EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
The healthcare sector’s digital evolution has advanced patient care while amplifying the complexity of cyber threats.
In brief
- Today’s healthcare organisations operate in a highly complex environment and are reliant on a wide ecosystem of third and fourth-party service providers.
- The dependence of healthcare organisations on outdated legacy infrastructure and unpatched systems presents severe cyber challenges.
- Healthcare organisations must look beyond Zero Trust and employ cybersecurity mesh architecture to address cybersecurity issues.
The integration of connected devices in healthcare is potentially transformative, promising better patient care, improved diagnostics, and streamlined operations. These devices include wearable health trackers, remote patient monitoring tools, smart medical devices, and even the incorporation of IoT in hospital operations. They provide real-time data and analytics, enabling healthcare providers to make informed decisions and enhance patient care.
However, the rapid adoption of these technologies has exposed the healthcare sector to a host of cybersecurity challenges, exacerbated by a lack of investment in cybersecurity infrastructure. Connected devices collect and transmit sensitive patient data. Protecting this data from breaches is paramount, as unauthorised access can lead to identity theft, fraud or even endanger patients’ lives.
Many connected devices lack robust security features, making them vulnerable to cyberattacks.
There are also regulatory challenges. Healthcare organisations must adhere to stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the upcoming NIS2 Directive in Europe. Non-compliance can result in severe penalties.
These challenges are aggravated by a reliance on outdated legacy infrastructure. Many healthcare organisations are still dependent on old and unsupported operating systems and software, making them more susceptible to security vulnerabilities. These older systems are often not patched and updated in a timely manner, leaving them exposed to known threats. And they are frequently incompatible with modern cybersecurity solutions, complicating efforts to secure the infrastructure.
Need to secure multiple threat points
There is no easy solution to these challenges. Replacing legacy infrastructure requires significant financial investment, and many healthcare organisations are severely constrained by limited budgets and rising costs. Furthermore, the interconnectedness of highly complex healthcare systems renders standard security solutions largely ineffective.
The way the healthcare sector functions and the manner in which services are provided to it creates what is best described as an “elastic perimeter.”
Healthcare organisations deal with a range of third and fourth-party service providers including labs, GP surgeries, other health professionals, and technology providers. And each of these bring their own cyber exposures and vulnerabilities.
Patient care is now delivered at multiple locations with multiple actors involved. Each of these actors needs to share patient data and each operates their own separate and distinct systems. We cannot ask the healthcare system to redesign itself to accommodate security solutions, the solution must be designed to meet the needs of the system.
Assess the threat of your ‘elastic’ perimeter
In essence, this means that the Zero Trust architecture which is now favoured by the great majority of organisations around the world will not work for healthcare systems. It is simply not designed to deal with the highly complex nature of healthcare systems.
In the case were the organisation concerned is a hospital, its expertise lies in the patient care, not in the design of technology systems. If it requires an electronic health record (EHR) for patients, it will go to a third-party provider for one. If that EHR system needs to take APIs from the Department of Social Protection or other data sources, those sources will become fourth parties.
In these circumstances, if the hospital wants to authenticate an IP address, it might not have come from the third party EHR provider, it might have come from a fourth party, and it may actually arise from a breach at that organisation. But the hospital has no direct relationship with the fourth parties and no way of verifying their security arrangements. They are left in the position of having to trust the third party to do so.
This is what creates the elastic perimeter. The hospital has one relatively fixed perimeter defined by its connections with third parties, but that becomes elastic due to their connections with fourth parties.
In securing this elastic perimeter, the first step is to review the contracts with third parties to ensure they have the systems and governance in place to be alerted to breaches in fourth parties and an obligation to inform the hospital of all breaches.
The existing systems within the hospital will likely not lend themselves to a single solution like Zero Trust or Secure by Design.
You can’t just throw out large electronic health record systems or electronic patient management systems because the costs would run into hundreds of millions of Euros. And that’s before dealing with the regulatory aspects of replacing such sensitive systems. This means these systems require their own security solutions and will continue to do so until the organisation has the resources to update them.
This is where Zero Trust breaks down. Applications utilising Zero Trust will not be able to accept data from those legacy systems because they are not within the Zero Trust perimeter.
Building a ‘mesh’ of secure design
That means the organisation needs to implement a mesh security architecture which is uniquely suited to meeting the needs of healthcare organisations.
At its most basic, a cybersecurity mesh architecture (CSMA) enables the extension of security controls across widely distributed assets. It is highly flexible and is very suitable for modular approaches such as hybrid and multi-cloud architectures where data is held in multiple locations both on and off premise.
It doesn’t require the organisation to throw out or replace anything it already has. It provides a means of bringing together the multiple systems and solutions and giving the organisation control over them. And when the resources become available to replace existing systems, the new systems can be accommodated seamlessly. It builds on the security investments already made by the organisation instead of demanding huge investments in new systems and infrastructure.
This does not mean discarding defence in depth, securing by design or Zero Trust. In the healthcare industry or in a critical infrastructure environment where there are legacy systems in place there are large numbers of third party and fourth-party involvements and the focus is on interoperability and collaboration. Zero Trust and defence in depth can be an inhibitor to both.
Implementation of a cybersecurity mesh fosters interoperability and collaboration among various healthcare entities, enabling swift threat detection and response while safeguarding sensitive patient data.
By prioritising proactive risk mitigation strategies and investing in innovative security frameworks, the health sector can mitigate vulnerabilities, safeguard patient privacy, and uphold the trust of stakeholders in an increasingly interconnected landscape.
Adoption of CSMA can help bolster the resilience of the healthcare sector against evolving cyber threats. By decentralising security controls and emphasising identity-based access, organisations can establish a robust defence mechanism that adapts to the dynamic nature of modern healthcare ecosystems.
Summary
The combination of a complex multi-stakeholder operating environment and a high level of dependence on outdated legacy infrastructure presents healthcare organisations with acute cybersecurity challenges. Solutions like Zero Trust will not in isolation solve the problem. Instead, CSMA, which has the flexibility to accommodate existing systems and cyber solutions while delivering robust security levels, is required. CSMA will serve as a pivotal enabler for the widespread adoption of AI in healthcare. This security-centric approach ensures the integrity and confidentiality of sensitive patient data, bolstering trust among stakeholders while facilitating the seamless implementation of AI-driven solutions.
Related articles
How organisations can simplify the tech environment to stem cyberattacks
Bolstering cyber defences with new technologies may have the opposite effect due to added complexity. Find out why.
How a Converged Security Operations Centre can bolster cyber defence
A Converged Security Operations Centre offers greater coordination of multiple security offerings and enables a more rapid threat response. Find out how.