Cybersecurity leadership panel shares perspective on healthcare IoT and protecting patient data
IoT devices have advanced healthcare efficiency and productivity, while supporting better care. But they also pose serious patient data security risks. Hear from cybersecurity leaders on the inherent challenges and best practices.
In late May of 2023, a panel of cybersecurity leaders discussed the impact of healthcare IoT devices on patient data security. Hosted by business consulting firm Frost & Sullivan, the cybersecurity Think Tank, “Protecting Patient Data: The Importance of Cybersecurity in Healthcare IoT” yielded timely insights on this evolving issue. The discussion was facilitated by Frost & Sullivan moderators Greg Caressi, Senior Vice President, and Dr Rishi Pathak, Global Research Director. Panelists included Gus Malezis, President & CEO at Imprivata; Timur Ozekcin, CEO at Cylera; and Tapan Mehta, Global Leader of Healthcare & Pharma Life Sciences Strategy at Palo Alto.
Following are three pivotal questions posed to the panel and a summary of their perspectives.
Setting priorities to combat healthcare IoT security risks
Question posed to panel: Across the US healthcare market, the strategic priority of security management for all HIT applications has been growing since 2019. However, spending on security solutions as a percentage of total spending on IT is not increasing proportionally. Even in 2023, more than 50% of health systems are either inadequately trained or lack robust security infrastructure to prevent disruptions in day-to-day clinical operations.* Given this environment, what do healthcare organizations need to prioritize to remain safe in a reality of expanding risk?
What they said:
- With healthcare organizations relying on IoT devices in the hospital, ambulatory, and in-home care settings, it’s critical they take a more holistic security view beyond on-premises needs to an anytime-anywhere-any device-any application approach. Organizations should apply the same level of security protocols across this perimeter-less environment to improve access to IoT devices and secure patient data. Strong remote access security solutions coupled with identity management practices can enable healthcare organizations to easily scale their security strategy across endpoints to follow Zero Trust principles.
- While the focus on investments in EHR efficiency and clinician productivity is vital, healthcare cybersecurity spending is below average compared to other industries. The investment in data protection – and preventing ransomware attacks in particular – needs to be increased to help avoid significant vulnerabilities.
- Third party vendor operational and security issues create significant risks to healthcare organizations’ data, patient care, and continuity. More attention needs to be given to improve supply chain access. Panelists recommended that organizations create better policies focused on response in the case of a third-party security event (and preventing third-party access issues in the first place).
- Along with technology, healthcare IT teams need to make greater investments in people and skills to ensure proper security and mitigate risk. Managed services providers can help fill that resource gap, and leveraging cloud services will give providers faster, easier access to optimize their expertise.
- While the government has provided helpful guidance surrounding privacy, healthcare organizations need more government guidance when it comes to the use of IoT devices. That includes overall device security, patching requirements, and processes for device certification/recertification.
Patient data security best practices in an expanded network landscape
Question posed to panel: Privacy and cybersecurity will expand beyond the traditional network landscape to secure a connected, adaptive, and collaborative ecosystem, irrespective of the asset’s location, type, or function. What are some of the best practices you have seen/recommend to mitigate some of these healthcare industry cybersecurity challenges?
What they said:
- It’s important for healthcare organizations to take a closer look at rolling back access privileges and implementing privileged access controls. The more individuals with elevated privileges, the greater opportunities there are for a lateral explosion of malware and ransomware infiltrating critical assets.
- Given the proliferation of healthcare IoT devices, organizations need greater visibility to better understand potential risks. How are they being used? Do you need them all? They also need stronger enforcement of policies addressing device privacy, security, and compliance considerations, as well requirements for manufacturer risk mitigation.
- The need for greater visibility also extends to policies focused on setting up alert capabilities to flag anomalies. This attention to internal- and external-use high risk devices – especially medical devices – can help better protect data, including critical assets.
- Healthcare organizations have an ongoing, unique level of challenge when it comes to balancing strong security and easy access. Both are vital, and you can’t compromise one for the other. Making a strategic investment in digital identity solutions designed to achieve the crucial security/access balance will continue to be imperative.
Preparing for change driven by emerging cybersecurity solutions
Question posed to panel: More than 90% of all US-based healthcare organizations reported at least one security breach from 2019 through 2023.* Emerging cybersecurity solutions for advanced medical devices and IoT enablers are disrupting how traditional cybersecurity vendors operate in this space. How do you see this trend evolving in the next two-to-three years?
What they said:
- Vendor consolidation will play an even greater role in improving efficiency and solution integration. As part of that, healthcare organizations need to address risk assessment and remediation processes among multiple vendors, including legal, procurement, and vulnerability disclosure issues.
- Massive cyberattack disruptions to both large and smaller healthcare organizations will continue to plague the industry, underscoring the need for greater investment in cybersecurity measures and more government guidance on cybersecurity in general.
- Healthcare organizations will continue to struggle to secure highly restrictive cyber insurance policies, which make it extremely difficult to qualify for and afford the coverage they need, especially as they look to make every dollar count to enhance cybersecurity, improve patient care, and protect patient privacy.
To learn more about protecting patient data in an expanded network landscape featuring a proliferation of healthcare IoT devices, make sure to check out the recording of the panel discussion.
*Frost & Sullivan
“Along with technology, healthcare IT teams need to make greater investments in people and skills to ensure proper security and mitigate risk. Managed services providers can help fill that resource gap, and leveraging cloud services will give providers faster, easier access to optimize their expertise.”
- Gus Malezis, President & CEO at Imprivata
“It’s important for healthcare organizations to take a closer look at rolling back access privileges and implementing privileged access controls. The more individuals with elevated privileges, the greater opportunities there are for a lateral explosion of malware and ransomware infiltrating critical assets.”
- Gus Malezis, President & CEO at Imprivata
“Massive cyberattack disruptions to both large and smaller healthcare organizations will continue to plague the industry, underscoring the need for greater investment in cybersecurity measures and more government guidance on cybersecurity in general.”
- Gus Malezis, President & CEO at Imprivata