How to Systematically Manage Risks in Healthcare Cybersecurity


Frost & Sullivan forecasts the Internet of Medical Things (IoMT) will grow from an estimated 4.5 billion devices in 2015 to as many as 30 billion by 2020. For medical providers, these devices are the answer to more efficient and reliable healthcare delivery.

But for cybercriminals, weak medical device security is practically a godsend. This is why managing risks in healthcare cybersecurity has never been more important. 

A consistent and systematic approach is imperative for protecting against risks posed by medical devices. To that end, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a roadmap for developing a comprehensive risk-management strategy. While the NIST Cybersecurity Framework is voluntary, its standards, guidelines, and best practices enable your healthcare organization to minimize threats systematically.

The framework outlines five steps:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

These steps help you prioritize risks and improve infrastructure resilience. It’s a flexible approach that you can fully adapt to your organization’s needs.

A variety of medical devices inside of a hospital room.

Start with Asset Discovery

Protecting what you can’t see is like prescribing medication without a patient diagnosis. It doesn’t work—and it’s dangerous.

Yet the 2019 HIMSS Cybersecurity Survey found that only 47 percent of surveyed organizations included medical devices in their security risk assessments. The challenge is the lack of visibility. To solve it, you must identify all network assets. Once you’ve discovered the assets and understand the attack surface, you can implement effective remediation.
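The visibility gap described above shows up concretely when a registered asset inventory is reconciled against what is actually observed on the network. The following is an added example, not code from the original post or from Arctic Wolf; the inventory and observation records are constructed sample data, and the column names (`mac`, `in_risk_assessment`, `vlan`) are assumptions for illustration. It classifies each observed device as covered by the risk assessment, registered but out of scope, or entirely unknown.

```python
import csv
import io

# Constructed sample: the registered asset inventory, with a flag for whether
# each device is included in the security risk assessment (hypothetical schema).
INVENTORY_CSV = """mac,hostname,owner,in_risk_assessment
00:1a:2b:00:00:01,infusion-pump-07,biomed,yes
00:1a:2b:00:00:02,mri-console-02,radiology,yes
00:1a:2b:00:00:03,patient-monitor-11,icu,no
"""

# Constructed sample: passive network observations (e.g. DHCP lease or ARP
# records) exported to CSV. Two MACs here are absent from the inventory.
OBSERVED_CSV = """mac,ip,vlan
00:1a:2b:00:00:01,10.20.1.7,clinical
00:1A:2B:00:00:02,10.20.1.12,clinical
00:1a:2b:00:00:03,10.20.1.33,clinical
00:1a:2b:00:00:09,10.20.1.41,clinical
00:1a:2b:00:00:10,10.30.2.5,guest
"""


def load(csv_text: str) -> list[dict]:
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_rows: list[dict], observed_rows: list[dict]) -> dict:
    """Compare observed devices against the inventory.

    Returns three lists keyed by status:
      covered      - registered and in the risk assessment
      out_of_scope - registered but excluded from the risk assessment
      unknown      - seen on the network, never registered
    MAC addresses are normalised to lower case so case differences between
    data sources do not produce false 'unknown' results.
    """
    inventory = {r["mac"].strip().lower(): r for r in inventory_rows}
    result = {"covered": [], "out_of_scope": [], "unknown": []}
    for obs in observed_rows:
        mac = obs["mac"].strip().lower()
        entry = inventory.get(mac)
        if entry is None:
            result["unknown"].append({"mac": mac, "ip": obs["ip"], "vlan": obs["vlan"]})
        elif entry["in_risk_assessment"].strip().lower() != "yes":
            result["out_of_scope"].append({"mac": mac, "hostname": entry["hostname"], "ip": obs["ip"]})
        else:
            result["covered"].append({"mac": mac, "hostname": entry["hostname"], "ip": obs["ip"]})
    return result


def assessment_coverage(result: dict) -> float:
    """Fraction of observed devices that the risk assessment actually covers."""
    total = sum(len(v) for v in result.values())
    return len(result["covered"]) / total if total else 0.0


def run_sample() -> dict:
    """Reconcile the constructed sample data and return the classification."""
    return reconcile(load(INVENTORY_CSV), load(OBSERVED_CSV))


if __name__ == "__main__":
    res = run_sample()
    for status, devices in res.items():
        print(f"{status}: {len(devices)}")
        for d in devices:
            print("   ", d)
    print(f"risk-assessment coverage of observed devices: {assessment_coverage(res):.0%}")
```

The "unknown" bucket is where unmanaged medical devices usually surface; the "out_of_scope" bucket is the gap the HIMSS figure points at, since those devices are known to the organization but still missing from the assessment.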

Assess, Prioritize, Patch

The next NIST framework step—protect—puts the focus on prevention by assessing risks and prioritizing vulnerabilities.

Recommended best practices for assessing vulnerabilities include the use of the:

After you’ve assessed and prioritized vulnerabilities, it’s time to implement patching policies. Compliance frameworks often have strict patching requirements—for example, the latest PCI-DSS version (3.2) recommends installing a security patch within one month of release. But the reality is that reaching a 100-percent patch level is extremely difficult for healthcare organizations.

Even with consistent patching, threats slip through. A strong patching policy isn’t fool-proof because of the gap between the discovery of a vulnerability and the patch release. In the case of WannaCrypt0r (or WannaCry), the infamous ransomware took advantage of a vulnerability that had been known publicly for two months before Microsoft released a patch.
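To make the "assess, prioritize, patch" cycle and the disclosure-to-patch gap concrete, here is an added example that is not code from the original post or from Arctic Wolf. It takes a constructed list of vulnerability findings on medical devices, checks each against the one-month patch window the text cites from PCI-DSS 3.2, and ranks the open items: findings with no vendor patch yet (the WannaCry-style gap) come first because they need compensating controls rather than a patch, then overdue items, then items still inside the window. The device names, vulnerability identifiers, dates and severity scores are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# One-month window as cited in the text for PCI-DSS 3.2 (expressed as 30 days here).
PATCH_WINDOW = timedelta(days=30)


@dataclass
class Finding:
    asset: str                       # hypothetical device identifier
    vuln_id: str                     # placeholder vulnerability identifier (constructed)
    severity: float                  # CVSS-style 0-10 score (constructed)
    disclosed: date                  # when the vulnerability became public
    patch_released: Optional[date]   # None = vendor has not shipped a fix yet
    patched_on: Optional[date]       # None = fix not yet applied to this asset


# Constructed sample findings; dates chosen to exercise every status below.
SAMPLE = [
    Finding("infusion-pump-07", "VULN-0001", 9.8, date(2019, 3, 1), date(2019, 3, 5), date(2019, 3, 20)),
    Finding("mri-console-02", "VULN-0002", 7.5, date(2019, 2, 10), date(2019, 2, 12), None),
    Finding("patient-monitor-11", "VULN-0003", 8.1, date(2019, 4, 1), None, None),
    Finding("lab-analyzer-03", "VULN-0004", 5.3, date(2019, 4, 20), date(2019, 4, 22), None),
]
TODAY = date(2019, 5, 1)

# Lower rank = handled first. "no-patch" outranks "overdue" because no amount of
# patching diligence closes it; it needs isolation, monitoring or other controls.
STATUS_RANK = {"no-patch": 0, "overdue": 1, "within-window": 2, "patched": 3}


def classify(f: Finding, today: date) -> str:
    """Status of one finding relative to the patch window as of `today`."""
    if f.patch_released is None:
        return "no-patch"
    if f.patched_on is not None and f.patched_on <= today:
        return "patched"
    if today - f.patch_released > PATCH_WINDOW:
        return "overdue"
    return "within-window"


def prioritize(findings: list[Finding], today: date) -> list[dict]:
    """Open findings ordered by status rank, then severity (high first), then exposure days."""
    rows = []
    for f in findings:
        status = classify(f, today)
        if status == "patched":
            continue
        rows.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "status": status,
            "severity": f.severity,
            "days_exposed": (today - f.disclosed).days,
        })
    rows.sort(key=lambda r: (STATUS_RANK[r["status"]], -r["severity"], -r["days_exposed"]))
    return rows


def compliance_rate(findings: list[Finding], today: date) -> float:
    """Share of findings whose patch window has closed that were patched inside it.

    Findings with no patch available are excluded (nothing to comply with yet),
    as are findings whose window is still open (outcome not yet decided).
    """
    decided = compliant = 0
    for f in findings:
        if f.patch_released is None:
            continue
        window_closed = today - f.patch_released > PATCH_WINDOW
        if f.patched_on is not None:
            decided += 1
            if f.patched_on - f.patch_released <= PATCH_WINDOW:
                compliant += 1
        elif window_closed:
            decided += 1
    return compliant / decided if decided else 1.0


if __name__ == "__main__":
    for row in prioritize(SAMPLE, TODAY):
        print(f"{row['status']:<14} {row['asset']:<20} sev={row['severity']:<4} exposed={row['days_exposed']}d")
    print(f"patch-window compliance: {compliance_rate(SAMPLE, TODAY):.0%}")
```

Tracking `days_exposed` from disclosure rather than from patch release is deliberate: it is the number that reflects the gap the text describes, where an attacker can act before any patch exists.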

Detect and Respond to Healthcare Cybersecurity Threats with 24/7 Monitoring

In complex healthcare IT environments, detecting and responding to anomalous events is an ongoing priority. Establishing a security operations center (SOC) allows you to consistently monitor the OT and IT networks for those threats.

A typical healthcare organization lacks both the expertise and the technology for a SOC—as well as the financial resources to invest in both. That’s why a SOC-as-a-service partner can take the pressure off your IT team while lowering the costs of running a SOC.

To learn more about best practices for systematically managing healthcare security risks, download our free white paper.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.