The intense pressures currently pushing on health centers don't stop at the lines of patients waiting to be treated or vaccinated. First, there's the obvious spike in attacks that have come with COVID — take, for example, the 50% increase in the number healthcare-related security breaches witnessed by the Department of Health and Human Services in the first half of 2020 alone. Complicating the problem is the common use of legacy technology with little to no strong authentication. And on top of that, these organizations are typically resource-strapped with budgets often allocated toward medical supplies and treatments rather than security.
So, how can health centers finally close the security gap while maintaining the flexibility, convenience, security, and speed that are necessary in these environments? It boils down to four dimensions:
1. Harden your foundation. Think about it this way: The most stunning castle is nothing if it's built on sand. In this analogy, the health center is the castle, and outdated systems are the sand. In order to swap that sand for a sturdy slab of cement, organizations must harden their foundations by establishing trust zones to ensure the right users have access to the right information — and nothing more. On top of that, sensitive data at rest should be encrypted to further prevent unauthorized access. You never know if a bad actor will make it through that wall of cement, so you must prepare for everything.
2. Compartmentalize your environment. Think the sand/cement analogy helped you prepare enough? Think again. Similar to different fire compartments in building, you want to isolate different zones in your environment. Without such isolation, if threat actors gain access to your systems, they can spread like a disease, moving laterally to spread malware across critical systems, steal confidential patient information, and more.
3. Filter your flow. While strong walls are important, you also need to secure what's coming in and out of the door. Health centers must filter the applications that they bring onto their devices to ensure the integrity of the data that's coming in. Without closely examining this information, these organizations face the risk of supply chain attacks, and let's be honest, no one has time for another SolarWinds.
4. Authenticate, authenticate, authenticate. On top of all of these precautions, health centers also must place a greater emphasis on strong authentication when resources are accessed. Next-generation authentication makes sure only legitimate entities get access to the information they're authorized to interact with — protecting against the attacks that scale easily, such as phishing and credential stuffing. In addition, by adopting standards-based authentication, these protocols will pair the security necessary to protect networks with the convenience necessary to allow practical use and to work quickly in potentially life-threatening situations. This approach of authenticating access to resources independent of the source of this request is often referred to as zero trust.
Seems fairly simple and reasonable enough, right? Unfortunately, there's one piece we still haven't addressed. For health centers, arguably the most challenging aspect of closing the security gap is getting the budgets necessary to do so.
In order to make a compelling argument, you must understand and convey the following to your organizations' decision makers: Historically, health organizations have evaluated security in a certain way. Compared with the countless medical risks, a major security breach used to be seen as one in a million — all things considered, a calculated risk worth taking. But now we have new data, and. a breach isn't as low of a risk as we previously thought. Breaches are more sophisticated and more frequent. A breach no longer means just stealing a username/password; attacks are complex and scalable, layering multiple approaches like phishing, malware, and more. We need to reassess risk from one in a million to one in a thousand and respond accordingly.
Only by shifting the perception of cyberattacks from a potential risk to a real threat will health centers be able to take the first step toward a safer, healthier security posture.