
How Under-Resourced Healthcare Providers Can Up Their Cybersecurity Game

George V. Hulme / Nov 4, 2024

It's an unfortunate reality—when it comes to hospital and healthcare delivery cybersecurity—that small and under-resourced hospitals have a lot stacked against their cybersecurity success. They tend to have tighter cybersecurity budgets than entities in other industries, face significant staffing challenges, operate with equipment that has stayed in the field for decades, and are targeted heavily by cybercriminals.

These organizations are also subject to stringent security and privacy regulations, which, if not appropriately managed, experts contend, can tip the focus too heavily toward compliance objectives rather than minimizing actual digital risk. 

"For me, it's all about patient safety," says Martin Fisher, longtime healthcare security executive and current advisory board member at Kennesaw State University's Department of Information Systems and Security. "If a hospital loses your medical records, or if it loses your credit card numbers, that's one thing, and it's crucial to protect that data, but no one died."

With tight budgets and limited access to on-staff cybersecurity expertise, how do under-resourced healthcare delivery organizations best secure their data, systems, and patients? A number of experts advise the following:

Learn the 405(d) Framework

The 405(d) Task Force is a collaborative effort made possible by the Cybersecurity Act of 2015. The task force unites healthcare and cybersecurity experts who work to strengthen the healthcare sector's cybersecurity defenses. Their primary publication is Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients [.pdf]. The task force published two healthcare security technical volumes, with the first dedicated to small healthcare organizations. 

"The smartest thing they did was break healthcare organizations into small, medium, and large groups. If you're a small provider, they detail what you're supposed to do," says Fisher. 

Endpoint Detection and Response

Endpoint detection and response (EDR) provides continuous monitoring and real-time analysis of endpoint devices (computers, smartphones, and IoT devices) so that digital threats can be spotted and responded to. Agents installed on the endpoints collect telemetry such as process launches and file activity, and that data is then analyzed by detection logic to identify suspicious behavior.
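
To make the collect-then-analyze loop concrete, here is an added example (not code from the original article or from any EDR vendor) of the kind of detection logic an EDR backend applies to agent telemetry. It runs two defender-side rules over a constructed set of endpoint events: a document application spawning a command interpreter, and a burst of file writes by one process of the sort that ransomware produces. Host names, process names, the thresholds, and the event schema are all assumptions made for the example.

```python
"""Toy EDR-style detection over constructed endpoint telemetry (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document/mail applications that should not normally launch command interpreters
# on a clinical workstation (assumed list; tune to the environment).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# A single process writing this many files inside the window is treated as a
# ransomware-style burst (assumed threshold for the example).
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=10)

# Constructed sample telemetry as an EDR agent might report it.
SAMPLE_EVENTS = [
    {"ts": "2024-11-04T09:00:01", "host": "ws-nurse-12", "type": "process",
     "parent": "explorer.exe", "image": "WINWORD.EXE", "pid": 4000},
    {"ts": "2024-11-04T09:00:03", "host": "ws-billing-03", "type": "process",
     "parent": "outlook.exe", "image": "EXCEL.EXE", "pid": 2200},
    {"ts": "2024-11-04T09:00:05", "host": "ws-nurse-12", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe", "pid": 4242},
] + [
    {"ts": f"2024-11-04T09:00:{6 + i:02d}", "host": "ws-nurse-12", "type": "file_write",
     "pid": 4242, "path": f"C:/Users/nurse/Documents/patient{i:02d}.docx.locked"}
    for i in range(6)
] + [
    {"ts": "2024-11-04T09:00:20", "host": "ws-billing-03", "type": "file_write",
     "pid": 2200, "path": "C:/Users/billing/claims.xlsx"},
    {"ts": "2024-11-04T09:00:21", "host": "ws-billing-03", "type": "file_write",
     "pid": 2200, "path": "C:/Users/billing/claims.xlsx"},
]


def detect(events):
    """Apply both rules to a list of telemetry events and return alert dicts."""
    alerts = []
    recent_writes = defaultdict(deque)  # (host, pid) -> timestamps inside the window
    already_flagged = set()             # one burst alert per process, not per write

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])

        if ev["type"] == "process":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            if parent in DOCUMENT_APPS and image in INTERPRETERS:
                alerts.append({"rule": "office-app-spawned-interpreter",
                               "host": ev["host"], "pid": ev["pid"],
                               "detail": f"{parent} -> {image}", "ts": ev["ts"]})

        elif ev["type"] == "file_write":
            key = (ev["host"], ev["pid"])
            window = recent_writes[key]
            window.append(ts)
            # Drop writes that have aged out of the sliding window.
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and key not in already_flagged:
                already_flagged.add(key)
                alerts.append({"rule": "file-write-burst",
                               "host": ev["host"], "pid": ev["pid"],
                               "detail": f"{len(window)} writes in {BURST_WINDOW.seconds}s",
                               "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script raises two alerts for the nurse workstation and none for the billing workstation, whose Excel launch and occasional file saves are ordinary. The point for a small provider is that the value comes from the telemetry stream, which is why Fisher's remark below about clinical devices that cannot run an agent matters: those systems produce no events for rules like these to see, so compensating controls are needed there.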

"For me, a quality EDR system as widely deployed as can be supported provides the biggest return," Fisher says. "The challenge is that most clinical devices can't support EDR, but you're trying to develop something like herd immunity in your environment."


A Focus on Email Security

Not only do healthcare organizations handle vast amounts of sensitive data through email, but most ransomware attacks begin as phishing attacks. "Email security is an essential area healthcare organizations must focus on to keep their systems secure, and a focus here will help to increase security substantially," says Kurt Osburn, a healthcare security expert and a director at cybersecurity services provider NCC Group.

Security Awareness Training

According to the 2024 Verizon Data Breach Investigations Report, 68% of breaches were insider errors, such as having fallen for a phishing email or social engineering scheme. Security awareness training aims to equip healthcare staff with the tools to identify and avoid such mishaps. "They need to do security awareness training. And they need not just to do it once a year. They need to do it all the time," advises Osburn.

Sharpen Backup and Recovery Efforts

There's no doubt ransomware is a big challenge faced by healthcare organizations, and effective endpoint and email defenses, coupled with security awareness training, are significant steps toward defending against ransomware attacks. But nothing will be 100% effective. So healthcare delivery organizations must be able to quickly recover from such attacks. That typically means having secure backups on hand. It also means being able to operate with manual systems if needed. 

"Of course, they need recoverable backups," says Osburn. "But they also need to be able to operate without the electronics, and most places no longer do that," he says.
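
"Recoverable" is the operative word in Osburn's advice: a backup that has never been restored and checked is only a hope. The following is an added example (not from the article or any backup product) of a restore-verification check a small provider could run on a schedule. It compares a restored backup set against a hash manifest captured at backup time, checks the backup's age against a recovery point objective, and confirms an offline or immutable copy was recorded. The file contents, the 24-hour RPO, and the backup-set structure are constructed assumptions.

```python
"""Restore-verification check for a backup set against a hash manifest (added example)."""
import hashlib
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)  # assumed recovery point objective


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a hash of every file at backup time; store this separately from the data."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_backup(backup_set: dict, manifest: dict, now: datetime):
    """Return (ok, findings). Findings are human-readable reasons the set is not trusted."""
    findings = []
    if now - backup_set["created"] > MAX_BACKUP_AGE:
        findings.append("backup older than recovery point objective")
    if not backup_set.get("offline_copy"):
        findings.append("no offline/immutable copy recorded")
    restored = backup_set["files"]
    for path, expected in manifest.items():
        if path not in restored:
            findings.append(f"missing from restore: {path}")
        elif sha256_hex(restored[path]) != expected:
            findings.append(f"content changed since backup: {path}")
    return (not findings, findings)


# Constructed sample data: what was backed up and two candidate restores.
ORIGINAL_FILES = {
    "ehr/patients.db": b"sqlite-format-3\x00constructed patient records",
    "config/app.ini": b"[app]\nmode=clinical\n",
}
MANIFEST = build_manifest(ORIGINAL_FILES)
NOW = datetime(2024, 11, 4, 12, 0, 0)

GOOD_BACKUP = {
    "created": NOW - timedelta(hours=2),
    "offline_copy": True,
    "files": dict(ORIGINAL_FILES),
}
# Stale, online-only, with one file altered after backup and one absent.
BAD_BACKUP = {
    "created": NOW - timedelta(days=3),
    "offline_copy": False,
    "files": {"ehr/patients.db": b"\x8f\x13garbage-where-the-database-was"},
}


if __name__ == "__main__":
    for name, backup in (("good", GOOD_BACKUP), ("bad", BAD_BACKUP)):
        ok, findings = verify_backup(backup, MANIFEST, NOW)
        print(name, "OK" if ok else "FAIL", findings)
```

The manifest must live somewhere the backup job (and an attacker who compromises it) cannot rewrite, otherwise a tampered backup can carry a matching manifest. Running the check against an actual restore to scratch storage, rather than against the backup media in place, is what turns "we have backups" into "we can recover."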

Outsource Intelligently

For Austin Allen, an experienced healthcare systems analyst and currently a director at cybersecurity provider Airlock Digital, that means managing preventative security tools in-house and outsourcing other aspects of cybersecurity. 

"They know their systems and where the more sensitive infrastructure and medical VLANs reside, as well as other machines that can't run EDR and can't be outsourced as effectively as they can be managed in-house," says Allen. "By managing preventative security tools in-house, such as firewalls and application controls, you have faster response times and better control," he says. 

The answers for under-resourced healthcare delivery providers won't be found when completing a handful of objectives. Still, their security posture will improve if they focus on their most pressing risks and vulnerable areas. "They have to conduct risk assessments and focus on closing their gaps," says Osburn. "But there are these areas where many providers are currently slipping on the basics, and that's a great place to start," he says.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
