Connected Healthcare Environment: Managing Risks for a Safer Industry at HIMSS23
In the rapidly evolving landscape of healthcare, the ecosystem has expanded far beyond the traditional four walls of hospitals and health systems, as highlighted by Erik Decker, Intermountain Health's Chief Information Security Officer (CISO). This expansion brings with it a host of challenges, particularly in the realm of cybersecurity.
One such challenge is the management of connected medical devices. Nearly one in five of these devices are thought to be running unsupported versions of their operating systems, which puts patient data and the surrounding systems at risk. Software bills of materials (SBOMs) have proven useful here: an SBOM lists what is baked into a device, so a provider can see which operating system and libraries a device actually runs and make informed decisions about its security posture.
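The practical use of an SBOM in this setting is to compare the components it lists against known end-of-support dates. The following is an added example, not code from the HIMSS23 panel or any vendor: it parses a constructed, simplified CycloneDX-style SBOM for a hypothetical device and flags components whose support has ended, as well as components the SBOM lists without a version (which cannot be assessed at all). The device, the component list and the end-of-support table are all assumptions made for the illustration.

```python
import json
from datetime import date

# Constructed, simplified CycloneDX-style SBOM for a hypothetical infusion
# pump. Not a real device record; every name and version is illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "device",
                               "name": "example-infusion-pump",
                               "version": "3.2"}},
    "components": [
        {"type": "operating-system", "name": "windows", "version": "7"},
        {"type": "library", "name": "openssl", "version": "1.0.2u"},
        {"type": "application", "name": "pump-controller", "version": "3.2.1"},
        {"type": "library", "name": "legacy-dicom-stack"},  # no version given
    ],
})

# Hypothetical end-of-support table: component -> version line -> end date.
# In practice this would come from vendor lifecycle notices or an EOL feed.
END_OF_SUPPORT = {
    "windows": {"7": date(2020, 1, 14), "10": date(2025, 10, 14)},
    "openssl": {"1.0.2": date(2019, 12, 31), "1.1.1": date(2023, 9, 11)},
}


def _version_line(version, lines):
    """Return the key in `lines` that `version` belongs to, or None.

    '1.0.2u' belongs to the '1.0.2' line; '1.0.20' does not, because the
    character after the prefix is another digit."""
    for key in lines:
        if version == key:
            return key
        if version.startswith(key) and not version[len(key):len(key) + 1].isdigit():
            return key
    return None


def find_unsupported(sbom_json, today, eol=END_OF_SUPPORT):
    """Return findings for unsupported or unassessable components in an SBOM.

    `today` may be a date or an ISO-8601 string. Components that are not in
    the EOL table, or whose support has not yet ended, produce no finding."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    sbom = json.loads(sbom_json)
    device = sbom.get("metadata", {}).get("component", {}).get("name", "unknown-device")
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version")
        if version is None:
            # An SBOM entry without a version cannot be checked; report it
            # rather than silently treating it as fine.
            findings.append({"device": device, "component": name, "version": None,
                             "status": "unknown",
                             "detail": "no version in SBOM; support cannot be assessed"})
            continue
        lines = eol.get(name)
        if not lines:
            continue
        line = _version_line(version, lines)
        if line is None:
            continue
        end = lines[line]
        if end <= today:
            findings.append({"device": device, "component": name, "version": version,
                             "status": "unsupported",
                             "detail": f"support ended {end.isoformat()}, "
                                       f"{(today - end).days} days ago"})
    return findings


if __name__ == "__main__":
    for f in find_unsupported(SAMPLE_SBOM, "2024-01-01"):
        print(f"{f['device']}: {f['component']} {f['version']} -> {f['status']} ({f['detail']})")
```

Run against a fleet of SBOMs, the "unknown" findings are as important as the "unsupported" ones: a device whose SBOM omits versions gives no basis for a support decision, which is itself a gap to raise with the vendor.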
Vugar Zeynalov, CISO of the Cleveland Clinic, emphasizes that while continuous monitoring solutions have improved, there's still room for growth. Zeynalov notes that increased visibility has been instrumental in managing critical equipment such as ventilators, providing real-time insights into their location and frequency of use.
Common strategies for securing critical connected healthcare environments, while still meeting the business needs that depend on them, centre on a combination of robust cybersecurity practices, compliance with regulations, and operational preparedness.
Robust access controls, mobile device management, patch management, data backup and recovery, continuous monitoring, training and cyber hygiene, and federally supported coordination are all key strategies that address technical, organizational, and human factors.
For instance, robust access controls can prevent unauthorized internal and external access to sensitive patient data by implementing multifactor authentication, avoiding shared accounts, enforcing unique user identification, and using role-based permissions.
Meanwhile, Mayo Clinic takes a different organizational approach: its risk, remediation, and vulnerability management team for medical devices sits within Healthcare Technology Management (HTM), the group that services the devices, rather than within the Office of Information Security. Placing vulnerability management alongside the people who maintain the equipment keeps device security decisions close to device operations.
In the face of increasing federal scrutiny due to security vulnerabilities, collaboration is key for effective enterprise risk management and cross-identifying key risks. ChristianaCare CISO Anahi Santiago and UNC Health CISO Dee Young both emphasize the importance of conducting thorough third-party risk assessments, with Santiago noting that the process is often disjointed in the healthcare sector.
Yet despite the concern surrounding insecure medical devices, only 51% of security professionals report having a plan for preventing and responding to an attack on them. This underscores the need for continued education and investment in cybersecurity measures.
As the healthcare sector continues to evolve, a zero-trust approach is finding increasing favour, with gaining visibility being an important first step. In the words of Zeynalov, "we are rethinking our approach to third-party risk, specifically by thinking like the other aspects of cyber: moving past prevention and into resilience and response."
In summary, the speakers converged on three points. Connected medical devices, many of them running unsupported operating systems, are a significant risk to patient data and system integrity, and knowing what runs on each device is the first step in managing that risk. Robust access controls, including multifactor authentication, unique user identification and role-based permissions, are the core technical measure for protecting access to patient data. And collaboration across institutions, of the kind ChristianaCare and UNC Health described, is essential for effective enterprise risk management, above all in conducting thorough third-party risk assessments.