Best practices for healthcare delivery organizations to safeguard sensitive data

A goldmine of vulnerable patient data and intellectual property 

Every industry has its own unique concerns, threats and challenges related to cybersecurity. Healthcare organizations, which deal with patient data and other highly sensitive information, are unfortunately particularly attractive targets to bad actors. 

It's important to note that the healthcare industry encompasses a broad group of organizations, including healthcare delivery organizations, insurers and life sciences companies. While each of these segments manages massive amounts of data, the most prominent threats and most effective countermeasures will vary depending on the type of data stored. 

For this article, we are focusing specifically on healthcare delivery organizations (i.e., hospitals, health systems and medical groups) that handle extremely high volumes of patient data, including personal health information (PHI), driver's licenses, insurance cards, social security numbers and more, which are highly valuable targets for any hacker looking for financial gain. Once hackers get ahold of this data, patients are vulnerable to financial damages including identity theft, fraudulent credit card charges and accounts, and loans. 

One of the less intuitive — and most harmful — forms of data theft can happen in pediatric healthcare delivery organizations. Hackers can steal the data of minors for financial exploitation, which may not be discovered for years until those individuals reach adulthood and go through the credit check process. 

Healthcare industry data is also vulnerable to secondary and tertiary extortion. For example, a hospital may be attacked with ransomware and compelled to pay a fee to regain access to critical IT data and services. Months later, the same attackers could demand another ransom with the threat of releasing the data on the dark web. They could also contact individuals whose data was stolen to further exploit them for financial gain. 

Connected medical devices 

Smart devices are becoming ubiquitous in healthcare settings, including implants (pacemakers, defibrillators, etc.), insulin and infusion pumps, telemedicine tools and surgical robots that connect to enterprise networks.

Each of these connected devices introduces risk and vulnerabilities to the organization, including:

• Sensitive patient data is not always properly encrypted 
• Lack of strong security mechanisms such as authentication and authorization 
• Lack of adequate security updates and patching, especially among older legacy devices 
• Various software and hardware components that are vulnerable to 3rd party supply chain risks 
• Patient safety risks if IoT device is breached 

Zero trust security to protect your sensitive data

There are many tools you could invest in to protect your data from bad actors. However, if you want to comprehensively build protection into your security model — and you absolutely should! — zero trust security is the best approach. 

Here are some of the ways zero trust can protect your sensitive information from malicious actors. 

Visibility 

With hundreds of IoT devices in healthcare delivery settings, visibility is an essential foundation of any cybersecurity program. CISOs must first identify key IoT assets and existing network architecture and answer the following questions: 

• What is on my network?
• What is each application and device doing?
• Is that application or device doing what it should be doing?

A comprehensive inventory will help you understand the function, data flow, protocol, firmware and software of each device. 

Network segmentation 

Healthcare enterprise networks are incredibly complex with a mix of IoT devices, electronic health record (EHR) systems, imaging technology, information systems (IS) for various administrative functions, laboratory processes, pharmacies and more, to name just a few. The lack of robust security mechanisms means IoT devices can act as access points for bad actors, who can then move broadly throughout the network. 

Network segmentation ensures hackers won't have this broad, lateral access once the system is breached. This is a critical aspect of cybersecurity in healthcare settings that many healthcare organizations haven't fully tackled. 

A network segmentation strategy groups critical applications and assets within their own security perimeters. Key segmentation prerequisites include asset inventories, data classification, policies and regulations, application dependency mapping, network mapping, existing technology, zone architecture, and shared infrastructure. Each area will be a major component of your greater segmentation plan; discovering and filling gaps will form your roadmap for network segmentation.

Identity and access management (IAM) 

Healthcare organizations often employ thousands of people across dozens of departments. From physicians and nurses to researchers and technicians, administrators, human resources, IT and more, different segments of your employee base need different levels of access to effectively do their jobs. 

Additionally, healthcare delivery organizations rely heavily on contract labor (e.g., travel nurses) to supplement a shortage of providers. These are critical resources, but there must be a plan to quickly turn on and off access to only the data they need.  

This all underscores the need to have a firm grip on identity and access management. Protocols need to be in place to quickly manage credentials for these employees to grant access to only the assets they need and remove access quickly when the employee is no longer working for the organization. 

The importance of rigor in cybersecurity 

The healthcare industry as a whole is constantly evolving, with a focus on developing new treatments and devices, researching novel pharmaceuticals, and coordinating care. The amount of data stored and transmitted will only increase, and bad actors will continue to innovate and capitalize on this continual flood of new information. 

In this environment, it's essential to continue developing and refining programs that can quickly evolve and adapt to the latest threats. 

Continue learning

With finite resources, it's imperative for CISOs to carefully prioritize budget dollars and staff time. WWT's team of security experts identified the outcomes that security leaders across all industries should prioritize to be confident their cybersecurity programs are providing thorough protection.