There's plenty of work to do in shoring up network security at healthcare organizations. While the retail sector has been making headlines for months due to oversights that led to record-setting breaches at Target, Neiman Marcus and Michaels, hospitals and clinics may be even more vulnerable to attack than these chains, even if they haven't been the subjects of similarly high-profile incidents yet.
Healthcare lags retail, finance in network security
A recent report from BitSight Technologies rated the security postures of different verticals on a scale from 250 to 900 (a higher figure means stronger protection). Healthcare received a 660, falling well behind retail at 685, with utilities and finance even farther up the ladder.
"Unlike the financial institutions and electric utilities in the S&P 500, the healthcare and pharmaceutical companies do not view cybersecurity as a strategic business issue," stated the authors of the BitSight report, according to Cruxial CIO. "They do not spend enough resources to protect their data, in part because cybersecurity has not received the executive level attention it deserves."
The results are surprising in light of how many regulations, including the Health Insurance Portability and Accountability Act, govern healthcare data. Security firm Redspin estimated that nearly 30 million records have been compromised in HIPAA breaches since 2009, and that the yearly total rose 138 percent between 2012 and 2014.
Mitigating risk with managed network security and virtualization
To avoid becoming victims, organizations can rely on a managed services provider to install and oversee mechanisms that shield important assets from surveillance and theft. Core capabilities may include:
- Dedicated private IP networks that carry encrypted data
- Secure remote access and collaboration
- Network authentication and integrity checking
- Firewalls for MPLS IP-VPN
- Around-the-clock security management
These fully featured solutions have become increasingly appealing to healthcare providers, especially as initiatives such as bring your own device and technologies like cloud computing have revolutionized IT. Administrators may no longer feel confident in their networks' safety in the face of threats that could enter from any one of many possible attack surfaces, including smartphones or unauthorized cloud apps.
Health IT Security's Patrick Ouellette chronicled how one healthcare security executive had recalibrated his organization's approach to network security in order to deal with today's threats and usage habits. In practice, this shift has entailed moving beyond data loss prevention and incorporating data exfiltration monitoring to keep tabs on device activity and traffic flows across the entire network.
"We also have a robust data exfiltration capability that we've instituted at the core of the network and the perimeter so we can watch data flows," David Reis, vice president at Lahey Health, told Health IT Security. "Looked at that way, it becomes illuminating pretty quickly and easy to flesh things out. You ask where the data is moving in and out from, what devices are plugging in and out and what users are doing once they're plugged in."
The adoption of advanced network security measures is promising, especially in light of the healthcare sector having accounted for 43 percent of all breaches in 2013, according to the Identity Theft Resource Center. On this same front, healthcare providers are implementing technologies such as desktop virtualization to bolster security.
Virtual desktops are appealing to hospitals and clinics because they involve little more than dumb terminals, to which operating systems are supplied from a remote server. Accordingly, there's less risk of misconfiguration or data theft than with a machine that is running a locally installed OS. Speaking to Health IT Security, Chris Logan, chief information security officer at Care New England Health, described desktop virtualization as "a huge win for security."