Health Technology, Digital Healthcare
Article | September 8, 2023
NIS2 Cybersecurity Rules Approaching: Is Your Organization Prepared? The EU NIS cybersecurity regulations are evolving for 2024, and if you’re not currently aware of how they’ll apply to your organization, now is the time to get up to speed with the desired requirements. Not only is the directive being tightened, but an extended range of healthcare and related organizations will be added to the list of ‘critical entities’ that must comply. These include certain medical device manufacturers, pharmaceutical companies, and organizations that carry out R&D. The Network and Information Systems (NIS) standards were set up in 2016 to protect essential services – such as water, energy, healthcare, transport, and digital infrastructure – from online cyberattacks. The updated legislation, NIS2, will have stricter rules,reporting requirements, and higher penalties for non-compliance. They will apply to medium-sized and large businesses that operate within one or more EU countries. Those based only in the UK can’t sit back; however, the original NIS regulations will still apply as part of British law. What’s more, a UK version of the rules is coming very soon, and it’s likely that the framework will closely resemble the EU’s. What will the requirements cover? There are a number of cyber risk management measures that all organizations that come under the scope of NIS2 will be required to put in place. For instance, they will need to conduct regular security assessments and risk analyses, adopt incident response and handling plans, and appoint a chief information security officer (CISO), among other obligations. The new directive will streamline and strengthen incident reporting requirements. Entities must notify regulators of any incident that has compromised data or had a significant impact on the provision of their services, such as causing severe operational disruption or financial loss. Applying information system security policies and business continuity plans will form part of the obligations, as will conducting cybersecurity testing and training for all staff. The use of multi-factor authentication (MFA) and encryption, wherever appropriate, will also be mandated. There is plenty of focus within the directive on the cornerstones of cybersecurity best practices particularly, the proper control of administrator-level account credentials, privileged access, and endpoints, all of which are prime targets for attackers. Under NIS2, organizations are being separated into ‘critical’ and ‘important’ entities. It’s important to determine which category yours’ will fall under, as each has different requirements. The third-party threat will also be addressed in NIS2 by pulling in managed service providers (MSPs) to the list of ‘critical entities’, with the aim of keeping digital supply chains secure. MSPs are often granted privileged access to clients’ corporate systems and networks, which creates security risks. What are the consequences of non-compliance? Organizations that come under the regulations’ purview will be subject to random checks, regular security audits, on-site inspections, and off-site supervision. For those found to be in breach, sanctions could include warnings, temporary suspension of certain activities, and temporary prohibition to exercise certain managerial functions. Financial penalties could be as high as 10 million Euros or 2% of an organization’s global turnover, whichever is higher. What steps should healthcare organizations take now? Organizations should take action to establish whether the EU or UK NIS2 regulations will apply to them and what their responsibilities will be. Having identified any gaps in existing cybersecurity processes, policies, and practices, they must determine what changes need to be made to address them. As a priority, they must review their incident response plans and incident management and reporting procedures. It’s also a good idea to begin assessing the security posture of partners and third parties in the supply chain and incorporating relevant security requirements into contracts. Given the framework’s focus on protecting privileged admin accounts, organizations should implement controls limiting the number of staff members with these robust credentials. Implementing privileged access management (PAM) will allow IT to control who is granted access to which systems, applications, and services, for how long, and what they can do while using them. Preparing for the introduction of the EU NIS2 regulations should be considered more than just a compliance exercise. By meeting the strengthened requirements, healthcare organizations will be building a foundation of resilience that protects them, their customers, and the essential services they provide.
Health Technology, Digital Healthcare
Article | September 7, 2023
The healthcare industry has become a prime target for cybercriminals in recent times.
According to The State of Ransomware in Healthcare 2023 report from Sophos, six in 10 healthcare organizations have been hit by ransomware in the last 12 months, up from 34% in 2021.
Among this uptick have been several headline-grabbing attacks. For example, Shields Health Care Group became the subject of the single-largest breach affecting any organization globally in April 2023, when 2.3 million patients of the Massachusetts-based medical services provider had their personal data stolen after a cybercriminal gained unauthorized access to the organization’s systems.
Meanwhile, in the UK, a ransomware attack on the University of Manchester occurred in June, affecting an NHS patient data set holding information on 1.1 million patients across 200 hospitals.
Critically, the wealth of data housed in healthcare networks, and the potential impact of data unavailability in healthcare, make the industry both attractive and lucrative to threat actors.
It’s no coincidence that the Sophos report shows the rate of encryption in the healthcare sector is at its highest level in recent years. Of those healthcare organizations which suffered a ransomware attack in 2023, 73% had their data encrypted – up from 61% in 2022. When cybercriminals can successfully take down hospital systems and/or encrypt patient data so it can’t be used, they can blackmail health service providers, demanding significant sums before reinstating systems and/or data availability.
Considering healthcare's critical role as the highest-stake industry in our society, where people's lives depend on its success, the likelihood of attackers achieving their goals is greater than in other sectors, as confirmed by the Sophos report. Indeed, of the 73% of healthcare organizations that had their data encrypted, 42% reported that they paid the requested ransom to recover data.
DSPT and the compliance burden
Without question, the security-related challenges in healthcare are mounting. Right now, industry organizations are operating against a backdrop of unprecedented operational and workforce pressures, spiralling demand for care and industrial action.
Moreover, there is a growing regulatory burden, with organizations continually asked to comply with evolving cybersecurity rules, battling with multiple compliance mandates at any given time.
Take the NHS as an example. According to the 2023 NHS Providers’ Regulation Survey, just over half (52%) of respondents said the regulatory burden on their trust had increased. And this is expected to ramp up further in the future, with the UK government setting out a new 2030 strategy aimed at bolstering cyber resilience in healthcare.
