How to Systematically Manage Risks in Healthcare Cybersecurity

April 2, 2019 Arctic Wolf Networks

Frost & Sullivan forecasts the Internet of Medical Things (IoMT) will grow from an estimated 4.5 billion devices in 2015 to as many as 30 billion by 2020. For medical providers, these devices are the answer to more efficient and reliable healthcare delivery.

But for cybercriminals, weak medical device security is practically a godsend. This is why managing risks in healthcare cybersecurity has never been more important. 

A consistent and systematic approach is imperative for protecting against risks posed by medical devices. To that end, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a roadmap for developing a comprehensive risk-management strategy. While the NIST Cybersecurity Framework is voluntary, its standards, guidelines, and best practices enable your healthcare organization to minimize threats systematically.

The framework outlines five steps:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

These steps help you prioritize risks and improve infrastructure resilience. It’s a flexible approach that you can fully adapt to your organization’s needs.

A variety of medical devices inside of a hospital room.

Start with Asset Discovery

Protecting what you can’t see is like prescribing medication without a patient diagnosis. It doesn’t work—and it’s dangerous.

Yet the 2019 HIMSS Cybersecurity Survey found that only 47 percent of surveyed organizations included medical devices in their security risk assessments. The challenge is the lack of visibility. To solve it, you must identify all network assets. Once you’ve discovered the assets and understand the attack surface, you can implement effective remediation.

Assess, Prioritize, Patch

The next NIST framework step—protect—puts the focus on prevention by assessing risks and prioritizing vulnerabilities.

Recommended best practices for assessing vulnerabilities include the use of the:

After you’ve assessed and prioritized vulnerabilities, it’s time to implement patching policies. Compliance frameworks often have strict patching requirements—for example, the latest PCI-DSS version (3.2) recommends installing a security patch within one month of release. But the reality is that reaching a 100-percent patch level is extremely difficult for healthcare organizations.

Even with consistent patching, threats slip through. A strong patching policy isn’t fool-proof because of the gap between the discovery of a vulnerability and the patch release. In the case of WannaCrypt0r (or WannaCry), the infamous ransomware took advantage of a vulnerability that had been known publicly for two months before Microsoft released a patch.
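As an added illustration of the assess-prioritize-patch cycle above (example code, not Arctic Wolf's or NIST's), the script below checks a constructed device inventory against the one-month patch window the text cites, and separately flags the two gaps it describes: devices left out of the risk assessment, and vulnerabilities that are public but have no vendor patch yet. All device names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 30  # PCI-DSS 3.2 "within one month" guidance cited above

@dataclass
class Finding:
    device: str                     # asset from the inventory (constructed name)
    in_assessment: bool             # did the risk assessment include it?
    disclosed: date                 # vulnerability became publicly known
    patch_released: Optional[date]  # None: vendor has shipped no fix yet
    patched_on: Optional[date]      # None: fix not yet applied

def classify(f: Finding, today: date) -> str:
    # Visibility gap first: a device outside the assessment cannot be patched on policy.
    if not f.in_assessment:
        return "unassessed"
    # Disclosure-to-patch gap (the WannaCry case in the text): nothing to install yet.
    if f.patch_released is None:
        return "no_patch"
    if f.patched_on is not None:
        return "patched"
    age = (today - f.patch_released).days
    return "within_window" if age <= PATCH_WINDOW_DAYS else "overdue"

def exposure_days(f: Finding, today: date) -> int:
    # Days the flaw was exploitable: from disclosure until the fix landed (or today).
    return ((f.patched_on or today) - f.disclosed).days

def summarize(findings, today: date) -> dict:
    # Group devices by status, longest exposure first, so the overdue list is actionable.
    out: dict = {}
    for f in sorted(findings, key=lambda x: -exposure_days(x, today)):
        out.setdefault(classify(f, today), []).append(f.device)
    return out

# Constructed inventory (not real devices or advisories); 'today' is the article date.
TODAY = date(2019, 4, 2)
INVENTORY = [
    Finding("infusion-pump-07", True, date(2019, 1, 15), date(2019, 2, 1), None),
    Finding("ct-workstation-02", True, date(2019, 3, 10), date(2019, 3, 20), None),
    Finding("patient-monitor-11", False, date(2019, 2, 5), date(2019, 2, 10), None),
    Finding("lab-analyzer-03", True, date(2019, 2, 1), None, None),
    Finding("ehr-app-server", True, date(2019, 2, 20), date(2019, 3, 1), date(2019, 3, 5)),
]

if __name__ == "__main__":
    for status, devices in summarize(INVENTORY, TODAY).items():
        print(f"{status:14} {', '.join(devices)}")
```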

Detect and Respond to Healthcare Cybersecurity Threats with 24/7 Monitoring

In complex healthcare IT environments, detecting and responding to anomalous events is an ongoing priority. Establishing a security operations center (SOC) allows you to consistently monitor the OT and IT networks for those threats.

A typical healthcare organization lacks both the expertise and the technology for a SOC—as well as the financial resources to invest in both. That’s why a SOC-as-a-service partner can take the pressure off your IT team while lowering the costs of running a SOC.

To learn more about best practices for systematically managing healthcare security risks, download our free white paper.
