3 Ways to Use Zero Trust to Reduce Cybercrime Risk in Healthcare
Data breaches are increasingly common in healthcare and life sciences, and the consequences are becoming more severe. Besides reputational damage, the financial impact is steep — IBM reports that the average cost of a data breach for healthcare organizations tops US$10 million.
One of the primary reasons behind the rise in data breaches is that cybercriminals have become more skilled, organized, and sophisticated, according to the American Hospital Association and Porter Research. Malicious actors are now capable of targeting medical devices themselves, not just an organization’s networks.
Without addressing how to prevent data breaches in healthcare, hospitals, provider groups, their patients, and beyond are vulnerable to potentially devastating attacks. That could mean organizational downtime, financial impact, and affect the long-term resilience of healthcare institutions.
Why breaches are becoming more common
Legacy computer systems rarely meet current security standards and often miss security patches.
Staff turnover can also create knowledge gaps for how to maintain these systems, which has become especially problematic since the Great Resignation. Many staff with legacy knowledge retired or left, and there is a broad lack of skilled cybersecurity personnel in healthcare.
In fact, the Healthcare Information and Management Systems Society’s recent annual cybersecurity report finds that the most common barrier to achieving a robust cybersecurity program in healthcare settings is a lack of qualified staff.
Administrators outside of IT also tend to underestimate cybercriminal risk. This underestimation, when combined with healthcare’s frequent use of third-party vendors that can introduce vulnerabilities and widen attack surfaces, increases the likelihood of a security breach.
How Zero Trust can help
One of the best approaches to fighting cybercrime for healthcare organizations is Zero Trust, a security framework that relies on strong authentication and authorization for every device and every person before any access or data transfer takes place on a private network.
Zero Trust ensures that no user or device — regardless of that user’s status in the organization — is trusted as authentic until verification. This is true even if the user has logged in many times before, and whether attempts to access the network come from inside or outside the organization. Zero Trust provides a comprehensive set of security strategies that go beyond traditional, perimeter-based measures.
A key aspect of Zero Trust is microsegmentation. This lateral defense strategy helps IT organizations map and understand which applications are communicating with other applications, users, and devices.
3 ways healthcare can use Zero Trust to reduce the risk of cybercrime
There are three key approaches that healthcare and life sciences organizations can use to implement a Zero Trust security framework and help reduce their risk of a breach:
Leverage microsegmentation
Apply Zero Trust principles inside and outside of the traditional perimeter
Implement effective "bring your own device" policies
Leverage microsegmentation
Microsegmentation helps by limiting access to specific parts of the network. Even if cybercriminals gain access to a single segment, they will not be able to move laterally and access other parts of the network. When access is contained, harm can be mitigated.
If a network segment is attacked and taken offline, the devices on it must still operate.
Example. Consider a neonatal monitoring system that talks to a centralized data collection system — If the network fails, can that monitor continue to run? Microsegmentation allows the system to be architected in a way that if the core network fails, the system can keep running and the babies can continue to be monitored.
Apply Zero Trust principles inside and outside of the traditional perimeter
Electronic health records systems — most of which have patient-facing portals or apps to request medications or pay bills — are enormous clinical and financial targets for hackers. Because these resources require strict protective measures, organizations should adopt a Zero Trust approach to these solutions by requiring secure login protocols for both staff and patients.
Example. Zero Trust protocols and patient-facing Zero Trust principles should also apply to patients who require chronic care and use remote patient monitoring devices. Connections to organizations’ networks should be secured. Solutions for how to protect healthcare data should allow healthcare organizations to track the risk posture of connected medical devices and evaluate vulnerabilities like FDA recalls, patch updates, and more.
Implement effective "bring your own device" policies
Bring your own device (BYOD) policies can establish clear guidelines for how employees use their personal devices for work-related tasks, including which types of data can be accessed and how that data should be protected. This can help prevent data breaches and other cyberattacks that result from unauthorized access. BYOD policies are also important for support staff and clinical staff who work from home and have remote network access.
Example. Sound policies should require employees to install and frequently update security software on their devices, use secure Wi-Fi networks, encrypt data transmitted over these networks, and report any lost or stolen devices immediately. Taken together and vigilantly enforced, these policies can help prevent unauthorized access to sensitive data and mitigate the impact of potential cyberattacks.
Data breaches won’t wait: Act now
Because data breaches are a significant threat to healthcare provider organizations, hospitals, and those who interact with them across the industry ecosystem, it's necessary to take proactive steps to protect patient data. By investing in security infrastructure, training personnel, and adopting a Zero Trust approach, healthcare organizations ensure that patient data is protected and that their reputations remain intact.
Don't wait to implement a healthcare cybersecurity Zero Trust model. Protecting patient privacy and data security is vital to continuous uptime and the ability to deliver excellent patient care. As patients become more aware of the risks of data breaches, healthcare providers that prioritize data security will have a competitive advantage.
Find out more
Learn more about how Akamai can help secure your organization — and protect your patients — by hardening your infrastructure to prevent downtime from cyberattacks and data breaches.