Swaay Health's Podcast of the Year
Season 5 | Episode 4
Strengthening Your Cybersecurity
Ryan Winkler, Practice Director at 360Advanced

In this episode

A strong cybersecurity posture is table stakes not just for healthcare organizations, but also for the thousands of vendors at each health system that interact with healthcare data. And as threats continue to grow, what makes a strong cybersecurity posture becomes more complex, too. In this episode, Ryan Winkler, Practice Director at 360Advanced, provided practical takeaways for both healthcare organizations and vendors to improve their security.

“When we’re talking about healthcare data and patient data, security and compliance are at the forefront and a foundation, not optional.”

– Ryan Winkler

Key takeaways

In his security and compliance practice, Winkler works frequently with healthcare organizations of all sizes and levels of cybersecurity. He covered the evolving cybersecurity threats in healthcare and practical tips that go beyond the basics. Here are his takeaways:

In healthcare settings, cybersecurity is a non-negotiable part of patient care.

“With any size healthcare organization, the one thing I always drive home is that security and compliance are foundational,” said Winkler. “When we’re talking about healthcare data and patient data, security and compliance are at the forefront and a foundation, not optional. Security breaches have a direct impact on patient care.”

Winkler emphasized that healthcare is uniquely vulnerable to security threats, not just because of the volume of data involved but because of the impact on the individual patient. “Healthcare is one of the only industries where if there’s a breach, it can directly affect a single individual — and with that comes a level of responsibility,” he said.

He said that most healthcare organizations recognize that cybersecurity is important, but a differentiator among health systems is how foundational it is to their culture and decision-making. “Is it being talked about at the top levels?” he asked.

Large-scale trends in the healthcare industry are converging to increase security risks.

Winkler covered how seemingly disparate trends in the healthcare industry are combining to increase the value of healthcare information to bad actors — and the risk points for healthcare organizations.

First, he said that an increased level of security at healthcare organizations is a net positive, but actually increases the value of healthcare data to bad actors. “Organizations are doing a good job at managing their programs and maintaining security and compliance. But when you make it harder for a threat actor to get into your environment…that inherently increases the value of that healthcare data because it can be sold for more on the dark web,” he said.

Second, he said that the increase in medical devices and WiFi-enabled technology increases risk. “Make sure that you’re thinking of those things even at the hospital level,” he said. “Individual nurses may be using devices [like heart rate monitors that connect to WiFi] and they need to have that foundational [security] knowledge.”

Third, he said that staffing and resource constraints — which might be more typically recognized in front-line roles — also impact security. “Security teams are scarce in the healthcare industry,” he said. “Security teams face burnout, there are a lot of staffing shortages and we need more people in the cybersecurity industry. We need to be able to facilitate entry-level roles…we can try to always hire the greatest, and people that have a very unique experience. But we’re limiting ourselves by doing that.”

Ensure that everyone, from staff to leadership to vendors, follows security practices.

Throughout the episode, Winkler emphasized that a strong culture of security and monitoring across every potential point of data sharing or weakness is a must. His recommendations include monitoring remote devices and laptops and establishing a culture of security from leadership down.

He also recommended following established security frameworks to give your organization a practical and easy-to-follow set of standards. “Anyone in the healthcare industry knows about HIPAA,” he said, “but a lot of those requirements are relatively high-level and it’s up to an organization to interpret that correctly.” He recommends the HITRUST framework because “HITRUST has really made waves in the industry around making it simple to maintain a security and compliance posture, while still meeting the current threats that are out there today.” He said that HITRUST provides a practical framework that maps directly to HIPAA rules and is one of the best frameworks to get started with, since it includes a self-assessment.

Speaking about all the vendors a healthcare organization is likely to have in place, Winkler said that “you’re only as strong as your weakest link,” so ensure that you have a solid vendor management program and ask your vendors for their security certifications. “Look at things like HITRUST certification, do they have SOC 2? Look not just at whether they have those things, but look at the contents, see what findings or issues there were,” he recommended.

Asked for his number one recommendation for all healthcare organizations to follow, Winkler said: “It starts at the top. Get buy-in from leadership. Have a clinically-aware security program that accounts for patient safety…ultimately, at the end of the day, our responsibility is to protect patient information.”

Subscribe to Digital Health: On Air