Healthcare cybersecurity: Our hospital’s path to better cyber resilience
Cyberattacks in the healthcare industry undermine our ability to deliver quality care and can endanger the safety, and even the lives, of our patients. Unfortunately, hackers see our industry as a prime target, particularly for ransomware and data privacy attacks. None of us want to hear the news that a hospital has been breached, nor be the person in that hospital who has to deal with the aftermath. Every time I hear about a breach, I get a deep feeling of unease.
Cyberattacks are inevitable, but successful attacks don’t have to be. As leaders in healthcare and cybersecurity, we must be extra vigilant in understanding our vulnerabilities and providing our organizations with the best defense possible, even as we face ongoing budget constraints and a challenging cybersecurity talent shortage.
As I look at 2023 and beyond, I see three areas that are top of mind for myself and many of my colleagues in healthcare. Each of these priorities presents both challenges and opportunities:
- The growth of IoMT devices and the increase in vulnerabilities they pose.
- A more challenging regulatory environment, not just in terms of the technology, but also in our ability to manage the administrative side.
- The opportunity to leverage automation, artificial intelligence, and cybersecurity consolidation to improve protection and mitigate the effects of budget and personnel issues.
Here are the priorities I believe are mission-critical for leaders in healthcare cybersecurity:
1. Securing IoMT
IoMT devices represent a huge opportunity for practitioners to improve the quality of care and for patients to reap the benefits of important advances in treatment. But the dramatic growth of these devices puts a strain on cybersecurity departments. Why?
A Larger Attack Surface
IoMT increases the attack surface significantly. In my hospital, we now have about 2,000 IoMT devices and that number is bound to keep growing as we modernize more equipment.
A Lack of Control
As cybersecurity teams, we don’t have the kind of control over IoMT devices that we have with other devices across our organizations, even IoT. Manufacturers don’t have consistent update policies and IoMT devices tend to have a lot of vulnerabilities. While new regulations in Europe and elsewhere govern their use, manufacturers are lagging behind with security.
A Lack of Visibility
You can’t protect what you can’t see. For many healthcare organizations, getting visibility into the full range of IoMT devices must be a top priority for 2023 and beyond. In our organization, we tend to isolate IoMT devices from the rest of the network. This doesn’t guarantee they are not vulnerable, but it enables us to have greater visibility into them. We can see where we have vulnerabilities and how adversaries are trying to exploit them. We only allow IoMT devices onto our network when they pass through our firewall.
Cybersecurity consolidation has been another initiative that has helped us mitigate IoMT risks. With consolidation, we have greater visibility and control through a single console. While IoMT manufacturers have been slow to offer proper protections, adjustments at our end have stopped threats before they could seriously affect operations.
2. Managing regulatory compliance
In Belgium, we were operating under NIS1 for several years, whereby hospitals were not placed in the category of critical infrastructure. Fortunately, this is changing as we move to NIS2.
In our organization, we are preparing for the coming changes by going for an ISO 27001 certification. We’ve built our cybersecurity framework according to NIST and CIS guidelines, which serve us well in meeting regulatory compliance requirements.
One of the challenges facing smaller hospitals such as ours is finding the manpower to deal with a changing regulatory environment, particularly when it comes to administrative requirements. We chose to invest in technical solutions, such as the decision to embrace cybersecurity consolidation three years ago.
On the technical side, we have good visibility into our networks. We have XDR security, segmenting, and all of our logs on one platform. This all helps the regulatory environment. But dealing with the administrative side is a manpower challenge for us, as it is for many healthcare institutions, mainly, as we all deal with a shortage of qualified personnel.
3. Leveraging automation, AI, and cybersecurity consolidation
The ongoing personnel shortage is one of the reasons why I see automation, AI, and cybersecurity consolidation as top priorities for the healthcare industry. The more we can do with machines, the more we can ease the burden on ourselves and our staff. The same with using consolidation to eliminate tools and centralize management consoles.
But automation, AI, and cybersecurity are not merely a short-term fix to a current personnel challenge—they are the future of cybersecurity. Humans can’t possibly compete with machines when it comes to tasks like sorting through logs or recognizing patterns. A human might be the final step for an action a SOC might take, but humans must rely on machines to help them do their jobs.
Looking ahead
Beyond these priorities, there are other steps we can take as cybersecurity leaders to advance our industry and support the delivery of secure, high-quality, modern healthcare.
We all benefit from more knowledge sharing. In cybersecurity, and particularly in healthcare, we are not competitors. We all have the same goals. The more we can collaborate, the better off we are as an industry and as a community.
I also think we must recognize our limitations, but also our strengths. Healthcare may not be the highest-paying field when it comes to cybersecurity, but people who come into our field have a huge opportunity to contribute to society. We must find people who are passionate about working in healthcare and, as leaders, we must express our own passion about working in healthcare. For me, I love the significant challenges as well as the opportunity to contribute to the greater good.
One more takeaway: it may seem obvious, but if you’re a cybersecurity leader in healthcare, create a plan. Don’t just buy tools because they offer a quick fix. Make a roadmap and know where you’re going. And if the roadmap happens to embrace strategies for IoMT, compliance, automation, AI, and consolidation, you’re already on the right path.
To learn more, visit us here.
Wendy Roodhooft is Security Officer at AZ Vesalius, a leading hospital in Belgium.