
Taking your risk management to new heights

By Tom Finn, Director of Business Development, Medigate

Health IT Security reported a 45% spike in attacks on healthcare providers between November 2020 and the end of the year. The healthcare sector alone accounted for 79% of all reported data breaches in 2020. And there are no signs that attacks are slowing. As we’ve quoted before, the healthcare sector is expected to be the target of two to three times more cyberattacks in 2021 than any other industry.

Singapore is not unfamiliar with the cost of these attacks on the healthcare sector. The assault on SingHealth’s specialist outpatient clinics in 2018 resulted in the breach of 1.5 million patient health records, the largest in Singapore’s history. In August 2021, Eye & Retina Surgeons (ERS), a specialist medical clinic in Singapore, was the target of a ransomware attack, affecting the data of over 73,000 patients.

The results of such successful breaches include disruption to operations, violation of patient privacy and safety, and erosion of confidence and reputation, all of which can have long-lingering consequences. Last year, security breaches cost healthcare companies upwards of $6 trillion. So, it’s reasonable that healthcare organizations are doing all they can to minimize their exposure and manage their risks.

Not on our watch

Unfortunately, there is no simple answer, no single silver bullet that can give you the protection you need against all the risks in your organization. For each health system, there is a unique combination of people, processes, and technologies that need to be in place to ensure appropriate governance and risk mitigation efforts align with the organization’s desired business outcomes.

A lack of visibility, communication, and coordination between all the security, biomedical, clinical engineering, and business stakeholders within a health delivery organization (HDO) creates gaps that make good governance difficult and effective risk mitigation almost impossible. That’s why it’s imperative these gaps be identified and understood. The self-assessment tool that Medigate has developed, “The Real-Time Healthcare Convergence Maturity Assessment,” can help. It generates a cybersecurity, operations, and business gap analysis that you can then leverage to assess and collectively address your enterprise risks.

“Mind the Gap”

Once these risks are understood, you can start to fill in the gaps to ensure everyone and everything is working together. It starts by establishing a “single source of truth” for your environment — one that provides a common language and understanding that can help bridge operational disconnects and divides. A single system of record can help everyone, from cybersecurity to biomed to business stakeholders, see what’s going on in the clinical networks and start to make effective decisions that will improve the organization’s operations and care.

Medigate provides this foundational visibility with our Medigate Device Security Platform (MDSP). We are working with organizations, large and small, to help them see and understand not only what is in their clinical networks, but also what these devices are doing (and whether or not they should be doing it). This gives stakeholders what they need to collectively establish operational and security frameworks for their clinical setting in line with their tolerance for risk.

Medigate’s visibility and insights can be used to power the key components of any successful risk management program. Here are what we feel are the main components to consider:

6 Components of Successful Risk Management Programs

  1. Accurately Assess Device Risks

Within healthcare organizations, risks need to be considered within the context in which they exist. This requires a combination of cybersecurity and clinical expertise to accurately identify whether something is tolerable (and even necessary) or a risk to the connected health system. A healthcare-specific risk framework can make these nuanced determinations, identifying and scoring risks, so they can be appropriately evaluated, prioritized, and addressed to keep patients and care safe.

  2. Manage Vulnerabilities

Because devices are often involved in care, risks have to be managed much differently from traditional IT to ensure dependencies are respected and operations kept intact. Health systems need to apply a clinical lens to their vulnerability management to ensure activities, such as scanning and patch management, can be carried out swiftly and without risk to the patient care protocols.

  3. Recommend Appropriate Remediations and Mitigations

Shutting down devices or blocking communications can have dire consequences within a clinical network, so it is important cybersecurity is inserted when and where it will be able to protect, without impacting care. Considering actions within their clinical context allows healthcare organizations to start to enforce policies and risk abatement strategies — through network-based control points (e.g., firewalls, NACs, etc.) — that can prevent attack propagation and minimize attack impacts, without interfering with ongoing operations or the delivery of care.

  4. Maintain Good Clinical Cyber Hygiene

To prevent the spread of threats within clinical networks, health systems need to constantly discover, assess, and manage the cybersecurity risks that medical, clinical, and other unmanaged connected devices introduce to the clinical network.

  5. Consistently Protect from the Core to the Edge — Don’t Forget About Clinics

All types of health systems, from large health delivery organizations to clinics, need to ensure the same rigor is applied throughout their distributed facilities and ecosystem to keep their operations and patient care running as they should.

  6. Operationalize Risk Management Programs

The dynamic nature of healthcare environments means securing them is never done. There is no “set and forget,” but there are tools and services that can help automate and operationalize ongoing risk management activities.