Healthcare organizations (HCOs) today are tasked with juggling multiple priorities — striving to achieve the ultimate trifecta of rapid innovation, regulatory compliance and highly effective cybersecurity — all while delivering the best possible health outcomes.
To be successful in this age of digital transformation, HCOs are increasingly turning to cloud technology to make it all happen. Yet many lack the experience needed to manage these new systems on their own and to ensure that the highly sensitive and valuable patient data migrated to the cloud remains secure. Instead, many organizations choose to invest in managed cybersecurity services as a force multiplier for their existing cyber defense teams.
In fact, Gartner estimates that the managed detection and response (MDR) market will reach $2.15 billion in revenue in 2025, up from $1.03 billion in 2021. And according to ClearDATA’s research, most larger provider organizations and those with more advanced cloud maturity outsource their security and compliance solutions, with as many as 80% of HCOs delegating some degree of their cybersecurity processes.
But that doesn’t mean HCOs are off the hook when it comes to cybersecurity. To get the best results and ROI from their managed defense investment, organizations must take the time to truly understand their existing cybersecurity posture and establish strong internal processes at every level of the company.
Here are three steps every HCO should follow to lay the foundation for stronger managed cyber defense:
Evaluate an organization’s strengths and weaknesses
No matter how committed an HCO is to protecting itself, no cybersecurity program is perfect. That’s why every organization’s journey must start with one crucial first step: clearly defining an organization’s strengths and weaknesses.
An HCO likely already conducts security risk assessments (SRAs) to gauge its cybersecurity readiness. Begin by reviewing the findings from past SRAs to identify exactly where the organization excels and which vulnerabilities may need additional support. Two key areas to drill into are the technologies and processes used to secure the workforce's digital identities, and the cloud service adoption roadmap. These two areas are tightly coupled, since an employee's corporate digital identity serves as their access pass to the organization's cloud services.
For many HCOs, there are two primary areas where they fall short, leaving themselves vulnerable to malicious cyberattacks: a lack of modern security awareness training, which often leads to mistakes that allow threat actors to compromise the corporate digital identities of under-informed employees; and out-of-date software and applications that have been “lifted and shifted” from the data center into the cloud.
Invest in up-to-date workforce security training
The unfortunate truth is that many cybersecurity incidents and breaches, in every industry, are the result of human error. Even the most rigorous cybersecurity processes and market-leading tools provide little to no utility if an employee continually reuses credentials that appear in publicly disclosed breach data, uses weak passwords, clicks every link in every email, or leaves their laptop accessible in a public space where prying eyes can potentially gain access to valuable data.
The first step for CIOs and CISOs is to screen their workforce. Confirm that team members are trustworthy by conducting background checks. Enroll them in cybersecurity training upon employment. Throughout the year, evaluate their performance and IT hygiene to confirm they are following the cybersecurity best practices on which they were trained.
Ensure that whichever security training program an organization invests in is up to date and covers cybersecurity best practices based on the current threat landscape. For example, training programs should include a focus on preventing phishing attacks, which have historically been the biggest problem for organizations in any industry. Today's sophisticated phishing emails closely resemble genuine ones, and to many non-technical users they appear legitimate. Everyone in the organization should be able to recognize, avoid and report potential phishing attacks.
Lastly, don’t be afraid to enlist internal security teams or a managed cybersecurity partner to conduct phishing simulations against an organization. It’s been said that a good offense is the best defense. This adage applies directly to the realm of cybersecurity and can help to pinpoint users who need additional training and monitoring to keep their corporate digital identity secure. Also, keep in mind that while multi-factor authentication (MFA) is a necessary and valuable technology in the event credentials have been compromised, it isn’t always enough. Many modern red team training courses teach numerous techniques for bypassing MFA. Malicious threat actors utilize these same techniques, so ensure that they are included in simulations and cover how to spot them in employee security awareness training.
There isn’t room for excuses: it’s time to patch software vulnerabilities
If anything was learned in the last two years, it’s that phishing isn’t the only way modern threat actors are wreaking havoc on HCOs worldwide. Software vulnerabilities such as Log4Shell and the slew of Microsoft OS and Exchange flaws have been heavily targeted for initial access by immature and sophisticated threat actors alike. In fact, during the first half of 2022, ClearDATA witnessed tens of millions of attempts to exploit vulnerabilities in cloud-hosted applications that use the Log4J software.
While clinical systems are often fragile, production web applications and databases must be resilient and must accommodate regular updates and patches. Organizations should make like Robert Frost and avoid what appears to be the simplest path to the cloud, often referred to as “lift and shift.” Failing to take the time to refactor an application to use modern cloud-native deployment strategies and technologies, which build highly resilient and secure applications, does a great disservice both to the organization and to the individuals whose sensitive data it has promised to protect.
No matter whether an organization chooses to utilize virtual machines, containers or serverless technology in the cloud, there must be a solid strategy for hardening and updating these workloads.