5 ways to boost healthcare IT security

Why is the healthcare industry particularly attractive to attackers?

Lucrative data

Health care data breaches are especially devastating due to the enormous amount of private information that hackers can access.

Most health care systems contain all of the information a malicious actor would need to commit identity theft or demand ransom: full names, addresses, phone numbers, birthdates; even payment information. Legacy systems may even contain social security numbers; tracking patients by social security numbers was a common practice for decades.

What are the costs of a healthcare data breach?

According to a report from IBM, the average cost of a healthcare data breach climbed to $4.24M per incident in 2021: the highest of any industry.

Not to mention the costs to reputation and to patient confidence.

How do hackers get in?

Easy access

The complex world of healthcare allows for easier access to those systems not kept carefully secure: patients transfer from one system to another and their data follows them. Some legacy devices, still vital in treating many conditions, don’t have the security patches that newer devices have. And most weren’t originally built with modern security risk mitigation in mind.

The sheer number and variety of devices involved in the healthcare system makes securing data far more complex than many other industries, as well. And creates more access points.

The pandemic also created more attack vectors as many health care providers had to move to working remotely to keep COVID-19 infections as low as possible. Scrambling to add new software, security systems and workflows often led to institutions missing key vulnerability areas.

Citing a recent study, Health IT Security News reports that unpatched vulnerabilities remain one of the most dangerous access points for bad actors.

“Researchers discovered 65 new vulnerabilities connected to ransomware in 2021, which signified a 29 percent growth compared to 2020,” writes Jill McKeon of Health IT Security News.

Jumping on zero-day vulnerabilities, attackers of all kinds often combine multiple vulnerabilities to get at the most data.

What can the healthcare industry do to improve its security posture?

There are numerous ways that healthcare organizations can significantly improve their cybersecurity.

#1: Day-zero readiness

Ensuring that devices are secure from the day new systems release is vital in the healthcare industry. Vendors that manage healthcare devices, security and systems must be able to offer day-zero support the day the software releases. Ensure you have hired a company that has a relationship with your most-used hardware and software vendors so that they will be ready immediately to patch and support all updates.

#2: Secure systems for remote workers and mobile devices

Mobile devices such as multiple-use iPads and iPhones have helped healthcare organizations to cut costs, improve patient support, and increase the effectiveness of clinical communications.

With those advantages come all the risks that mobile devices can present: remote access to personal health information, a possible lack of properly secured connections and devices, as well as the potential for compliance violations with multiple types of mobile devices in multiple locations.

Ensuring that you have a mobile device management system with absolutely solid encryption, Zero Trust Network Access (ZTNA) and enforceable security protocols is a must. Any company your organization works with should have the ability to offer not only fully-encrypted access based on well-known identity providers rather than merely device or network, but it should also offer ways to enforce security requirements, a way to lock and wipe devices that are lost or stolen and a way to track what devices are where.

#3: Automation to remove human error

When you are running a complex organization with multiple patients, healthcare providers, vendors, devices and more, you want to remove the risk of human error as much as possible. If you have a shareable iPad or iPhone program, for instance, allowing for multiple care providers to share devices and multiple patients to use devices while in the hospital, an automated system that works with internal codes to wipe and reset devices as well as control access to data is not only an improvement in the user experience, but also helps to secure any gaps that individuals might introduce by forgetting to sign out or in on devices.

#4: High visibility into systems and devices

The single most important factor in securing your devices, systems and connections is security observability. You need to know exactly where your devices are, who is using them and who is accessing what data. You’ll need a solid and automated inventory system, a strong and constantly updated security system and a way to receive, sort and report on any incidents or odd behaviors both granularly per device and globally per system.

And you’ll need to ensure that whatever vendor you choose works seamlessly with each area of your network.

An Apple Enterprise Management system that can cover all of your bases and partner with other systems is your best bet.

#5: Properly secured connections/devices

When it comes to security, a healthcare system cannot depend on a list of known malware and basic antivirus. You’ll need a system that uses --in addition to patches and a robust list of known actors-- behavioral analytics. These security products not only patrol your system for known malware but they also understand what is unusual behavior for a system, device or user to exhibit — and the system reports on these incidents and mitigates for them immediately.

Use a device management solution that can enforce endpoint encryption on all your devices to verify that you meet HIPAA compliance. A system that validates that all patient health information that is at rest on the hard drive is encrypted is crucial. Not only do you need a product that enforces endpoints-- you’ll also need to ensure it can escrow recovery keys centrally for InfoSec to have access to in case of an emergency or legal use. This solution should have reporting capabilities to provide a full inventory of encryption status that is required for auditors.

If you have questions about how Jamf can help your healthcare organization strengthen your security posture and lower your risks, please email us at info@jamf.com or give us a call.