Rethinking Healthcare’s Cyber Strategy for 2021 and Beyond

Updated on December 20, 2022

The past year pushed healthcare organizations to find new ways to enable remote work for some employees and offer more telehealth options for patients – on top of grappling with the other realities of a global pandemic. 

When they made the initial shifts in 2020, many healthcare organizations focused on speed first – looking for the quickest IT approach to enable these changes without interrupting service and patient care. However, even as the pandemic continues, healthcare IT teams have an opportunity to go back to the proverbial drawing board and make the changes to their IT systems more permanent and secure. And as ransomware attacks continue to proliferate, it’s imperative to take this opportunity now. 

Reassess cloud and remote work technologies 

The rapid move to remote work laid bare the discrepancies between different organizations – some already had solutions in place like SD-WAN that were instrumental in supporting people, offering visibility and maintaining connectivity. Those that didn’t had to make do with what they already had and quickly adopt cloud and other technologies. 

Now, it’s time to take a second look at how to support these changes, such as the switch to hybrid work, which has become long-term or permanent for many organizations. CISOs must make sure that workforce mobilization technologies are scalable and eliminate security blind spots. This will enable greater protection for the remote workforce as bad actors pivot to take advantage of an expanded threat landscape. 

Examine the expansion of connected devices

Virtual care options also needed to expand in the past year. Speed was of the essence due to the urgent, real-time needs of the healthcare sector, meaning security sometimes got short shrift. For instance, there’s been a vast expansion of connected medical devices – also known as the Internet of Medical Things (IoMT). This was growing even pre-pandemic; in fact, improving connected medical device security and governance was top of mind for CISOs, but for some it got put on the back burner during the pandemic.

Remote appointments via video are likely to continue this expansion, as is the use of sensors and remote diagnostic equipment. And that means cybersecurity can’t stay in the backseat. Both providers and medical device manufacturers need to initiate or re-initiate projects to secure the devices they’re using – or manufacturing. Hackers will continue to treat Internet of Things (IoT) and IoMT devices as front lines of attack. 

Re-evaluating identity and access management 

Central to any healthcare organization is maintaining patient care. No IT or security solution can be so convoluted that it gets in the way of this primary objective. As the healthcare industry adopts a more distributed model, nurses, doctors, clinicians and caregivers must have seamless, secure access to patient data, no matter what device they are using or where they are.

Healthcare organizations must be able to find and recognize new kinds of users. There are multiple devices connected to any hospital bed in the U.S. today. Consequently, there is a variety of both people and devices collecting, generating and curating data across organizations to help make data-driven decisions. This creates challenges about how organizations catalog and identify all people, devices and applications in their networks.

Zero Trust Access (ZTA) is ideal for just this situation. Fundamentally, ZTA focuses on identity and access management, which is why it provides value for healthcare organizations. In many ways, Zero Trust arose from network segmentation’s limitations. Although it is intuitively elegant, over-segmentation impedes business operations, while under-segmentation lacks the security needed to prevent compromises and the lateral movement of threat actors. The key to segmentation across hybrid and distributed ecosystems is understanding all role-based access controls and segmenting accordingly. 

Looking at long-term security

With the massive shift to remote work on top of the obvious stressors that the pandemic put on healthcare systems, healthcare IT has had to work overtime to keep up. Already overburdened resources became more so in the past year, and for many organizations, that meant moving to support a remote work strategy quickly, with a stopgap type of approach.

Though the pandemic persists, the initial IT scurry has died down. Healthcare IT teams now need to spend time making their cybersecurity strategy more sustainable for the future, especially in terms of how it supports remote work and telemedicine. Each organization must consider the security of its services and of the patients who put their sensitive data in the organization’s care, then make the needed changes for a long-term security strategy that serves everyone.

Troy Ament
CISO for Healthcare at Fortinet

Troy Ament is Fortinet’s field CISO for healthcare. He brings more than 20 years of experience to Fortinet, transforming information technology and security programs, with 14 years in the healthcare sector as an executive overseeing clinical technology implementations, and serving as the chief information security officer (CISO) at two of the largest integrated health delivery systems in the U.S. Before joining Fortinet, Troy held the positions of CISO and Director, CISO chief at Sanford Health where he had oversight of the Security Technology, Security Operations, Identity and Access Management, and Governance Risk and Compliance (GRC) Teams.