Healthcare is one of the most heavily regulated industries globally. Healthcare providers and payers are subject to rigorous cybersecurity requirements and obligations imposed by law, regulation, and policies such as HIPAA and GDPR. Information Security (Infosec) is an increasingly critical group in any organization or sector – especially healthcare.
For this edition of the Women in Health Tech series, we caught up with Nishtha Kaura, Lead Systems Security Professional in the NantHealth Enterprise IT group, who shares her knowledge of cybersecurity and how healthcare organizations can be best prepared for the unexpected.
What makes cybersecurity challenging within the healthcare field?
Healthcare has become one of the top targeted industries by cybercriminals, mainly due to the sensitive patient data that healthcare organizations and entities store, including health records, personal and financial information, insurance details, and much more. This information is lucrative for cybercriminals: stolen health records sell for up to ten times more than stolen credit card numbers on the dark web.
What makes healthcare uniquely more challenging than other critical infrastructure sectors is the industry’s direct impact on human lives. The ramifications of a cyber attack in healthcare are beyond financial loss or breach of privacy. Ransomware, for example, is a particularly egregious form of malware for hospitals, as the loss of patient data can put lives at risk.
What gets you excited about your role in helping to pave the future of healthcare?
As the healthcare industry gets some breathing room from the pandemic, another one is surging – cyber attacks. Like the pandemic, these attacks can prevent hospitals from providing care to patients. Why? Malicious actors are targeting the healthcare industry specifically for that reason. Last year we saw ransomware-as-a-service become a normality in the cybercrime community, with cyber gangs being supported by nation-state actors.
Many healthcare organizations lack the necessary visibility to prevent cyber threats and struggle to reduce the time it takes to detect and respond to threats. This strain can significantly cripple patient care, risk patient safety, harm stakeholder trust, and compromise sensitive clinical data, not including the financial ramifications it invokes. Healthcare organizations today are bringing cybersecurity to the forefront of many boardroom discussions. We, as security experts, must seize this opportunity to educate and inform stakeholders on the current cybersecurity threat landscape and the actions needed to combat these attacks.
Technologies and tools being implemented do not guarantee that an organization is secure from these cyber attacks. Attackers often target employees as a way to bypass technical security controls, with tactics such as social engineering, e.g., phishing. Infusing cybersecurity into the mindset of all employees is a cultural change that needs to be prioritized and adopted throughout the entire organization. Leaders must realize that employees are on the frontline of these sophisticated attacks. It is an organizational responsibility to be diligent in protecting patients and patient data.
To combat these gangs and their criminal activity, it is vital that we also adopt a collaborative mentality and create a security-conscious workforce. Developing a cyber-aware culture is a necessity within the hospital and health system. Additionally, it is just as important to leverage other ecosystem resources to stay informed of emerging threats, listen to lessons learned from our peers, and discover additional tips used by other security professionals to stave off the bad actors and protect their environments, patients, and data. In my role, I’m excited to be part of these efforts that directly impact patient safety and outcomes.
How can a healthcare organization strengthen its cybersecurity resilience?
The cyber bad guys spend every waking moment thinking about how to compromise your cybersecurity procedures and controls. The best defense begins with elevating the issue of cyber risk as an enterprise and strategic risk-management issue. If possible, you should also dedicate at least one person full-time to lead the information security program and prioritize that role to have sufficient authority, status, and independence to be effective. Furthermore, you and your team should receive regular updates on your organization’s strategic cyber risk profile and whether adequate measures are dynamically being taken to mitigate the constantly evolving cyber risk.
Finally, the most important defense is to instill a patient safety-focused culture of cybersecurity; therefore, any good security program needs to address people, process, and technology. This enables healthcare organizations to leverage their existing culture of patient care to impart a complementary culture of cybersecurity. A culture of cybersecurity, where the staff members view themselves as proactive defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and patients.