Top Trends in Healthcare IT
Introduction
Healthcare is a unique setting for cybersecurity for a couple of reasons, so the approach may seem unique as well. But is it really?
First, the culture of helping people and protecting their health records is far more people-focused than the customer- and data-centric focus usual in cybersecurity. In healthcare, people's well-being is at risk and may be harmed by a breakdown in our ability to protect the confidentiality and integrity of the data, as well as the availability of the systems and the data.
Second, the use of OT (Operational Technology) and IoT (Internet of Things) devices, together with remote access from tablets and other handheld devices, makes the environment highly susceptible without proper cybersecurity practices. Identity and access management and business continuity are still paramount, but ensuring both in such a potentially permeable environment requires a different mindset in addition to the usual cloud and on-premises focus.
In this article, the intention is to share some current trends and how to address them. This will not be a comprehensive list but will provide you with a better sense of the challenges.
Generative AI and Data Sensitivity
Generative AI is more accessible than ever and is enabling advanced applications in healthcare. Two types of AI use should be considered: AI embedded in vendor-provided applications to enhance functional capability, and democratized AI directly accessible to the end user for a variety of information support and generation activities. The first type can be managed with proper governance, risk and compliance (GRC) diligence in your Third-Party Risk Management (TPRM) program. The second requires greater attention.
With end-user democratized AI, two challenges arise: protecting confidential and sensitive data from exposure outside your company, and validating the results and suggestions the AI solution provides. Data Security Posture Management (DSPM) should look at how company and personal data are protected from inadvertent leakage through AI. This starts with a robust data classification program, least privilege access management, and Role-based Access Control (RBAC) together with Attribute-based Access Control (ABAC), also known as policy-based access control. Governance must be in place first; then all data must be classified, or defaulted to a suitable classification level. This is most difficult for unstructured data such as the files users create and keep in online storage solutions like OneDrive, Google Drive, Box, etc. Modern data management solutions also employ AI to help classify data, because doing so manually is not feasible at that scale.
Once governance and data classification are in place, RBAC and ABAC should be implemented wherever possible. Policies for structured data should be enforced through application and database access controls using RBAC and ABAC.
Unstructured data should be addressed next, and there is no easy solution for this type of data. A good practice is to include a Rights Management Service (RMS) to protect documents that inadvertently or intentionally leave your company. RMS requires anyone opening a protected document or unstructured file to authenticate back to your company, so a leaked copy remains unreadable to unauthorized parties.
By 2026, over 80% of enterprises are expected to use generative AI, enhancing decision-making and operational efficiencies (Gartner).
Legacy Systems and Modern Digital Technologies
Many health systems still use outdated technologies with poor security. Those systems often cannot adapt to newer security practices or the cost to retrofit is not practical. Healthcare organizations are increasingly adopting digital technologies like electronic health records (EHRs), telemedicine, and Internet of Things (IoT) devices. While these technologies have many benefits, they also create more entry points for cybercriminals.
The unfortunate short answer for legacy systems is that a sound strategic plan to upgrade them must be developed. In the meantime, mitigating controls must be considered and implemented. Again, starting with strong Identity and Access Management (IAM) practices is most important. Cybercriminals cannot steal what they cannot access. The strategy may also include isolating legacy systems to prevent lateral movement should they be compromised. This should be treated as a tactical measure until a strategy to replace the systems is carried out.
As modern technologies are adopted, it is imperative that the cybersecurity architects and data specialists are included in the acquisition decision and implementation project from start to finish. Their consultative expertise will help ensure that your data is and remains secure in the new systems. Pay attention to finding solutions that meet your needs by first engaging all involved stakeholders in determining the functional requirements of the new system before buying it. For every function decide whether it is critical, a business enhancer, or a nice to have. Make sure the solution addresses all your critical functions and as many business enhancers as reasonable once cost to value is assessed. Insist on proof of concept or proof of value demonstrations using test data that replicates your mix of data from the few finalists chosen. Be very aware of access to the new system in the form of remote devices, OT, and IoT devices. Do not forget about wearable devices that patients attach to their bodies to collect health and fitness data, which they may provide to doctors, health providers, insurers, and other relevant parties. Examples include fitness trackers, blood pressure monitors and biosensors.
