
Critical Cyber Protection Strategies
Healthcare organizations face unprecedented cybersecurity challenges today. From resource constraints to expanding attack surfaces, these institutions require robust defenses against increasingly sophisticated threats. According to Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (Health-ISAC), maintaining strict cybersecurity standards is no longer optional—it’s essential for survival.
“I think back to my time in the banking sector,” Weiss reflects. “We literally had an army of people just in cybersecurity – thousands of people just doing cybersecurity for a bank.” By contrast, even large health systems struggle with limited resources and skilled security personnel despite facing greater vulnerabilities.
Health-ISAC: Strength Through Collaboration
What healthcare lacks in resources, it makes up for in collaborative spirit. Weiss, who joined Health-ISAC six years ago after 13 years in financial cybersecurity, notes: “The level of collaboration, cooperation – the spirit of wanting to help each other out – was just so much better here in healthcare than anything I ever saw in financial services.”
Health-ISAC specializes in sharing actionable cybersecurity information across the healthcare sector. Membership costs less than many expect and delivers tremendous value, particularly for smaller organizations.
“If you have questions, if you need best practices, people are very willing to put something out there, share example policies that they’ve developed that people could reuse,” Weiss explains. Members regularly compare notes on third-party risk management approaches and implementation strategies.
Balancing Innovation With Security
Healthcare’s technological revolution presents both opportunities and vulnerabilities. “There are some really cool things happening in healthcare when it comes to advances in medical technology,” including remote patient monitoring, hospital-at-home programs, and artificial intelligence applications, Weiss observes.
However, these innovations create new avenues for adversaries to compromise patient safety and privacy. Technology developers racing to market may shortcut essential cybersecurity measures. Hospital-at-home programs particularly expand attack surfaces by depending on patients’ typically vulnerable home networks.
“It’s not just about breaking into a hospital,” Weiss clarifies. “That might be well-protected, but now going after a patient at home who’s on their home network that’s probably not at all well-protected and a lot more vulnerable to these kinds of attacks.”
Regulatory Challenges and Resource Constraints
While HIPAA security rule updates provide more specific requirements for data protection, implementation barriers remain significant. “There’s a big but,” Weiss cautions. “It’s the money, the resources and the talent to make all of that happen.”
The regulatory estimates for security measures like penetration testing appear unrealistic to seasoned professionals. “I would call the estimate ludicrous,” Weiss states. “It was orders of magnitude way off in terms of how long it would take to properly do a regular repeating penetration test of a network.”
Resource constraints in rural facilities often mean IT staff juggle multiple responsibilities. Weiss shares an anecdote about a security specialist who also maintained the hospital grounds, cutting the lawn weekly alongside his cybersecurity duties.
Essential Security Resources for Small Providers
For resource-limited organizations, Weiss recommends starting with fundamental security hygiene using these key resources:
- HHS Voluntary Cyber Performance Goals: “If you can get through the first part, then maybe it’s time to start tackling the second part,” he advises.
- CISA’s Known Exploited Vulnerabilities (KEV) Catalog: This critical resource helps prioritize patches against active threats. “We’re seeing exploits from vulnerabilities that literally came out in 2014,” Weiss warns, emphasizing the importance of this recently endangered resource.
- Functional Backup Systems: Organizations must maintain working backups and regularly test full system recovery—ideally twice yearly. “Can I rebuild from scratch? How would I do that and try it out and make sure it works?” Weiss recommends.
- Multi-Factor Authentication (MFA) Audits: Regular validation of MFA implementation is crucial. “Sometimes whole classes of users do not have MFA turned on, or tokens were turned off and never turned on again,” Weiss notes, connecting MFA failures to major breaches like those at Change Healthcare and Ascension.
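As an added illustration of two of the practices in the list above (patch prioritization against a KEV-style catalog, and an MFA coverage audit), here is a small Python script. It is not code from the article, Health-ISAC, or CISA. Every record in it is constructed: the CVE IDs and user names are placeholders, and `KEV_SAMPLE` only assumes the shape of CISA's KEV JSON feed (a `vulnerabilities` list with `cveID`, `dueDate` and `knownRansomwareCampaignUse` fields) rather than copying any real entries.

```python
"""Added example, not from the article. All data below is constructed."""
from collections import defaultdict
from datetime import date

# Constructed stand-in for a downloaded KEV feed; field names are an assumption
# about the feed's shape, and the CVE IDs are obvious placeholders.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2014-EXAMPLE1", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "dateAdded": "2022-03-01",
         "dueDate": "2022-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-EXAMPLE2", "vendorProject": "ExampleVendor",
         "product": "ExampleEHR", "dateAdded": "2023-11-15",
         "dueDate": "2023-12-06", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed vulnerability-scanner export: host -> open CVE findings.
INVENTORY = {
    "vpn-gw-01": ["CVE-2014-EXAMPLE1", "CVE-2021-EXAMPLE9"],
    "ehr-app-02": ["CVE-2023-EXAMPLE2"],
    "print-srv-03": ["CVE-2021-EXAMPLE9"],
}

# Constructed identity-provider export. 'enforced' = policy requires MFA for
# the account; 'methods' = factors actually enrolled (empty if a token was
# disabled and never re-enabled).
USERS = [
    {"user": "clinician01", "group": "clinical", "enforced": True, "methods": ["totp"]},
    {"user": "svc-fax", "group": "service", "enforced": False, "methods": []},
    {"user": "admin02", "group": "it-admin", "enforced": True, "methods": []},
    {"user": "biller07", "group": "billing", "enforced": False, "methods": []},
    {"user": "biller08", "group": "billing", "enforced": False, "methods": ["sms"]},
]


def prioritize_patches(inventory, kev_feed, today=None):
    """Return scanner findings that appear in the KEV feed, most urgent first:
    ransomware-linked entries before others, then by days past the due date."""
    today = today or date.today()
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited; handled by the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": host,
                "cve": cve,
                "days_overdue": (today - due).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_overdue"]))
    return hits


def audit_mfa(users):
    """Flag whole groups with no MFA enforcement, and accounts whose policy
    requires MFA but which have no factor enrolled (the 'token turned off and
    never turned on again' case)."""
    per_group = defaultdict(lambda: [0, 0])  # group -> [enforced, total]
    enforced_without_factor = []
    for u in users:
        per_group[u["group"]][1] += 1
        if u["enforced"]:
            per_group[u["group"]][0] += 1
            if not u["methods"]:
                enforced_without_factor.append(u["user"])
    return {
        "coverage": {g: enf / tot for g, (enf, tot) in per_group.items()},
        "groups_without_mfa": sorted(g for g, (enf, _) in per_group.items() if enf == 0),
        "enforced_without_factor": enforced_without_factor,
    }


if __name__ == "__main__":
    for hit in prioritize_patches(INVENTORY, KEV_SAMPLE, today=date(2024, 1, 1)):
        print(f"{hit['host']:14} {hit['cve']:20} overdue={hit['days_overdue']:4}d "
              f"ransomware={hit['ransomware']}")
    print(audit_mfa(USERS))
```

The patch list deliberately ignores findings that are not in the catalog, which is the point of using KEV as a first filter: with a small team, the hosts carrying a known-exploited, ransomware-linked vulnerability that is already past its due date are the ones to fix this week. The MFA audit reports per-group coverage rather than a single percentage because, as the article notes, the dangerous gaps are entire classes of accounts with nothing enforced.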
Building Industry-Wide Resilience
While rural hospitals have traditionally been considered most vulnerable to cyberattacks, recent incidents demonstrate that organizations of all sizes face significant threats. The healthcare industry’s collaborative approach through resources like Health-ISAC offers a crucial support network for improving cybersecurity resilience across the sector.
With near-daily attacks targeting healthcare providers, cybersecurity has become a shared responsibility requiring collective vigilance, resource-sharing, and continuous improvement regardless of organizational size or location.