Cybersecurity is a major issue for hospitals, medical centers, and physicians’ offices. But it often doesn’t get the attention it deserves. Healthcare organizations—60% of them nonprofits—rightly place patient care above all else when it comes to funding and personnel priorities. With limited budgets and teams stretched thin, IT needs to be creative to keep up with security as well as compliance.
What follows are five ways healthcare IT teams are protecting operations, data privacy, and patient health—along with solutions from two experts in the field.
Robust security starts with the right platform for threat detection, response, and containment, but it should never stop there. Since bad actors are always looking to exploit the weakest link, end users need to understand the critical role they play.
Amanda Berlin, Lead Incident Detection Engineer at Blumira and co-author of the Defensive Security Handbook, talks about her experience in a healthcare organization. “One of the more successful things we implemented was letting everyone know—from maintenance, to nurses, to doctors—the easy path to report something that looks weird or just not right.”
Security education needs to reach everyone in the organization, and it can be as casual as a lunch-and-learn with tips for what to look for and how to report concerns.
A proliferation of technology assets can present healthcare organizations with unique challenges. Due to the specialized nature of some medical devices, they’re often purchased outside the control of central procurement. Individuals also tend to bring their own devices in from the outside. So in the name of expedience, the IT environment can become littered with uncontrolled and unrecognized devices.
“It’s important from a security standpoint to be integrated with procurement so they know to engage you before buying equipment that’s going to sit on the network,” advises Doug Copley, CISO of AtlantaCare Health System. “You can also do things like configuring your network to not give a device an IP address until somebody in IT approves it.”
Healthcare organizations can also have high-value devices running on unsupported platforms. The vendor’s solution to upgrading security—replacing the equipment—may be cost-prohibitive. “Security practitioners have got to be very creative,” says Doug. “If we can’t fix the device itself, then we can use other controls like network segmentation.”
When it comes to compliance, Doug thinks it’s important that healthcare organizations understand one thing. “Compliance is not security. Nobody wants to be the most compliant bankrupt company out there.” HIPAA is just one of many regulations healthcare organizations must comply with. It takes time and effort to demonstrate compliance, so efficiency is critical to make sure it’s not costly and all-consuming.
Without automation and built-in reporting, compliance audits can become a full-time job. A security information and event management (SIEM) solution like Blumira streamlines compliance tasks by continually gathering and storing evidence so audit responses don’t take weeks to compile.
While healthcare systems have clinical professionals, nurses, and physicians on site or on call 24 hours a day, IT security usually has only 12-hour coverage. “People don’t realize how much it takes to run an in-house security operations center (SOC),” says Amanda. “A lot of times it’s spread over different roles; it’s a help desk, but also the SOC.” If someone is out replacing devices, helping a doctor access records, or running cable, they aren’t seeing new detections as they come in.
Criminals are smart. They know people don’t pay as much attention on the weekends. So even if they eventually get detected, attacking on a weekend might buy them more time to move around in the system. That’s why smaller companies and individual medical practices have turned to third-party service providers who have the personnel and expertise to provide affordable 24/7 security coverage.
Extended detection and response (XDR) solutions help organizations control risk while saving security teams significant amounts of time. The key is automation: immediately isolating an asset when a potential threat is detected. “When you talk about incident response, the first thing you want to do is contain,” says Doug. “EDR or XDR can contain a problem much more quickly than an individual can.” This means limiting the attacker’s system access and their dwell time.
For healthcare organizations with limited internal resources, there are a few things to think about when evaluating security platforms. Once deployed, a solution should require minimal ongoing maintenance and upkeep. Some systems inundate users with noise and false positives, requiring skilled team members to spend time on tuning and updates. A robust system will not only provide alerts, but also pre-built workflows and guided responses.
Blumira integrates SIEM and XDR into a single platform that checks all the boxes for internal healthcare IT teams or their managed service providers. It’s a solution that combines compliance, log analysis, security analytics, and automated response for better correlation across multiple data sources. Despite its broad functionality, most Blumira features can be used right out of the box. Blumira also has a flexible pricing model and provides the ability to collect and retain mass amounts of data without corresponding cost increases.