Healthcare cybersecurity: A national imperative

  • Posted on May 2, 2024
  • Estimated reading time 4 minutes
Cybersecurity in healthcare and life science

One of healthcare’s most sacred responsibilities – keeping personal healthcare information protected – is getting a lot harder. Not a week seems to go by without a new security incident. That’s because online criminals have learned that healthcare and life sciences organizations are a particularly attractive target for two reasons:

  • Their cybersecurity systems are not always the most robust.
  • Their (patient & enterprise) data is highly valuable and many medical devices are an easy entry point for attackers.

It’s a combination tailor-made for cybercrime: easy targets that will pay to recover data or restore hijacked operating systems.

To make matters even more challenging, the attacks are coming at a time when healthcare and life sciences organizations are already stretched thin. The average cost of a healthcare data breach is $11 million. One healthcare system made recent headlines for estimating a ransomware attack will end up costing it more than $1 billion.

Healthcare hasn’t historically received the same type of pressure to invest in critical infrastructure that other types of industries have – think financial services sector, the electrical grid and water treatment plants – however, that is changing. The prospect of losing $1 billion is simply untenable.

The answer: Back to basics
Today’s cybercriminals may be using increasingly sophisticated technologies to find and exploit security weaknesses, but there is nothing particularly unique about healthcare’s basic security challenges. Many incidents have exploited known vulnerabilities that were not acted on. Legacy systems running outdated software are still common. The explosion of “smart” medical devices connected to online systems has opened entry points that did not exist before.

While it’s understandable – healthcare is in the business of saving lives, not running IT systems – many organizations are operating with inadequate security policies and controls, struggling with a lack of investment in security, or failing to address a general lack of awareness of or adherence to security best practices.

It’s a recipe for disaster, but one that can be tackled. As cybersecurity professionals, my colleagues and I talk with healthcare organizations that see the risks ahead and know it is time to strengthen their security programs. We know how to step into a situation, identify vulnerabilities, prioritize what can be done immediately and create actionable strategies to stay ahead of technology and business risks.

At the same time, we think of ourselves as part of the broader healthcare community and would much rather share our expertise to stop a breach rather than help an organization recover after one. In thinking through what healthcare and life sciences organizations can do right now to enhance the security of their operations, we always go back to basics:

  • Reinvigorate security awareness training across all staff. Include anyone who has access to any device that can get online. Create a culture of security so that every person on your team, no matter the role, is on the lookout for risks and suspicious activity.
  • Expand risk and vulnerability assessments/management throughout your entire ecosystem. That includes partners, collaborators, vendors and more. For staff security awareness training, include all business units that have access to your data, no matter the role.
  • Plan and rehearse your incident response now. What will you do when you experience a data breach? How will you respond to a ransomware attack? How will you minimize damage and ensure a swift recovery (cyber resilience)?

Beyond the above, it goes back to basic blocking and tackling, deploying the fundamentals of security. Given the threats specific to the health and life sciences industry, we suggest:

  • Leverage automation (scale and speed) to identify and prevent incidents.
  • Address out-of-date operational systems through robust patching and vulnerability management.
  • As the business moves to cloud, ensure security-by-design principles and functionality are operationalized.

The good news is that any one organization isn’t in this fight alone. Technology partners and industry support organizations are coming together to establish methods of mutual support. A few initiatives we, at Avanade, support strongly:

  • The participation of Health and Life Science organizations in the Health Information Sharing and Analysis Center (Health-ISAC) and the Health Sector Coordinating Council Cybersecurity Working Group, as these are safe spaces where organizations can openly discuss best practices after an attack without increasing their own liability. It’s important to share what is happening across organizations so we can warn others and band together to strengthen our joint defenses.
  • Given how critical the situation is at present, industry support organizations are urging broader industry regulations that reflect healthcare’s position as a critical infrastructure that must be protected.
  • Another initiative could provide a way for smaller healthcare groups and those in more rural areas to access both the expertise and funding required to deploy modern and robust security controls.

Many of us are preparing to attend RSA Conference 2024 (May 6-9), the premier security conference, where these and related topics will be explored in depth. In collaboration with Accenture and Microsoft, we are hosting a networking cocktail reception and several speaking sessions.

Register now to join us at the RSA Conference and exchange thoughts on how we can collaborate and address healthcare security together.
