At the HIMSS23 conference, healthcare security leaders gathered to discuss the challenges and strategies for enhancing device security and managing third-party risks in the healthcare industry. With healthcare organizations relying on a vast ecosystem of connected devices, ensuring robust security measures is critical.
The discussions shed light on the need for collaboration, proactive risk management, and innovative approaches to protect patient safety and safeguard sensitive healthcare data.
The Complexity of Healthcare Ecosystems
Healthcare organizations face the complexity of managing a diverse range of network-connected devices.
According to a 2022 Proofpoint and Ponemon Institute report, the average organization has over 26,000 connected devices, including medical equipment and clinicians’ mobile devices.
Insecure medical devices and vulnerabilities in the supply chain are significant concerns, with only 51 percent of security professionals reporting that their organization has a prevention and response plan for potential attacks.
Expanding the Security Perimeter
The traditional view of healthcare organizations as contained within the four walls of hospitals or health systems is no longer sufficient.
Erik Decker, CISO of Intermountain Health, highlighted the need to acknowledge the interconnected nature of healthcare, with numerous back-channel access paths between medical device manufacturers, third-party service providers, and cloud solutions. Embracing a digital environment requires a paradigm shift in thinking, where technology becomes an integral part of healthcare innovation and transformation.
Collaboration and Enterprise Risk Management
Successful security initiatives require collaboration across departments and effective enterprise risk management.
Dee Young, CISO of UNC Health, shared the importance of bringing together diverse teams, including Biomed or clinical engineering under the IT department, to bridge the gap in skills and facilitate seamless patching and security efforts. Donald Lodge, Compliance Officer at Advocate Health, emphasized the need for cross-identifying key risks and aligning risk management goals throughout the organization. Effective communication and breaking down silos are crucial for building a resilient security framework.
Managing Third-Party Risks
As healthcare environments become increasingly interconnected, managing third-party risks becomes more complex.
Anahi Santiago, CISO of ChristianaCare, highlighted the need for tailored risk assessments that evaluate vendors’ cybersecurity practices and the maturity of their products. Vugar Zeynalov, CISO of Cleveland Clinic, acknowledged the challenge of balancing cybersecurity concerns with the life-saving potential of the equipment.
Product management and ownership fragmentation pose additional challenges, emphasizing the importance of resilience, response, and continuous monitoring in mitigating third-party risks.
HIMSS23 provided valuable insights into mitigating risks in the healthcare industry’s interconnected environment. With the growing number of network-connected devices, healthcare organizations must adopt proactive security measures. Collaboration, enterprise risk management, and practical third-party risk assessment are crucial in building a secure healthcare ecosystem. By prioritizing patient safety, safeguarding data, and embracing innovative security approaches, healthcare organizations can navigate the complexities of an increasingly connected world.
Sources:
https://healthtechmagazine.net/article/2023/04/himss23-mitigating-risk-healthcare-increasingly-connected-environment
https://www.proofpoint.com/us/cyber-insecurity-in-healthcare
https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf
https://intermountainhealthcare.org/
https://www.unchealth.org/home
https://www.advocateaurorahealth.org/
https://healthtechmagazine.net/article/2023/02/zero-trust-in-healthcare-perfcon
https://healthtechmagazine.net/article/2023/02/zero-trust-how-to-approach-connected-device-security
https://healthtechmagazine.net/article/2022/04/3-shifts-driving-need-improved-incident-response-healthcare
https://christianacare.org/us/en
https://my.clevelandclinic.org/