Whenever possible, implement modern technology in phases, limited geographies, or a single business unit to learn in small projects before rolling out globally. Doing so helps limit your risk exposure. Always ask for and approve a rollback plan that meets the needs of your business continuity agreements. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) should be achievable for rollback.
Healthcare organizations often try to secure their digital landscape by stitching together point solutions that each provide a single security function. These products typically lack integration and cohesiveness, adding to the complexity of the deployment challenge. The industry is moving towards integrated platforms and away from point solutions, which is why we are seeing so much acquisition activity from the larger cybersecurity players in the marketplace. Keep in mind that no single platform can address 100% of your requirements. However, rather than dozens of point solutions, think in terms of several platforms that work together to achieve your goals.
The industry is facing a shortage of cybersecurity and IT talent, which can strain risk posture. Increasingly complex IT environments, driven by large numbers of point solutions, require significantly more technical resources. Integrated platform solutions reduce your overall number of vendors and solutions, thereby reducing the demand for point-solution expertise. This will also open the market to more "as-a-service" solutions that alleviate Tier 1 support pressures internally.
Today’s healthcare cybersecurity cannot run on multiple disjointed products. Continuous care delivery requires a unified approach designed to identify and prevent known and unknown threats in real time. Achieving this while protecting your environment in an ever-evolving threat landscape is our mandate. Start by prioritizing these focus areas:
· Securely deliver care from anywhere.
· Secure connected devices.
· Simplify security through consolidation.
Steps to achieve success:
1. Assess your current IT infrastructure and identify areas for improvement.
2. Invest in training for staff to adapt to modern technologies.
3. Collaborate with technology partners to implement these trends effectively.
4. Regularly review and update IT strategies to align with evolving trends.
Compliance
Healthcare organizations often lack a proactive approach to security and compliance. Taking advantage of compliance management software can be a critical component of a successful program. The number of malicious attacks on healthcare has grown exponentially in recent years. According to the HHS Office for Civil Rights (OCR), large breaches increased by 93% between 2018 and 2022. Additionally, large breaches involving ransomware increased by 278%. Healthcare is a prime target.
Although compliance is not security, a thorough program can give you assurance that you are doing what is right and making the best use of the company's investment. We must make certain that our compliance program also addresses risk management assessments. A risk-based approach should be taken for all cybersecurity investments and decisions, and compliance can help ensure we are doing so. The cost of compliance is ever increasing; establishing a strong compliance program minimizes those costs in the long term. It sets a high standard and ensures enforcement through periodic and timely compliance assessment.
Conclusion
Basics matter even though they are not exciting. Whether healthcare, given its unique customer base, or in other industries, doing the basics right mitigates much of the risk.
To achieve the least risky posture:
· Know your data
· Control access to it
· Ensure resiliency in case of an incident
· Know your users
· Manage your systems
Yes, healthcare has unique needs and concerns, but we also have much in common that needs to be addressed first. Modern technologies such as Generative AI will continue to tax our energies and challenge our thinking. Existing attacks in the forms of phishing, malware, ransomware, denial-of-service and many others will be there with ever-evolving nuances to avoid our detection and prevention. It is imperative that we keep in mind our real purpose: Protect our patients and their data through the best practices and best investment in those practices. Our mission dictates our strategy. Our strategy informs our tactics. As much as the healthcare IT environment is unique, the similarities with other industries are greater.
Sources:
· Gartner’s 2024 Top Strategic Technology Trends
· Verizon DBIR
· ISACA Digital Trends Report
· HHS Office for Civil Rights (OCR)