Healthcare IT Security: 3 Best Practices for Protecting the Expanding Attack Surface

Kaitlyn Graham | October 12, 2021 | tag: Health IT Security

Hospitals, doctors’ networks, insurance companies, and other healthcare organizations are guardians of valuable protected health information (PHI). As such, they are particularly vulnerable to cyber attacks – and these threats are escalating. In 2020, healthcare IT security breaches increased by 55% year-over-year, with over 26 million individuals impacted.

Security specialists have been sounding the alarm about cybersecurity performance issues in the healthcare sector for some time. In fact, BitSight research shows that healthcare organizations have much to do to improve their security postures. For instance, 61% of these companies are at heightened risk of ransomware attack due to poor security hygiene and vulnerabilities.

Fortunately, there are some basic measures that healthcare organizations can practice to reduce cybersecurity risk, protect PHI, and ensure the continuity of patient care.

1. Understand the attack surface


The first step to better healthcare IT security is understanding the extent of the organization’s digital footprint and what needs protecting. This includes servers in the data center, medical devices in the ICU, assets and applications in the cloud, and more.

But this isn’t easy. Healthcare organizations have large and complex network infrastructures. Traditional IT inventory audits can help, but they tend to be a one-and-done exercise: they don’t always account for new devices as they come online, or for the “hidden” nature of cloud-based services.

A better way to understand and manage cyber risk is to conduct an attack surface scan. Performed in real time as needed, attack surface monitoring lets security and risk teams quickly discover and visualize digital assets on-premises, in the cloud, and across geographies, subsidiaries, and a remote workforce. The scan also assesses each device for cyber risk exposure, so healthcare IT security pros can make informed, comparative decisions about where to prioritize cybersecurity efforts.

For instance, if a healthcare system has 100,000 devices across 15 locations, the scan will display all devices and identify, by location, those with security vulnerabilities or malware infections. It will also visualize which assets have the highest risk exposure. With these insights, teams can pinpoint the location of potential security issues and focus resources on those devices that are essential to the continuity of operations or contain a vast amount of sensitive data.
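The prioritization described above, as an added illustration (not BitSight’s code or scoring model): a constructed inventory is summarized per location and ranked by an exposure score that weights malware presence, criticality to patient care, and the volume of PHI held. The asset fields and score weights are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    location: str
    vulnerable: bool        # at least one unremediated vulnerability
    malware: bool           # malware observed on the device
    critical_to_care: bool  # essential to continuity of operations
    phi_records: int        # approximate number of PHI records held


# Constructed sample inventory: a few devices across three sites.
INVENTORY = [
    Asset("mri-01", "Boston", True, False, True, 0),
    Asset("ehr-db-01", "Boston", True, False, True, 250_000),
    Asset("kiosk-07", "Boston", False, True, False, 0),
    Asset("infusion-12", "Denver", True, False, True, 0),
    Asset("hr-laptop-3", "Denver", False, False, False, 400),
    Asset("pacs-01", "Austin", True, True, False, 90_000),
    Asset("printer-2", "Austin", False, False, False, 0),
]


def exposure_score(a: Asset) -> int:
    """Higher score = remediate first. Weights are an assumption."""
    if not (a.vulnerable or a.malware):
        return 0                      # clean devices carry no exposure
    score = 10 if a.malware else 5    # active infection outranks a CVE
    if a.critical_to_care:
        score += 20                   # continuity of patient care
    score += min(a.phi_records // 10_000, 30)  # one point per 10k records
    return score


def findings_by_location(inventory):
    """Count total, vulnerable and malware-infected devices per site."""
    counts = defaultdict(Counter)
    for a in inventory:
        counts[a.location]["total"] += 1
        counts[a.location]["vulnerable"] += int(a.vulnerable)
        counts[a.location]["malware"] += int(a.malware)
    return {loc: dict(c) for loc, c in counts.items()}


def remediation_queue(inventory, top=3):
    """Asset ids with exposure, highest score first (ties broken by id)."""
    scored = [(exposure_score(a), a.asset_id) for a in inventory]
    scored = [s for s in scored if s[0] > 0]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [aid for _, aid in scored[:top]]
```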

2. Continuously monitor for cyber risk


New attack methods and emerging vulnerabilities in healthcare IT infrastructures call for constant vigilance and fast discovery and remediation.

To get one step ahead of threat actors, healthcare organizations must monitor their systems and networks for security gaps and suspicious behavior. This is typically done through intermittent security audits. But these can be costly and time-consuming, capture only a point-in-time view of the environment’s security, and are hard to scale cost-effectively.

For this reason, many organizations are turning to continuous monitoring solutions like BitSight for Security Performance Management. With BitSight, teams are immediately alerted to vulnerabilities and potential anomalies across the entire IT infrastructure including open ports, misconfigured systems (a known ingress point for ransomware), the presence of malware, exposed credentials, and user behavior.

Continuous monitoring is particularly important as the digital ecosystem grows. When new applications, systems, and networks are added, keeping track of hidden risk becomes increasingly tricky. But with BitSight’s ecosystem-wide views of digital assets and continuous monitoring, healthcare organizations can visualize areas of risk – including critical or excessive risk – better prioritize remediation, and bring continuous improvements to cyber health.

3. Reduce risk in third-party supply chains


Third parties are worrisome sources of risk – especially given this sector’s increased dependency on cloud service providers and outsourced vendors. Case in point: the 2019 Quest Diagnostics breach, which exposed the private data of 11.9 million patients.

The prevalence of Internet-of-Things (IoT) devices is also a factor. A recent study by the Ponemon Institute found that six in ten organizations don’t monitor third-party-developed devices for cyber risk. That’s problematic, since vendors may have varying standards of cybersecurity.

Regulators are also starting to pay more attention to third- and fourth-party cybersecurity. HITRUST certification, for example, is being used as a security measuring stick for managing supply chain risks in the healthcare sector.

These developments underscore the importance of developing a robust third-party risk management program and gaining visibility into the security posture of each vendor in the supply chain – including cloud providers. For instance, using BitSight for Third-Party Risk Management, IT teams can continuously and automatically assess a vendor’s security posture without the need for lengthy or costly audits.

With this insight, healthcare companies can streamline onboarding and keep a pulse on vendor security performance for the duration of the contract. Alerts are generated when security issues are detected, and these insights can even be shared with the vendor so there is absolute transparency in the process and both sides can work quickly to resolution.

And, because supply chain risk doesn’t begin and end with third parties, BitSight also continuously monitors for fourth-party cyber risk for full visibility across the entire healthcare vendor ecosystem.

Ensuring continuity of healthcare


As stewards of life-impacting digital assets and vast amounts of patient data, healthcare security and business leaders must rethink their security performance management programs and continuously assess risk across their extended attack surfaces – before they’re exploited. This will ensure that remediation can be prioritized and patient care ensured during this critical time.
