Simplifying Healthcare Cybersecurity
- Nicholas DeMeo
- Aug 28, 2024
- 4 min read
The FBI’s 2023 cyber crime report made an alarming fact plain: healthcare is not just heavily targeted, it is the sector with the most reported ransomware attacks. The problem is complicated for several reasons, and it leaves professionals wondering why vulnerable systems remain in production at clinics and hospitals. No two businesses in any industry run the same environment, and healthcare in particular has so many nuances and unique environments that the “one size fits all” approach of cybersecurity vendors is very hard to apply. We will dive into two of the top challenges healthcare businesses struggle with, challenges that stand between them and simplified data protection.
Budget Constraints
What every salesperson loves to hear on a call with a potential customer is a tight budget, or, in healthcare, no budget provisioned at all. This is common, and it is the nature of the industry. Healthcare businesses rely on diverse streams of income: cash payments, insurance reimbursements, government funding or grants, and some doctors even rely on real estate investments to boost their portfolio. Hospitals and other clinics that depend on insurance for the majority of their income can wait 60 days or more before they are paid for a service already provided. That makes income irregular and adds to the difficulty of budgeting appropriately. It also pressures executive leadership to run “lean,” prioritizing cost and ROI, meaning a business is far more likely to invest in equipment or processes that cut costs or increase revenue than in a security tool.
“Well, think of the cost if you get hacked!” This is the line security vendors love to use, as if doctors and nurses did not have enough to worry about. Fear tactics will not change the industry or improve its security posture. Instead, I challenge security providers to become far more flexible and adaptive to the unique environments that desperately need protecting.
Nuances of Healthcare
So what are these “nuances” you have read about several times already? Believe it or not, healthcare produces some of the most creative “workarounds” from technical teams you will ever see. The cause is outdated software that has not kept pace with advances in hardware, which forces healthcare businesses to keep running end-of-life (EOL) systems like Windows 7 or Server 2012. These are obviously very vulnerable systems, but they can also be the heart of the business. Combined with the budget constraints mentioned above, upgrading or changing vendors is not always a viable option, especially for community health centers. Secondly, so many businesses in this industry offer specialized or niche services that no single vendor checks all the boxes. These companies come up with clever workarounds and homegrown systems to patch together something that comes close to meeting their needs. Those homegrown platforms and applications add to the challenge, because the business is reluctant to replace a “working” system that costs nothing with a new, expensive SaaS product. These unique setups often come with unconventional environmental constructs that are not always compatible with standard security practices.
Lost Cause?
Absolutely not! Healthcare businesses have one priority: patient care and saving lives. They need us, cybersecurity professionals, to bring that same mindset when we approach their organization. We need to support them in their mission and protect the data they store and transmit. But how? Should we do it for free? Recapping what we learned above, we need to be clever, flexible and adaptive to each healthcare business. We also need to recognize that not every vulnerability needs an expensive tool. It costs nothing to segment the network and isolate EOL devices, unless, of course, there is no firewall in place. So how can we help, and how can internal leaders address this issue? Simplify it! Too many professionals get starstruck by the best EDR or the fancy SOC service at DEF CON or InfoSec World and forget the basics like “defense in depth” and “defense in diversity.” One tool will not defend them sufficiently.
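To make “segment the network and isolate EOL devices” concrete, here is an added example (not from the original post) of an nftables policy for the Linux firewall or router that sits between an EOL VLAN and the rest of the network. The addresses and ports are assumptions for illustration: the EOL machines live on 10.20.30.0/24, they genuinely need to reach one application server at 10.10.5.20 on TCP 1433, and only an admin jump host at 10.10.9.5 may open RDP (TCP 3389) to them. Anything else entering or leaving the segment is dropped and logged; traffic that does not touch the EOL segment is left to whatever policy already exists.

```nftables
#!/usr/sbin/nft -f
# Added example: isolate an end-of-life (EOL) segment at the firewall.
# Prefix, server, jump host and ports below are illustrative assumptions.

table inet eol_isolation {
    set eol_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.20.30.0/24 }   # the EOL VLAN (assumed)
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic that enters or leaves the EOL segment is examined here;
        # everything else falls through to the existing ruleset.
        ip saddr @eol_hosts goto eol_egress
        ip daddr @eol_hosts goto eol_ingress
    }

    chain eol_egress {
        # Replies to connections that were permitted inbound (e.g. the jump host's RDP session)
        ct state established,related accept
        # The one flow the EOL hosts need: the application/database server on its port
        ip daddr 10.10.5.20 tcp dport 1433 accept
        # No internet, no other VLANs, no browsing from an EOL box
        counter log prefix "eol-out-drop " drop
    }

    chain eol_ingress {
        # Return traffic for the flow permitted in eol_egress
        ct state established,related accept
        # Only the admin jump host may initiate into the segment, and only for RDP
        ip saddr 10.10.9.5 tcp dport 3389 accept
        # Nobody else gets to touch an EOL host
        counter log prefix "eol-in-drop " drop
    }
}
```

Syntax-check it with `nft -c -f eol.nft` before loading it with `nft -f eol.nft`, and watch the `eol-out-drop` and `eol-in-drop` log lines for a few days: every legitimate flow you forgot shows up there, which is exactly the inventory you want before tightening further. Two caveats: hosts on the same VLAN talk to each other without crossing this firewall, so this limits what gets in and out of the segment but not lateral movement inside it (use private VLANs or host firewalls for that), and the rules match IPv4 only, so disable IPv6 on the EOL segment or add matching `ip6` rules.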
How do you build a stack on a budget? Take a page out of the MSP playbook. Analyze the budget, or propose a “per user” budget, and build your stack within it. For example, propose that a solid security stack will cost $10 per user per month; with 350 users, that gives you $3,500 per month to spend on a security toolset. Now provision as many quality tools as fit under that $10. Sure, that may mean you will not be deploying the number one EDR tool, but there are great options out there that will not eat up 70% of the per-user budget on their own. Remember your training, Master Jedi: four tools are better than one. This does not mean buying tools because they are cheap and possibly useless, but it does force professionals to think about the value of a tool more than the brand. Healthcare businesses need something that works, and there are products out there priced like a Chevy that come with Cadillac features. Just as healthcare professionals value their patients’ lives, thank goodness, we should value their needs and support them.
This approach also gives flexibility: you are no longer tied to one vendor, and as long as a tool falls under the $10 (or whatever the per-user budget is), you can swap and interchange tools accordingly. You are now in a position to adapt as the business’s needs change or grow.
We have heard how desperately healthcare needs our cyber skills to help defend against the wolves at the gate. It is time we answered the call the right way. It is time we viewed data security the way a surgeon views the patient as he enters the room to perform a life-saving procedure. We were created out of love; let us live as such and remember why we became cybersecurity wizards in the first place: to protect people.