Oct 11, 2016 3:28:25 PM
Certificates as the Rx for Embedding Security Into Vulnerable Healthcare Systems

The healthcare sector continues to build some of the largest, most lucrative and most vulnerable stores of data, making them attractive targets for cyber criminals. Further, malicious actors are more prevalent, organized and creative in their attacks on vulnerable vectors. While HIPAA security rules have long been in place, compliance continues to move at a snail’s pace, and those responsible for product innovation are being forced to pay closer attention to security, IT, legal, risk and regulatory considerations earlier in the development life cycle. Many organizations are also having to revisit those same considerations for products and services already in use to satisfy regulatory or compliance requirements, remediate an issue, preserve reputation and promote a competitive advantage.

But there’s hope for healthcare. Digital certificates are one solution being used more widely as an authentication and encryption method between vulnerable data, devices and software within complex enterprise and medical systems. Layered on top of other multi-factor authentication tools, certificates can be a cost-effective solution for potential healthcare systems vulnerabilities.  

Where Hackers are Lurking - the Current State of Healthcare Cybersecurity:

The current state of healthcare cybersecurity is heavily influenced by the fact that healthcare holds the most valuable data available, reachable through multiple access points. In the past, financial records were of the greatest worth to malicious actors.

According to InfoWorld, today, healthcare records greatly exceed the worth of financial data, primarily because financial data limits a thief to the number of fraudulent transactions they can carry out before a customer becomes aware—at which point the financial data is worthless. Conversely, most of the information contained in healthcare records is permanent, such as social security numbers and medical records; this allows for a much longer shelf life, and involves enough data to carry out full-on identity theft.

Not to mention, healthcare systems contain multiple access points. Data, applications, devices, and various third parties are exchanging data constantly; then there are the endless websites and servers that are networked, and the mass proliferation of the IoT and healthcare digitization. There are multiple points of entry for a malicious actor who is trying to find a way in—and they will, eventually. Unsurprisingly, healthcare organizations are scrambling to employ as many security controls as possible and optimize security posture overall, but it’s common knowledge that the effort is an endless game of whack-a-mole.

Healthcare bears quite an active threat landscape. HealthData Management reported that the top security threats in healthcare include:

  • Insiders
  • Vendor supply chains
  • Medical devices
  • Malware and advanced persistent threats
  • Mobility

…And those are just a few. It’s a fast-paced, dangerous environment to manage.

5 Healthcare Industry Drivers Creating Security Challenges  

Today’s innovations in information technology are benefitting healthcare organizations and end users from an efficiency and operational perspective, but the same innovations are creating challenges in securing the data they’re generating.

Here are some of the drivers of the industry-wide scramble toward healthcare’s secure future state: 

  1. The pace of innovation—The approach to IT is becoming more advanced, making things more efficient, but also generating new problems in addressing security.
  2. Increased use of mobile devices and the great cloud migration—Mobile devices are the norm for operating medical facilities and patient communications. More end users have information and convenience at their fingertips, but now their healthcare data is more available to the individuals who want to steal it.

Healthcare is still hesitating in some areas when it comes to transitioning to the cloud, but most non-critical SaaS applications are always being hosted there. The cloud isn’t necessarily unsecured inherently, but the hesitation typically comes from security concerns.

  3. Pervasive interconnectedness—More technologies are interconnected than ever before. People, devices, applications, web services, servers, third parties, and integration in general, to name a few.
  4. Industry and government compliance requirements—Compliance is a huge impetus for enhancing security controls, but also comes with its own set of challenges. A number of regulatory bodies dominate the healthcare space, and each has regulations concerning data security, but those regulations aren’t necessarily specific so much as they’re a baseline for a secure future state. They do not stipulate specific security practices.
  5. Identifying who owns and builds security and choosing the right tools—Deciding which individuals are responsible for security can be a challenge. Many healthcare organizations find themselves asking: is it a covered entity of the business, associated with the developer? Is it the IT or security department within an organization?

Identifying where to apply different security tools is also a struggle because there are extensive amounts of interconnected technologies and access points between data, applications, devices, third parties, and web servers. Prioritizing and deciding where risk is highest while taking budget limitations into account is a balancing act.

Prescribing Digital Certificates for Alleviating Symptoms of Security Vulnerabilities

The above is not an exhaustive list—there are many factors that are making data security such a complex challenge for healthcare. However, there are a number of fundamental security controls among the many tools available that all healthcare organizations can benefit from implementing, including digital certificates. Digital certificates can work as a strong, economically feasible solution for healthcare systems vulnerabilities by enabling authentication and encryption for data, devices, and software—three technologies that dominate healthcare IT.

There are a myriad of methods, tools, and technologies used for authentication, encryption, or signing software and data for validation, and more healthcare organizations are shifting toward multi-factor authentication and layered security. Considering elements of the digitization movement, things like IoT systems, for instance, require all three of these security controls within one system, which is why digital certificates can be used as an additional layer of embedded security for enterprise and IoT systems.

Common practices in healthcare are driving the need for digital certificates. For instance, when it comes to e-prescriptions for controlled substances, the convenience for the end user is great, but the prescribing physician needs to be verified; this requires multi-factor authentication to prove that the doctor is actually authorized to write prescriptions for controlled substances. This requires a username and password to authenticate the individual, and often a PIN specific to the doctor, followed by a one-time token code for each prescription. This is only one of many use cases, but certificates offer healthcare organizations an additional layer of device authentication, encryption, and security that may be required for greater security, and even market differentiation.

Understanding How Digital Certificates Fit Within Your Organization

Cybersecurity threats in healthcare will only multiply. Having proper security controls in place is key to preventing data breaches and protecting patients. Digital certificates are one critical tool for authentication that will greatly reduce organizational risk.

CSS recently held a webinar, Digital Certificates - Rx for Embedding Security into Vulnerable Healthcare Systems, to do a deep dive into the details of healthcare’s threat landscape, security challenges plaguing healthcare, and using certificates to effectively reduce risk. Specific topics covered include:

  • Diagnosis of the current state of healthcare cybersecurity
  • Future vulnerabilities prognosis
  • Security symptoms - aches, pains and consequences
  • Prescribing certificates to alleviate symptoms related to authentication, encryption and code signing
  • Treatment plans to embed security into enterprise and medical systems
  • Preventative medicine to minimize attack vectors and influence positive security outcomes

Download the webinar presentation to learn more about how digital certificates can improve the security of your healthcare organization.

If your security team is interested in learning more about the health of your security posture and how digital certificates can work for you, please connect with a CSS Digital Certificate Expert today, or feel free to call us at 877.715.5448 for immediate help.  
