Getting a handle on the unique challenges of hospital data security

"Healthcare IT leaders need to understand the broad range of technologies at use across a hospital and assess which of these systems and machines they would detect attacks against, and where they would be blind."
By Nathan Eddy
12:26 PM

A hospital must manage a traditional IT environment like any other business, but faces additional difficulty with two additional environments: Clinical technologies involved in delivering care, and the modern electronic health records system.

"Each presents its own unique security challenges for the modern healthcare delivery organization," said Scope Security CEO Michael Murray, who is scheduled to speak on the topic next month at HIMSS21.

He explained hospitals have the same traditional IT technologies (e.g. laptops, switches, routers, servers, etc.) that all environments have and securing those assets is similar to how that happens everywhere.

But Scope's research shows that, for a given revenue level, healthcare organizations have about 10 times fewer security staff than a traditional financial services organization.

"So, if you have a tool that that sends out 100 alerts per week, a hospital's team will be overwhelmed at the tenth alert," he said.

Another environment is clinical technology, that is, medical devices and all of the technology that is involved in delivering care.

These technologies' challenges are well known, with legacy equipment (Over 75% of devices in use today are on operating systems that no longer receive patches.), long device lifecycles and restrictions about being able to deploy security controls.

"These devices provide fertile targets for hackers to hide in a healthcare environment while they perform reconnaissance and evade detection," Murray warned.

The third environment encompasses massive EHR systems that hospitals have come to depend on. These technologies hold the key information assets of the hospital and, because of a lack of regulation, publish no information about vulnerabilities or how to detect attacks – meaning that most modern security products have no way of understanding how to protect these systems.

Murray explained visibility across all the environments and technologies is the first step to solving security challenges.

"Healthcare IT leaders need to understand the broad range of technologies at use across a hospital and assess which of these systems and machines they would detect attacks against and where they would be blind, he said.

"Because these three environments are interdependent on each other, having great security on just one set of technologies, such as laptops, won’t be enough if the attackers take another path, such as entering through the patient portal and hiding out on clinical equipment until the day they deploy their ransomware payload."

From Murray’s perspective, the critical issue in evaluating security solutions is understanding not just what a technology can do, but what the specific technology will take to implement and operate once up and running.

"The main challenge that healthcare organizations have is that most tools are built assuming a very different staffing level than they have," he said.

Murray noted that, while it is important to build a security strategy to deter and stop ransomware, the far scarier attacks are the ones that stay quiet forever.

He said security leaders in healthcare need to be thinking about all of those unseen types of attackers and how they would detect their presence hiding out inside of their EHR system or on legacy medical devices while they steal patient data and other important information assets.

"If they do a good job of that, ransomware will be taken care of as well," he said. "Unfortunately, focusing only on ransomware leads many organizations to build a security strategy that relies on that type of attack pattern."

Michael Murray will share some healthcare security best practices at HIMSS21 in a session titled, "A Hospital Isn't a Bank, Why Healthcare Security is Hard." It's scheduled for Wednesday, August 11, 11:30 a.m.-12:30 p.m. in Caesars Forum, room 123.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209

HIMSS21 Coverage

An inside look at the innovation, education, technology, networking and key events at the HIMSS21 Global Conference & Exhibition in Las Vegas.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.