10/21/2021

The growing risk of cybersecurity incidents is well-documented. Hardly a week goes by without a major headline on the topic, and this year, it’s ransomware that has dominated the news; in particular, there were breaches at the Colonial Pipeline, meat supplier JBS, and the software company Kaseya that drew large-scale attention to the problem. It’s safe to say there are many (daily) security incidents that do not attract widespread media attention.

The healthcare industry is certainly not immune from these risks, and to make matters worse, there are some unique concerns the industry has to worry about. First and foremost is a concern about patient safety and security. Healthcare providers are increasingly reliant on highly sophisticated, connected systems to care for patients. A disruption to those systems poses a very serious risk to the standard of care that patients can receive. Healthcare providers have data privacy concerns to deal with as well: HIPAA is the obvious one, but for any organization that accepts card payments, PCI presents additional data security requirements.

A few years ago, one of our healthcare clients had a major cybersecurity incident that caught their leadership’s attention. In response, they invested millions of dollars in innovative new security technology. For healthcare organizations eager to protect their patients and data against cybersecurity threats, there are many vendors offering a wide array of different technologies. Our clients have had success implementing some of those tools, but cybersecurity isn’t only a problem to be solved by technology – it’s a problem to be solved by people. Although the human element to cybersecurity doesn’t always attract as much buzz or investment, employees make very important contributions to an organization’s cybersecurity.

Healthcare providers are increasingly reliant on highly sophisticated, connected systems to care for patients. A disruption to those systems poses a very serious risk to the standard of care that patients can receive.

The Human Factor Behind Patient Safety and Security

Most breaches can be traced back to employee behavior. Effective cybersecurity requires regular, recurrent employee education and training. For healthcare systems large and small, every single employee presents a vulnerability, and it only takes one errant click to introduce a security compromise into the system.

Simulated Phishing Attacks

Employees should know how to spot a suspicious e-mail, what actions to take, and what actions not to take. Realistically, education and training is not enough to ensure adequate cybersecurity protections. Smart organizations also enforce their employee’s behavior: one common tactic is simulated phishing campaigns. Sendero has worked with multiple clients who employ this approach – they use software that allows them to circulate fake phishing attempts to their employees via e-mail. Employees are given the option to follow links, open attachments, and enter personal data (e.g., login credentials) into fake landing pages. By tracking which employees are fooled by these e-mails, the organization can require enhanced, targeted training requirements for those individuals to reduce their risk profile over time.

Password Policies

Password policies require similar vigilance. Organizations should make sure their password policies adhere to industry best practices, and that they are documented and clearly communicated to all employees. As with the approach to suspicious e-mails, however, knowledge is only half the battle. It’s also important to ensure employees are following these policies. Sendero recently completed a project with one of its healthcare clients to deploy a Privileged Access Management solution to its server admins and other critical IT admins. This solution included a password vault to protect sensitive credentials and enforce adherence to password policies.

Patching Programs

There are some security responsibilities that are unique to IT staff. In particular, it’s important for them to stay up-to-date with patching. When done manually, patching is vulnerable to delays and other human “errors.” However, automated patching can help the organization stick to a regular patching schedule to address security vulnerabilities. That’s especially critical for older systems. Routine patching will help remediate many threats that are “low-hanging fruit”, but some healthcare providers rely heavily on their vendors to patch and maintain equipment, including biomedical devices that are so central to patient care. For the major security incident mentioned above, our client ran into a roadblock when they realized they needed to be more aggressive with their patching protocols, but depended heavily on vendors to maintain those vulnerable devices. They resorted to a large investment in firewalls (and a segmentation strategy) to separate those vulnerable devices from the rest of the network.

Patient Safety and Security Foundations of Network Security

Balancing People with Technology (and Vice Versa)

A focus on the habits and behaviors of employees will only move the needle so much. Eventually, organizations have to depend on new technology to do the rest. In particular, we’ve seen clients make recent investments in next-generation firewalls, network segmentation, device profiling, network visibility, and analytics.

