3 Ways Healthcare Organizations Can Improve Data Security

The number of endpoints on healthcare networks is growing exponentially, from BYOD and corporately-owned mobile devices to a host of IoT devices such as printers and smart appliances. All are brought in with the well-intended motive of improved productivity, but when you combine device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it’s easy to understand why interoperability is such a pervasive problem in healthcare today. Better endpoint visibility and control are needed now.

Add to this mix mistake-prone employees who lose devices or have them stolen, click on a phishing link, or inadvertently send Personal Health Information (PHI) across insecure channels, and you’ve got a recipe for embarrassing, costly leaks of sensitive data, not to mention the likelihood of hefty fines under regulatory frameworks like HIPAA and HITECH.

Unfortunately, response is little better for most. A recent Ponemon study found that traditional endpoint security approaches are ineffective, cost enterprises more than $6 million per year, and result in poor detection, slow response and wasted time. Without better endpoint visibility and control, healthcare organizations will continue to experience financial losses associated with data breaches and even ransomware, as Hancock Health most recently did.

Healthcare organizations must better address interoperability, protect data and maintain HIPAA or HITECH compliance. Adding fuel to this fire is the coming General Data Protection Regulation (GDPR) framework set for enforcement in May 2018. Massive fines could be on the line if appropriate security measures for European citizens’ data aren’t met.

To maintain control over critical PHI or other sensitive data, healthcare organizations should consider the following 3 approaches:

  1. Regain Control Over Endpoints – When endpoints go rogue or become invisible due to faulty security agents, you need to act fast, and with confidence. Without urgency, you risk exposing your organization to ransomware attacks and security breaches. It’s not uncommon for laptops at a healthcare organization to go missing for months before the loss is detected in a yearly IT audit. Focus your efforts on closing this critical flaw in oversight and ensure red flags go up immediately when a device misses an update, goes missing or shows signs of tampering.
  2. Add Resiliency to Security Solutions – Organizations should consider investing in endpoint controls and applications to protect their most critical assets, as well as to ensure that full application availability and integrity are kept intact. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users, and often leave IT and security pros flying blind. Improving visibility and control at the endpoint can help fix these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.
  3. Prioritize Real-Time Evaluation and Response – Organizations need to be able to evaluate security posture in real time to ensure all devices are patched for known vulnerabilities, whether a device is on or off the network. When new vulnerabilities crop up, IT teams need to be able to proactively address these emerging threats with data controls and/or patch distribution. Ponemon found 425 hours are wasted each week by IT teams chasing false negatives and false positives. Accordingly, greater automation of containment and remediation could save organizations an average of $2.1 million annually in time savings, and it has a greater chance of preventing a costly breach.

While the financial implications of attacks on healthcare data are obvious, it’s the impact these breaches have on the safety and privacy of patients that places the greatest impetus on the need to correct these critical gaps in data security.

To get a better assessment of where your endpoint security stands or potential considerations when evaluating or strengthening your healthcare cybersecurity posture, check out Absolute’s healthcare resources.

ABOUT THE AUTHOR

Kevin Golas

Kevin is a Senior Director of Risk Management at Absolute Software. With over 15 years of experience in the information technology industry, Kevin has expertise in information technology strategy, information security management, application design and large-scale system implementation. He has managed global cyber software implementations for Fortune 500 clients. Prior to joining Absolute Software, Kevin was a Director in the Cyber Risk Advisory Service practice at Grant Thornton.