process, especially for those identified as high importance or critical. Also:


  • Automatically identify, track, and monitor sensitive data flows within your organization and throughout your ecosystem of employees, contractors and vendors.
  • Continuously monitor the dark web for breached data.
  • Periodically run a user training program that includes simulated “spear-phishing” to discourage users from opening malicious attachments or visiting unsafe websites. Again, the weakest link of any secure environment is humans, so the more situationally aware users are, the more resilient your organization will be.  Inform your employees of successful attacks at well-known healthcare organizations, so they understand why they need to comply with the security procedures you require.
  • Mandate an annual attestation from all employees of successful training compliance, including a review of security policies and procedures. Do the same for new staff hires.
  • Automatically check for sanctioned employees joining your payroll.
  • Automate vendor oversight to monitor vendor compliance gaps and implement vendor risk and remediation processes.


Schedule compliance is a lot easier with automation. There are many tools that can help you do this, but if you choose manual processes, develop rigorous compliance protocols to protect your healthcare organization.


4. Compliance Governance Excellence 

Be in continuous compliance with all appropriate security frameworks, which in healthcare usually is a combination of HIPAA, NIST, HITRUST, CIS Critical Security Controls, ISO 27000 and COBIT standards. Much of this work can be assessed through scheduled automated scans of the IT network environment. Any discovered weaknesses need immediate remediation and documentation. After identifying the security frameworks appropriate to your healthcare organization:


  • Maintain a state of ‘continual readiness and compliance’ for all frameworks.
  • Establish a comprehensive set of security protocols, policies and standard operating procedures that are current with the requirements of regulatory standards and controls.
  • Ensure your policies and procedures are widely accessible to appropriate staff.
  • Enforce all security policies with regular compliance assessments and monitor through automated compliance scans of your information systems and data network. 


When an automated scan identifies a compliance issue needing remediation, and you have created the processes for quick remediation, your organization will easily maintain a prescribed state of cyber-hygiene and readiness.


HOW WORRIED SHOULD YOU BE?


If you’re a small provider and think you will fly under the radar of cybercriminals, think again. Many small organizations leave themselves widely exposed, and this puts their stakeholders at risk. Comparable patient health records have the same value regardless of whether they originated from a large or small organization.  


If you’re a large provider and think that your market impact will deter a cybercriminal, think again. In the past few months alone, cyberattack targets have included well-known marquee healthcare names like Intermountain Healthcare, Florida Blue, Scripps Health, Temple University Hospital and Walmart.


So, if you’re unprepared or even under-prepared, you should be very worried. CEOs and Boards of healthcare organizations increasingly are recognizing cyber risk as a core threat to reputational and financial performance. Take the bull by the horns and develop the right security posture for your organization before the spotlight shines on your vulnerabilities. 


It’s a matter of time before hard questions will be asked about how well cyber risk is being managed within your organization. Be prepared by adopting a risk-based approach and maintaining a continuous compliance readiness environment. This will significantly aid you in becoming more cyber-resilient.


There are no shortcuts. The work must be done. The alternative to cyber-resiliency is potential disruption of care and unnecessary cost, either of which can be catastrophic.

KEYWORDS: cyber security data breach healthcare risk management


Sanjaya Kumar, MD, is CEO of SureShield, Inc., a cybersecurity company offering IT security solutions. Dr. Kumar has more than 25 years of healthcare compliance and security experience. He can be reached at skumar@sure-shield.com.

Copyright ©2025. All Rights Reserved BNP Media.