With each of the tools we help our clients deploy, the implementation challenges are not exclusively technical. As one of our CISO clients is fond of saying, “all problems are fundamentally people problems,” so we find it important to employ change management tactics that balance the human side of the equation with the technological solution. It’s critical to build the organization’s capabilities to operationalize and support these new tools as the technology is successfully scaled up.

Patient safety and security should be at the heart of every healthcare system, but when there is a cybersecurity incident, that vital mission is threatened. It is tempting to throw a lot of money at these risks and purchase “shiny” new tools, but large budgets and expensive technology are only part of the answer to this global threat. The right approach must balance selective investments in innovative solutions with a “back-to-the-basics” mindset that emphasizes employees’ daily security behaviors.

If you’re facing cybersecurity challenges and would like to hear more about our client work in this area, please connect with a Sendero consultant so we can help. To stay informed on industry trends and emerging solutions, sign up for our newsletter using the “Drop Us a Line” form a the bottom of this page.

By Sean Sims

EXPLORE OUR HEALTHCARE EXPERTISE LEARN MORE ABOUT OUR SERVICES

For healthcare systems large and small, every single employee presents a vulnerability, and it only takes one errant click to introduce a security compromise into the system.

More Journeys

PCI Compliance for Healthcare System

A large healthcare system was notified that it is now required to report compliance as one entity, rather than separate small business units. Through existing relationships, the client learned of Sendero's experience with PCI Compliance and requested assistance.

Access Tool Implementation for an EMR at a Healthcare System

After the merger of two large Texas-based healthcare systems, a need existed to change to one electronic medical record (EMR) system across the enterprise.

Building a Next-Generation PMO for Health Care Information Services

A large non-profit healthcare provider experienced significant growth through mergers and acquisitions, now providing services to more than five million patients. As a result, the organization faced a multitude of overlapping strategic and departmental initiatives.

Optimizing a Provider Directory for a Healthcare System

After a healthcare system went through a merger, they launched a project to consolidate Find a Doctor websites to improve the patient experience.

Analytics Roadmap for HealthMarkets Insurance

HealthMarkets, a technology-enabled health insurance marketplace, needed to implement standard processes around how to effectively manage data to gain clear insight in to the new business focus: driving home a customer-centric culture.

About the Author

Sean Sims

Sean is a Senior Manager in our Dallas office with industry experience in healthcare, financial services, and hospitality.

Related Practice Areas

IT Infrastructure
IT Infrastructure
Data & Analytics
Data & Analytics

Related Posts

Increasing Brand Loyalty in Healthcare: Looking Beyond Patient Loyalty

How can healthcare providers develop patient loyalty and remain consistently top of mind at all times? It is crucial to understand how to engage with patients along their reactive and proactive healthcare journeys.

Continue To Post
6 Strategies to Unlock Value for Your Healthcare System Through Optimal Data Governance Practices

If you can harness the power of your data and effectively utilize data governance, you will excel in comparison to your competitors, especially when it comes to customer experience, patient outcomes, quality, safety, and affordability.

Continue To Post
Data Governance in Provider Data Management: A Conversation with symplr Directory and Orlando Health

Keith Belton and Daniel Ruyter share their experience with Provider Data Management, as well as some of the data governance challenges that are important to consider during system implementation.

Continue To Post
Cybersecurity in Healthcare: Now is the Time to Reassess

With the almost immediate switch to remote work earlier this year, companies had to focus on enabling employees to work from home while also putting corresponding cybersecurity measures into place.

Continue To Post
The Importance of IT Infrastructure in the Healthcare Industry

It is vital to prioritize a healthcare system's Information Technology (IT) Infrastructure as it is the base foundation of all of your organization's technologies.

Continue To Post
3 Key Considerations for Optimizing Your Telehealth & Telemedicine Platforms

Sendero Manager Miles Collins walks us through that vital next step: optimizing your Telehealth and Telemedicine platforms.

Continue To Post

Drop Us A Line

  • If you’re facing a specific business challenge you’d like to discuss, connect with a consultant to let us know how we can help. To stay informed on industry trends and emerging solutions, sign up for our email updates.
  • This field is for validation purposes and should be left unchanged.
Close Button