The immense horizons of digitalized healthcare are shining bright — but dark clouds do exist.
Perhaps the biggest concern is cybersecurity, and for good reason. According to the HIPAA Journal healthcare organizations experienced a 25% increase in breaches in 2020, with 642 large breaches reported and 29 million records affected. Meanwhile, an Ipsos study found that 48% of U.S. hospitals have had to shut down networks in response to or to prevent cyberattacks, and these shutdowns cost between $21,500 and $45,000 per hour.
Fortunately, healthcare organizations are responding. Cybersecurity awareness is growing. But converting that awareness into action — the correct action — must happen urgently.
This article presents three steps that every healthcare organization should take to elevate cybersecurity, drawn from decades of experience protecting critical infrastructure around the world, from oil & gas plants to airports to power grids.
Step 1: Assess where you are — but don’t stop there
The first step is deceptively simple: Where are your vulnerabilities? Yes, it’s straightforward, and it’s usually easy to take this first step. The challenge is that many people stop here.
Most organizations follow all the best practices for assessments — defining their system, testing vulnerabilities, creating zones and conduits, analyzing risk and documenting their process.
But then, nothing happens. Perhaps seeing the full solution laid out feels daunting, but so is the average cost of a data breach in the U.S. healthcare industry: $8.64 million, according to an IBM study. There’s no sugarcoating it — it will take time and resources to take the next step. But will it cost nearly nine million dollars?
Step 2: Fix the issues you find in the assessment — quickly
Once an organization has committed to acting on Step 1’s findings, the priority needs to be speed. Think about implementing countermeasures over a span of days and weeks, not months and years. But how? And with whom? If cybersecurity isn’t your organization’s forte, it’s worth partnering with an experienced vendor. Here are two good questions to ask potential cybersecurity service partners:
- Do you manufacture the technology you’re trying to protect?
- Do you have domain expertise in healthcare?
The first question is about hardware expertise. Many cybersecurity consultants are far more comfortable in the world of IT than operational technology (OT). However, hospitals are full of connected OT devices, from room controlling thermostats to humidity and air quality sensors. Each of these could be a backdoor into a network, and cyberattackers often exploit these overlooked OT devices. Without solid knowledge of OT devices, your vendor may only optimize one half of the IT/OT integrated network.
The second question is about compliance. Requirements for data management practices and building system criticality are different for hospitals than they are for just any commercial building. These healthcare-specific requirements will surely factor into your assessment. One objective that your vendor should target is to achieve a minimum Security Assistance Level 1 compliance to the IEC62443 standard. If you have no idea what that means, that’s okay — just make sure your vendor does.
Step 3: Monitor your system 24/7 — and do it with managed services
There’s no “set and forget” for cybersecurity programs. Cyber threats change by the minute. Do you have in-house resources to monitor and respond to every escalation of privileges? Or can you review every modification of an important file?
If not, having a managed service partner just a phone call away — with the ability to show up on-site if needed — takes the pressure off of an organization. Managed services often involve a combination of human and AI-powered monitoring to secure organizations.
Often, the difference between a breach and an attempted breach is the speed it takes to respond. With human and machine intelligence monitoring your system, you can act much faster.
Magic tricks
Following these three steps is a proven roadmap for elevating cybersecurity.
I know these steps are easier said than done. Trust me, if we could simply press a button and make all the cyber threats vanish into thin air, we would. Unfortunately, there are no shortcuts or magic tricks in the pursuit of cybersecurity. It takes steady, methodical focus.
The good news is, you don’t need in-house cybersecurity expertise to achieve expert cybersecurity. All you need is a firm commitment to act.
By taking these three steps — all of them! — you’ll elevate safety and security, minimize risk and protect business continuity. That way, you can forge ahead into the new world of digitalized healthcare with confidence.