HIT Think

Three keys to a multi-layer security strategy

Register now

The cybersecurity landscape is more threatening than ever, and healthcare is an industry under attack. According to a report from Symantec, healthcare providers face the second highest rate of incidents, with ransomware propelling the number of attacks forward.

Healthcare providers represent a prime target because of the personal data they collect and their deep dependence on lifesaving technologies. Many also rely on legacy systems that have few security protections in place. Given all of this, healthcare providers should be re-examine security strategies, with the aim of making them impervious to attack.

However, committing completely to any single solution is like investing in an expensive door but leaving the window next to it unlocked. Today’s hackers are highly sophisticated and highly motivated, using obstacles as opportunities to create a new exploit or devise a novel form of attack.

There are many attack vectors that healthcare providers must be aware of, such as USB corruption, bad firewall configuration and website problems. But even with protections in place on each of these entry points, the most common attack point—the email inbox—remains vulnerable.

For example, as malware becomes increasingly sophisticated, organizations need to be able to filter out and quarantine messages pre-emptively. This process starts by filtering out all of the known threats, continues by filtering out the suspected threats and succeeds by learning from each threat and improving its ability to spot red flags. It’s important to note that this particular solution is only possible with multiple protection layers, because each layer builds off the last.

That example is exactly why a security strategy that isn’t multilayered is inherently inadequate. Even if only 1 percent of attacks manage to get through, that’s all it takes to initiate pervasive and lasting damage. Thus, a comprehensive cybersecurity approach—which means having a variety of solutions in place with each designed to protect against specific threats across the cyber landscape—is essential for all healthcare organizations.

The challenge for the healthcare industry in particular is putting protections in place without compromising quality care, communication, continuity or accessibility. The protections must also simultaneously insulate against current threats and adapt to future ones.

To build a successful, multilayered security strategy, organizations can focus on these three areas:

System-based protections. To safeguard some of the most valuable data available to hackers, healthcare organizations need strong cybersecurity policies. Often, though, the exact holes in a security plan are invisible to an organization until they’re exploited and attacked. Independent penetration testing can pre-emptively reveal where these holes exist and what the scope of their vulnerability is. Once these vulnerabilities are identified, organizations can then resolve them through systematic patching practices that close those gaps most likely to be exploited.

User-based protections. As many as 68 percent of attacks are caused by internal users. Healthcare organizations have an even greater responsibility to educate and train their users, given the number of people who have access to sensitive information and the frequency with which that information is distributed. Prioritizing regular training, testing and education and requiring users to use complex passwords and two-factor authentication will help to limit unauthorized access and minimize the risk of a threat.

Contingency plans. Every effort must be made to block cyberattacks, but there must also be contingency plans in place to limit the scope and scale of the damage in the event a breach occurs. Abnormal traffic monitoring and refined network segmentation do just that. If a hacker is exporting data out of a system and into an independent server, then a spike in traffic results. Monitoring for these spikes enables a faster mitigation response, and networks that are properly segmented fundamentally limit the effects of an attack from spreading.

Even following these practices, organizations should consider using external audits to better assess their security strategy and look for the deeper gaps that may exist. In the U.S., the American Institute of Certified Public Accountants’ Service Organization Control 2 accreditation and SOC3 certification can help ensure that service organizations provide the appropriate controls for security, availability, integrity and confidentiality.

Ultimately, a multilayered approach that is constantly evaluated is the only way to ensure that an organization is providing its patients and providers with the utmost protection.

For reprint and licensing requests for this article, click here.