The intersection of technology transformation and security in healthcare

June 20, 2019
Security threats populate a much more varied threat landscape that healthcare executives must contend with

The evolution of technology in healthcare brings with it both incredible opportunities and risks.

Today, healthcare accounts for 30% of the world’s data production. Payors and providers made substantial investments in the cloud, spending nearly $9 billion on cloud solutions just two years ago, and that’s expected to double by 2021. Organizations report solid ROI on that investment, including productivity gains of 15-20%, primarily through the adoption of AI by cloud providers.

Consumers also are behind the evolution of technology by adopting a "bring your own data" mentality, largely enabled by EMR (Electronic Medical Records) that improve access and portability.  By 2020, as much as 25% of data used in medical care will be collected and shared with healthcare systems by patients themselves. 

These developments are exciting, but they are accompanied by serious risks. For example, ransomware attacks on healthcare organizations have doubled, and providers have typically been unprepared to respond to these attacks and to protect patient and organization data.

The Four Pillars of Technology Transformation

We are often asked by healthcare clients about best practices to help them prepare for the opportunities and risks during their healthcare technology transitions. So, let’s start by identifying what the industry refers to as the four pillars of healthcare technology transformation.

  1. Health IT
  2. Precision Medicine
  3. Connected Health
  4. Security

Health IT -- Growth in clinical applications as well as the reliance upon private, public and hybrid cloud require modern infrastructures that can support new, growing workloads. Technology will continue to automate manual tasks and reduce bottlenecks to accelerate the speed of innovation. IT will deliver differentiated business models and capabilities to patients and internal healthcare users. All this will be achieved through a modern data center with automated service delivery and transformed IT operations that utilize multi-cloud integration.

Precision Medicine -- Rapid transformation is well underway in big data and analytics, machine learning, and clinical genomics and HPC. Organizations are expanding their capabilities to analyze data that exist across disparate systems. Big data analytics across EMRs, data warehouses, research, case studies and patient data will enable healthcare organizations to develop and exploit insights through massive volumes of data.

Connected Health -- Innovative devices, healthcare IoT, TeleHealth and patient engagement make up the Connected Health pillar. Innovative devices and displays put organizational success within the healthcare provider’s hands through technology designed specifically for the way they work. IoT and digital workplace solutions will deliver seamless user experiences without sacrificing management or security.

Solutions will integrate IoT, identity, application and enterprise mobility to deliver anytime, anywhere access to all apps and services across all devices. Of course, all this innovation we are witnessing will only accelerate with the adoption of 5G bandwidth. And perhaps most important of all, technology will empower patient engagement, including the development of technologies that provide new means of care, such as telehealth, teleconsultations, patient portals, etc.

Security -- The fourth pillar of transformation is security. It must not only be its own center of innovation, it must also protect the three other pillars along with the entire IT infrastructure, from edge-to-edge and end-to-end. This is a new way of thinking about security as we move away from point security to comprehensive security, and we’ll break it down in more granular fashion in just a moment.

The bottom line is, it’s our responsibility to protect data (and patients), detect threats, and control access to every point of the infrastructure. That operational construct is critical to our ability to effectively manage risk, today and tomorrow.

Transformation Brings Risk

The consequences of data breaches in healthcare go beyond identity theft because compromised data can put a patient at risk, incur costly fines, damage the provider’s reputation, and hinder organizational effectiveness. Worse yet is the potential loss of control of interconnected medical devices, systems and operational processes which could seriously endanger patient care.

When we think about the digital transformation of healthcare operations, it’s important to understand how it brings with it greater risk. First, technology allows more users in more places. Those accessing your system are no longer limited to the secure walls of a building. Whether it’s a hospital complex, remote physician offices or administrative support center, information is now shared via the cloud and accessed from both company and personal devices.

The number of applications and devices utilized daily is growing. On average, the typical worker utilizes three or more different devices to access company information, with 75% of them saying they’ve personally experienced attacks on at least one of their devices in the past year.

These endpoint devices are becoming increasingly difficult to protect. Mobile devices, cloud data and user behavior are critical to address but hard to enforce. So, what’s a healthcare provider to do? We are often asked what the best practices are to protect information and ensure operations aren’t compromised. The response must be direct, multi-layer threat protection. That requires a “unified” approach, and it’s the best way to protect healthcare operations and keep them running efficiently.

How to Address 8 Critical Areas of Protection

Think of multi-layer threat protection in the form of a workplace security stack that addresses eight critical areas of protection. Historically, managers have applied security to one or more levels, in effect, protecting certain areas and leaving others vulnerable. A comprehensive, holistic approach requires that we apply edge-to-edge, end-to-end security, and that requires all eight layers be addressed, including:

  1. Endpoint management – monitoring and proactive/automated remediation for end user devices whether mobile, remote, or in office.
  2. Advanced malware protection – detection, containment and removal of threats across all endpoints.
  3. Secure remote access – secure connections to the enterprise network by any device, at any time or location.
  4. Secure internet gateway – blocking malicious destinations before connections are established.
  5. Apple/iOS security protector – advanced protection for iOS devices over wired, wireless and cellular networks.
  6. Mobility management – single sign-on access to business applications based upon the user’s persona.
  7. Identity management – visibility and dynamic control of users and devices accessing wired, wireless and VPN connections.
  8. Next generation firewalls – unified threat management with integrated firewall, intrusion prevention service (IPS), content filtering and advanced malware protection.

When we talk about endpoint management, many endpoint solutions claim to block 99% of the threats. With that level of effectiveness, why should you worry about anything else? Well, for one thing, it’s the remaining 1% of threats that tends to be the most disruptive, the most challenging to defend against, and the most costly to healthcare operations.

For advanced malware protection, the focus is on preventing, detecting and reducing risk. We can prevent with antivirus, file-less malware detection and cloud lookups. To detect, we can use static analysis, sandboxing, malicious activity protection and machine learning. And to reduce risk, we identify vulnerable applications, including through low-prevalence and proxy log analysis.

A critical place for additional focus is the cloud. Users and applications have adapted to the cloud, so security must as well. With 49% of the workforce now mobile and 82% admitting they don’t use a virtual private network (VPN), security controls must shift to the cloud. We look to two areas of our workplace security stack, secure remote access and secure internet gateway, to provide protection for those accessing cloud data. With this layer of defense, we can block malicious destinations wherever users go, even when they connect outside of the VPN.

We must also now address iOS devices for security protection. Once assumed always safe, iOS devices are now increasingly targeted and vulnerable to attacks just like other mobile and desktop devices. Ensuring the latest Apple phone is given the same attention as Android, Windows and other SaaS applications in your security plan will address some of the remaining 1% of threats that are lurking in search of vulnerabilities.

Identity management is another important area to address. Who is the user, and should you grant them conditional access? A best practice is a single point of identity and access management for all endpoints across the network, wireless and wired. This identity and access management should offer:

  • Profiling – Who is the user, what device, where is it?
  • Posturing – Is the device clean? Is anti-virus up to date?
  • Quarantining until device meets minimum standards
  • Access granted based upon role, device, time, location, application, etc.
  • Guest – Simplified self-service access
  • Real-time view & analysis of all users and traffic
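
The decision flow in this list (guest handling, posture check, quarantine, then access by role, application, location and time) can be sketched as a small policy evaluator. This is an added example, not code from the authors or any product; the roles, applications, locations and the 7-day anti-virus threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed policy: role -> applications, locations and hours it may use.
ROLE_POLICY = {
    "clinician": {"apps": {"emr", "pacs"}, "locations": {"hospital", "clinic"},
                  "hours": (time(0, 0), time(23, 59))},
    "billing": {"apps": {"billing"}, "locations": {"admin-office"},
                "hours": (time(7, 0), time(19, 0))},
}
GUEST_APPS = {"internet"}      # guests get self-service internet access only
MAX_AV_AGE_DAYS = 7            # assumed minimum standard for signature age

@dataclass
class AccessRequest:
    user: Optional[str]        # None means an unauthenticated guest
    role: Optional[str]
    malware_detected: bool     # posture: is the device clean?
    av_age_days: int           # posture: is anti-virus up to date?
    location: str
    app: str
    at: time

def decide(req: AccessRequest) -> tuple:
    """Return (decision, reason); decision is allow, guest, quarantine or deny."""
    # Guest: no identity, so only the guest applications are reachable.
    if req.user is None:
        if req.app in GUEST_APPS:
            return ("guest", "self-service guest access")
        return ("deny", "guests cannot reach internal applications")
    # Posturing: a failing device is quarantined until it meets the
    # minimum standard, regardless of who the user is.
    problems = []
    if req.malware_detected:
        problems.append("malware detected")
    if req.av_age_days > MAX_AV_AGE_DAYS:
        problems.append("anti-virus out of date")
    if problems:
        return ("quarantine", ", ".join(problems))
    # Access granted by role, application, location and time.
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return ("deny", "no policy for role")
    if req.app not in policy["apps"]:
        return ("deny", "application not permitted for role")
    if req.location not in policy["locations"]:
        return ("deny", "location not permitted for role")
    start, end = policy["hours"]
    if not (start <= req.at <= end):
        return ("deny", "outside permitted hours")
    return ("allow", "role, device, time and location checks passed")
```

Returning the reason with every decision gives the real-time view something to record: each quarantine or denial says which check failed.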

Implementation of next generation firewalls completes the multi-layer threat protection. Next generation firewalls deliver integrated threat defense across the entire attack spectrum.

In Summary

With the increasing use of technology throughout healthcare, security should be on the mind of every CTO, CMO, CEO and board member. When we talk about security lapses, we often think about data breaches. While those are a significant issue, security threats populate a much more varied threat landscape that we must contend with.

Security attacks upon healthcare are becoming more frequent and more serious just as they are among other sectors that make up our critical infrastructure. As concerning as a phishing attack or a loss of data might be, the loss of control over our critical healthcare systems and devices upon which we rely for quality of care would be potentially the most catastrophic of all. The good news is we have the tools and technology to secure our critical infrastructures and ensure the confidence of our users, patients and families.

About the Authors:

Louie Belt is the U.S. Principal Solutions Architect for Getronics. Louie specializes in advanced technologies and security. Todd Graham is a Key Account Director at Getronics, responsible for assisting healthcare customers with securing, protecting, optimizing and leveraging their data. Getronics is a global leader in Managed Workspace, Applications, Industry Specific Software Solutions, Multi-Cloud Management, Unified Communications and Security Services providing a proactive, end-to-end portfolio to enable the digital user – business or consumer, in both public and private sector.