
Healthcare organisations urged to improve system security

Sponsored Post Digital patient medical records now cover a whole gamut of sensitive details such as clinical diagnoses and treatments, prescriptions, personal finances and insurance policies, which makes keeping them safe more important than ever.

Volumes are increasing rapidly, and so is the complexity of the digital storage facilities: healthcare providers today house patient information on multiple data platforms such as on-premises servers, electronic health record systems and public/private cloud services.

What’s more, modern healthcare environments also span sophisticated medical systems and Internet of Things (IoT) devices that are interconnected with each other and, in some cases, externally to the internet.

That means the number of points at which cybercriminals can launch attacks and steal commercially and personally sensitive healthcare records is growing rapidly, according to the SANS Institute. In response to these clear and present dangers, it has created a dedicated portal featuring a host of resources for cybersecurity professionals working to protect the systems of healthcare providers.

Cybercriminals and other malicious actors have long placed a high premium on patient information because of the breadth of fraud opportunities it offers. Such data can be readily monetised to commit medical identity theft and insurance fraud. The extent of the danger is highlighted by the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, whose figures show breaches rising sharply: in 2020 alone, over 22 million US patient records were breached.

SANS Institute estimates that almost all attacks exploit inadequate cybersecurity controls such as unpatched systems or non-hardened medical device configurations. It advises healthcare cyber practitioners that disrupting the attacker’s return on investment through the use of cyber hygiene best practices is an essential strategy.

SANS highlights the value of leveraging the CIS Controls from the Center for Internet Security, which provide a blueprint for cyber hygiene best practices based on current offensive tactics, techniques and procedures. These controls provide a cost-effective, measurable means of automating technical cyber hygiene and can be used to inform defensive countermeasures specifically designed to block known cyber-attacks and disrupt the attacker's ROI.

It’s also important for cyber security professionals to keep up to date with relevant data protection regulations and to demonstrate compliance with the rules governing how patient data and related systems must be defended. For example, compliance with HIPAA, which defines the regulatory standards for the lawful use and disclosure of protected health information in the United States, is mandatory. Its requirements include the use of approved methods for sharing electronic patient records, for disposing of patient records and for managing devices. SANS offers further guidance on building a healthcare security and compliance programme.

To help infosecurity professionals, the SANS Institute also offers support, a host of free resources and practical advice for stopping cyber attacks on healthcare organisations. Its Cyber Ranges focus on the practical application and assessment of hands-on cybersecurity skills, and it maintains a comprehensive library of whitepapers. The SANS team is always happy to help with any questions from the healthcare infosec community via the contact form at the bottom of this page.

Sponsored by SANS.