XaaS Journal recently reached out to the following industry experts to get their take on the top IT challenges healthcare organizations are facing today along with the solutions and services VARs and MSPs should be offering:
- Luis Corrons, security evangelist, Avast
- Jonathan Tanner, senior security researcher, Barracuda Networks
- John Ford, chief information security officer, ConnectWise
- Kevin Raske, marketing specialist — cloud security, VIPRE Security
- Tyler Moffitt, senior threat research analyst, Webroot
Here are their responses:
Kevin Raske: The most significant cybersecurity challenge facing healthcare organizations today is ensuring the protection of both endpoints and medical devices (such as radiology machines) from potential cyberthreats. With more than 80% of all healthcare organizations implementing bring your own device (BYOD) policies and IoT (Internet of Things) becoming more of a mainstay within the medical profession, IT admins are finding it increasingly challenging to secure EHR (electronic health record) systems and device networks.
MSPs and VARs can overcome these challenges by offering a layered, cybersecurity approach to clients. They must assist in securing employee mobile devices and laptops through advanced, cloud-based endpoint security. At the same time, they must implement a cloud-based email security solution that goes beyond the security that comes with email clients and offers attachment protection, HIPAA-compliant archiving, malicious URL protection and secure encryption. This will mitigate the threats of ransomware and other malware from wreaking havoc on a healthcare organization’s system and network.
Luis Corrons: Of all the challenges facing healthcare organizations, cybersecurity proves to be of utmost significance. Hospitals and other facilities are a prime target for cybercriminals given the vast amount of highly valuable personal information they store on their patients. Meanwhile, the medical equipment on their networks are running old — if not obsolete — software, which provides an open door for hackers. We saw this during the WannaCry ransomware outbreak a couple of years ago (and even today, as healthcare organizations continue to struggle in the aftermath) because they had no choice but to keep their systems running despite being vulnerable to the attack.
MSPs play an important role in helping healthcare organizations understand and protect their patients’ data from cybercriminals. First, MSPs need to educate customers and prospects about the different types of threats that target the healthcare industry and why cybersecurity should be a top priority. Additionally, MSPs must evaluate the unique needs of each organization and provide a layered approach to security. At a minimum, this should include email security, antivirus, backup and recovery and a secure web gateway to give organizations complete control and visibility into their entire security ecosystem.
Jonathan Tanner: The Internet of Humans (IoH) is fast becoming a reality as medical device manufacturers look to improve convenience and the ease with which their devices are used and configured. Unfortunately, manufacturers seem about as adept at security as the IoT and router industries — a dangerous situation considering it now becomes a person’s life on the line rather than just their data, devices and privacy.
Earlier this year, the U.S. Department of Homeland Security issued an alert about vulnerabilities in 16 different models of Medtronic implantable defibrillators, including several that are still for sale globally. The vulnerabilities, which also affect bedside monitors that read data from the devices and programming computers used by doctors, include improper access control and cleartext transmission of sensitive information. As with IoT, the security community is taking up the torch to try to spread awareness about biohacking and IoH devices. One example of this is the Biohacking Village at DefCon.
However, many manufacturers still seek to bring products to market as quickly and inexpensively as possible at the cost of security. Even with the manufacturers who do take vulnerability disclosures seriously, many tend to do so in a reactive manner — addressing vulnerabilities as they are reported — rather than employing researchers and security practitioners to make devices more secure from the start. MSPs and VARs can help their clients overcome these challenges through security awareness training and by offering products and solutions, such as firewalls, web security and filtering solutions that help mitigate the threats associated with these connected devices.
Tyler Moffitt: The healthcare industry holds a significant amount of valuable data that’s frequently updated, which makes it a prime target for cybercriminals looking to gain info and re-access it in the future. This type of targeted persistent attack (TPA) typically starts with phishing; but, it can also be obtained by hacking unsecured network resources like Remote Desktop Protocol (RDP). Once inside the network, attackers can employ a variety of techniques that let them fly under the radar for extended periods, sometimes remaining there indefinitely. MSPs can overcome these attacks by implementing ongoing security awareness training and phishing simulations — because humans are every organization’s first line of defense. Combine this with antimalware software, and you have the beginnings of a security offering. Once the basics are in place, the MSP should turn its attention to securing the network, server, perimeter and the endpoint. Only a layered security offering coupled with training can mitigate against these evolving cyberthreats.
John Ford: Technology has benefited healthcare in many ways, and healthcare has become reliant on technology. Like many verticals, the challenge is securing the data, but the healthcare industry has the additional responsibility of meeting strict regulatory requirements set forth by HIPPA while delivering quality patient care. How do you keep a patient’s information private and free of security breaches when their data is stored and processed by many firms in the course of care management? Successful cyberattacks are a heightened risk when organizations do not have adequate security measures in place and lack sufficient knowledge of the at-risk data in their environments at rest, in motion and in use.
Security is everyone’s job. MSP’s and VAR’s evaluations should include at minimum a risk identification and assessment process, threat and vulnerability management, multi-factor authentication, identity management, and data discovery of information in both structured and unstructured environments. Cyberthreats will continue to be a challenge in healthcare, but by taking a proactive approach to implementing sound security practices, risks can be significantly reduced. 
