While the COVID-19 pandemic has done much to foster innovation and accelerate ongoing trends in healthcare, it has also made it more important than ever before for IT administrators to maintain a strong security stance. Developments such as increased adoption of telehealth models, tablets in hospitals for patient use and “bring your own device” (BYOD) policies for physicians all contribute to the proliferation of network-connected devices transmitting personally identifiable information (PII) about patients and providers alike. This means more targets for malware and other cyber threats, leading to a situation in which security breaches in healthcare are inevitable.
On the positive side, IT and information security professionals have a rapidly expanding set of tools available to them to counter such threats; it’s just a matter of understanding best practices and taking a proactive approach to implementing them. But it can be daunting to try to understand the threat environment and choose your first steps. How can you get started on improving healthcare security?
Understanding the hardware, software and compliance aspects of healthcare security
The “Healthcare Security for Beginners” e-book provides an accessible introduction to the subject, explaining basics of cybersecurity with a focus on their ramifications for hospitals, doctors’ offices and other healthcare providers. It covers the essentials of how to safeguard healthcare operations and protect the private information of patients and caregivers.
When discussing healthcare security, it helps to conceptualize tools, best practices and threats in terms of three key categories: hardware, software and compliance. In a healthcare setting, IT admins need to be vigilant against hardware threats, which target devices, and software threats, which target or work within the operating system.
Stakeholders within the compliance category are mostly concerned with auditing, achieving and maintaining compliance with regulations that govern healthcare practices, like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
An expansive view of compliance covers more than just regulations that must be followed. It also involves actively following standards and using existing security frameworks to keep up with industry best practices.
Maintaining a “defense in depth” strategy against cyber threats in healthcare
The e-book goes on to list the main actions that IT and security admins in healthcare organizations can take to protect devices against cyber threats that would hinder their ability to provide the expected level of care to patients:
- Hardening device settings
- Managing devices
- Implementing endpoint protection
- Maintaining devices with up-to-date patches
- Monitoring devices in real time
- Triaging detected issues
- Remediating risks
- Maintaining device compliance
Next we see a list of potential threats with an emphasis on how they impact healthcare organizations:
- Malware-based attacks like ransomware and denial-of-service (DoS)
- Can cripple systems and prevent organizations from providing life-saving aid
- Devices not up to date with patches or updates
- Leave organizations vulnerable to security breaches and theft of PII and records
- Missing functionality or apps not updated on devices
- Waste time for IT and caregivers, preventing the latter from performing their job functions
- Data leaks leading to regulatory oversight
- May lead to civil and/or criminal penalties, reputation loss and even closure of businesses
Attackers use a combination of different techniques in order to circumvent the security measures that healthcare organizations put in place. Likewise, IT and security professionals ought to take advantage of multiple approaches to implement a “defense in depth” strategy. The e-book provides a list of these approaches, including the solutions from Jamf and Apple that can be used to enable them:
- Endpoint security (Jamf Protect)
- Mobile device management (MDM) (Jamf Pro or Jamf Now)
- App lifecycle management and patch support
- Hardening devices
- Secure access and communication
- Identity provisioning (Jamf Connect)
- Deploying hardware (Apple Business Manager)
- Compliance reporting
In conclusion, security breaches happen to healthcare organizations all the time, and it’s important to understand that it’s only a matter of time before you encounter a cyber threat –it’s not a matter of “if” but of “when.” Having said that, there is quite a bit that your admins can do to enhance your organization’s security posture and combat threats in a proactive manner. Doing so is a duty you owe to your patients and caregivers alike.
Read the whole e-book for a better understanding of promoting security in healthcare.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.