Secure healthcare demands a holistic approach

Feb. 27, 2018
Barbara W. Casey
Global Healthcare & Life Sciences Director, Cisco

Clinical care continues to expand outside the walls of the hospital. By some estimates, up to 50% of a hospital system’s revenue now comes from outpatient services and other types of care beyond the brick-and-mortar.

At the same time, apps, portals, and mobile workflows are exploding in popularity, thanks to their ease of use, portability, and data collection utility.

Soon, the traditional hospital will be reserved exclusively for the sickest patients requiring the most critical care.

Healthcare is undergoing a dramatic change—bringing us better access to care, improved quality, and maximum efficiency. But this innovative future also comes with a dark side: Cyber risk.

Distributed care means more security risks

As care becomes more distributed, the attack surface expands along with it. Today, there are threats lurking in your employee email accounts, inside every piece of equipment that’s connected to your network, in the cloud, in your supply chain, and even in the devices used by patients at home.

And then there’s this: Experts warn that the shadow economy of hackers and other opportunists is gaining strength—becoming agile, modern, and smarter than ever before.

Cisco’s 2017 Midyear Cybersecurity report defined a new breed of threats that could make ransomware attacks like WannaCry (the one that took down the UK’s National Health Service in May 2017) appear positively quaint in comparison.1 Researchers caution that the next wave of cyberattacks could completely incapacitate targets, eliminating “safety nets” that would otherwise allow victims to restore systems and data. This tactic even has a name: DeOS (“destruction of service”).

The complexity of securing connected devices

Another critical issue poised to overwhelm healthcare security professionals is the proliferation of connected devices and the perfect storm of risks they create.

To begin, there is no industry-standard operating system for products such as insulin pumps, CT scanners, pacemakers, and the like. Many devices use “off-the-shelf” software that’s vulnerable to viruses and worms, and a small percentage of older devices run on operating systems that no longer receive security updates. Because of their life-critical nature, devices require security exceptions, making them especially vulnerable. Finally, with ample bandwidth today, most devices run on a facility’s main network—meaning that any attacker who breaches a device could potentially move laterally across the entire network.

Building a holistic security approach

Fighting today’s unseen adversaries will require more than an annual assessment, a few bolted-on security solutions, or a single IT leader. This is a long game that calls for big thinking. Modern security must encompass every point of care—the hospital, the outpatient clinic, the home, or anywhere else. Your organization needs an enterprise-wide, all-inclusive game plan.

A good place to start is with your infrastructure. With your current network, are you able to segment and isolate traffic for devices? What about your end users? Could you pinpoint exactly where, when, and how your network was accessed—and by whom? Do you have comprehensive ransomware protection? Having specific answers to these questions will be key to a strong, ongoing defense against attacks.

Whatever stage your organization’s cybersecurity is in at this moment, it’s never too late to start drawing a roadmap. Decide, step by step, what you can do today, a year from now, five years from now, and beyond. Begin building resources and staff—or at least make the pitch for them. It’s an easy argument to make: Stronger security now means unimpeded patient care in the future, no matter where or how it’s delivered.

Organizations that plan ahead and take a holistic approach to cybersecurity today will be the best-equipped to survive the next round of cyber exploits—and the round after that.