Among the compliance burdens that the NHS faces is the challenge of meeting the requirements of the newly updated Data Security and Protection Toolkit (DSPT).
Mandated to minimize cyber risks and enable healthcare providers to maintain a robust information security posture, the DSPT is not a simple checklist of security controls, but a comprehensive toolkit to evaluate current security maturity and establish a risk management programme.
Indeed, in more recent times, DSPT has moved away from being a guide for achieving certain levels of assurance, and toward a mandatory evidence-based system which demands NHS organizations align with 10 precise National Data Guardian (NDG) standards: 1. The organization assures good management and maintenance of identity and access control for its networks and information systems. 2. The organization closely manages privileged user access to networks and information systems supporting essential services. 3. The organization ensures passwords are suitable for the information being protected. 4. Process reviews are held at least once a year where data security is put at risk and following security incidents. 5. Action is taken to address problems as a result of feedback at meetings. 6. All user devices are subject to anti-virus protections, while email services benefit from spam filtering and protection deployed at the corporate gateway. 7. Action is taken on known vulnerabilities based on advice from NHS Digital, and lessons are learned from previous incidents and near misses. 8. The organization has a defined, planned and communicated response to data security incidents impacting sensitive information or key operational services. 9. The organization has demonstrable confidence in the effectiveness of the security of technology, people, and processes relevant to essential services. 10. The organization securely configures the network and information systems that support the delivery of essential services.
Reducing Compliance Challenges with the Right Solutions
Taken individually, these standards may not seem too strenuous to adhere to. However, to be compliant with DSPT, all 10 items need to be completed and deemed ‘satisfactory’.
To tick all 10 key boxes in the most effective and efficient manner simultaneously, organizations should consider their strategy carefully. This could involve embracing supportive tools to accelerate and enhance their compliance journey.
Boiled down, DSPT demands several key things, including unincumbered visibility of the entire ecosystem, as well as the ability to demonstrate secure access, logs and storage, and essential auditing processes to maintain data security.
Achieving these things might appear complicated, even daunting. However, there are solutions known as Security Information and Event Management (SIEM) systems on the market that can make achieving these capabilities, and in turn DSPT compliance, easy.
Here, we outline some of the key features to look out for to meet compliance: • Log retention: A modern SIEM should be able to provide a centralized log storage and big data platform that scales to any organization’s size. Platforms should be able to provide role-based access to log data, including ‘data privacy’ functionality that can mask sensitive data until approved. Log data should not be modified or removed by users once ingested into the platform, while all data held should also be indexed and fully searchable. • Identifying and disabling unnecessary accounts: A good SIEM will also provide account auditing facilities for Active Directory that allow administrators to quickly identify dormant accounts. They should also be able to remove privileged user access when no longer required or appropriate. More sophisticated platforms will be able to do this in an automated manner. • Easy identification of issues: Clear and easily readable dashboards, alerts and reports for user logging activity should be provided, including failed login, apparent brute-force attempts, and bad password management practices. Further, those using machine learning will be able to identify unusual behavior patterns based on a baseline of activities of users and their peer group. • Integrate with third-party threat feeds: It will also be able to integrate with a wide variety of third-party threat feeds that provide information about specific known threat payloads/hashes and destination domains/addresses.
Meeting the mandate
Of course, having the right features in place is only part of the puzzle. For organizations to be truly successful in embracing tools that enable them to meet DSPT compliance more effectively, they should work to ensure that solutions providers offer them ongoing support – both in terms of ease of deployment and to ensure that they are using key systems in an optimal manner.
Scalability is another important aspect to consider.
Systems should be able to scale and continue to support the organization as data volumes increase and become more complex over time.
In respect of scalability, organizations should take time to think about pricing models, ensuring that these are based on the number of devices (nodes). In doing so, it will become easier to accurately budget future costs, as well as provide greater budgeting certainty over the short, medium and longer term.
A converged SIEM allows organizations to prioritize the big picture over individual tools, enabling them to develop a seamless and easy to use security operations setup. Not only does this approach boost cost transparency and eliminate potential complexities with managing a variety of siloed products – equally, it reduces the burdens on security teams, eliminating complexities over system integration and enhancing performance.
A converged SIEM combines key technologies easily to offer improved security outcomes. In doing so, organizations can easily home in on specific standards and adopt security best practices while reducing the burden on security teams tasked with meeting DSPT compliance.
Health Technology, Digital Healthcare
Article | August 16, 2023
With medical system consolidation and increasing numbers of medical records created, the need for digital access and storage is gaining steam. Digitizing records allows clinicians to improve accuracy and decrease redundant testing and studies, as well as reduce treatment delays. Greater availability of digitized records has other perks too. With vast amounts of accessible medical data, researchers can move public health studies forward, also potentially improving care and treatment of individual patients. As a result, cloud storage is taking off, though healthcare organizations are adopting it more slowly than other industries. According to a 2019 Nutanix report, 71% of healthcare organizations using cloud were considered the least mature – relative beginners – in that they were using fewer cloud services. Compare that figure to finance or retail, where 13% and 15% respectively were beginners. However, that is changing.
Article | February 10, 2020
During the past decade, the healthcare industry has undergone an unprecedented technological transformation. The industry, once defined by manual processes, has moved squarely into the digital age. As patients, we’ve all become accustomed to seeing physicians as well as clinical staff use laptops during office visits. And behind the scenes, hospitals and health networks have made substantial investments in financial and HR systems, among others. One of the more significant digital advancements has been the industry’s focus on applying greater levels of automation to supply chain processes. In doing so, provider and supplier organizations have improved the efficiency of their supply chains, driven out millions of dollars in cost and waste, all while keeping patient care front and center.