5 Critical Targets Illustrate the Need for Cutting-Edge Healthcare Cybersecurity

By Troy Ament, Fortinet Field CISO for Healthcare

Despite the noble missions of fighting illnesses and saving lives, organizations in today’s healthcare industry are frequently under attack by cybercriminals. Why are healthcare organizations of all shapes and size under constant threat? The reason is simple: data. Extremely valuable personal, medical, and financial data.

Why is Cybersecurity Important in Healthcare?

Healthcare cybersecurity is vital and is becoming more important every day as medical organizations become more reliant on hospital information systems like electronic healthcare record (EHR) systems and physician order entry systems. The aim of cybersecurity, specifically in healthcare, focuses on preventing cyberattacks by defending these highly important medical systems from unauthorized access, use, and disclosure of patient data. Healthcare cybersecurity and effective healthcare data management is critical to ensure the availability of medical services and confidentiality of patient data, which, if compromised, could put patient lives at risk. 

Healthcare Data Management Plays a Vital Role in Effective Healthcare Cybersecurity

The healthcare industry has become more vulnerable as the attack surface expands due to newly deployed technology, telehealth, and other developments. Increasingly, third-party users are invited to access healthcare systems’ network resources. And, new Internet of Medical Things (IoMT) devices are being added to the network — many of which were not designed with security in mind and are, therefore, susceptible to cyberattack. Below are five cybersecurity risks in healthcare and three best practices for protecting them.

“Healthcare cybersecurity is critical to ensuring the availability of medical services and confidentiality of patient data, which, if compromised, could put patient lives at risk.”

Top 5 Risks in Healthcare Cybersecurity 

To protect patients and their data as well as provide them with the best experience, health networks need holistic, end-to-end cybersecurity at every point of care and in every facility. Below is a list of five types of security risks that are frequently targeted by cybercriminals and need to be expertly secured:

1. Email

Email is still the primary means of communication within healthcare organizations, making it an obvious method for launching attacks, including phishing, spear phishing, social engineering, and ransomware.

2. IIoT/IoT and IoMT Devices

IoT devices like smart heating systems or remote patient monitoring tools can have a significant effect on patient wellness and are often not very secure.  IoMT devices extend lives, improve the quality of life and clinical staff productivity, make the relationship between the patient and the care team less transactional, and enable more seamless care coordination. Like IoTs, these devices aren’t well-protected and can be exploited to gain access into the network.

3. EHR Systems

Electronic health record systems track extremely personal and sensitive patient data which, if stolen and made public, would be a perfect scenario for ransomware.

4. Physical Devices

Laptops, tablets, mobile phones, and other physical devices that are used in healthcare can be stolen and hacked or manipulated leading to the loss of credentials or other confidential information.

5. Legacy Systems

Old but not yet retired legacy systems still prominent in many healthcare organizations, and which are no longer supported by the manufacturer, can be an open invitation to cybercriminals. They must receive constant attention to be kept secure and not exploited.

Three Best Practices for Healthcare Cybersecurity 

1. Establish a Security Culture

Healthcare IT and security professionals can establish a security culture within their organizations by conducting regular risk assessments and providing employee cybersecurity education and training, which must include top management who can easily fall victim to spear phishing attacks.

Other tactics for instilling a security mindset: remind employees to practice good computer habits, use strong passwords and change them regularly, and encourage staff to be aware of their physical surroundings and the potential for mobile device theft.

2. Develop an Incident Response Plan

Chief information security officers (CISOs) and chief security officers (CSOs) need to be proactive and develop solid incident response plans with their IT and cybersecurity teams. Cybersecurity vendors have incident response and readiness services that you may want to investigate as you develop your plans.

3. Deploy Security Solutions with Automation and Integration in Mind

Healthcare organizations must have cutting-edge cybersecurity solutions that include next-generation firewalls, as well as the installation and maintenance of antivirus software. However, these are just the basics. 

Learn more about the latest healthcare cybersecurity solutions by visiting the Fortinet Healthcare Team at ATA2023, Booth #1304. 

Troy Ament, Fortinet Field CISO for Healthcare, has more than 20 years of experience transforming information technology and security programs, including 14 years in the healthcare sector as an executive overseeing clinical technology implementations. Before joining Fortinet, Troy served as Chief Information Security Officer at Beaumont Health and Director, Chief Information Security Officer at Sanford Health where he had oversight of the Security Technology, Security Operations, Identity and Access Management, and Governance Risk and Compliance (GRC) Teams.