Deep dive: Endpoint security in healthcare

A healthcare infosec expert talks why CISOs and CIOs should prioritize unified endpoint management, what a UEM strategy looks like and much more.
By Bill Siwicki
11:20 AM

Apu Pavithran, CEO and founder of Hexnode

Photo: Hexnode

Remote healthcare certainly has gained traction via the pandemic. As a result, some healthcare information security experts contend a unified endpoint management system has become a top priority for provider organizations conducting telehealth.

Remote healthcare facilities can be a breeding ground for security breaches. These can pose a tremendous threat – especially if sensitive patient information is exposed. Additionally, with healthcare taking a digital shift, tablets and smartphones have become accessories to enable better and faster patient care.

This means an increased dependence on technology and a resulting IT overload, said Apu Pavithran, CEO and founder of Hexnode, a vendor of a unified endpoint management (UEM) platform housed by Mitsogo.

Healthcare IT News sat down with Pavithran to discuss the digital shift in healthcare and what that means for security, why CISOs and CIOs should prioritize endpoint management, what a UEM strategy looks like, and why CISOs and CIOs should consider one.

Q. How is the digital shift in healthcare opening doors for security risks?

A. The history of digital health dates back to 1897, when a child's viral infection was diagnosed via telephone consultation. Despite the early appearance of telemedicine, long-distance diagnosis was reserved for Antarctica expeditions and space missions for almost nine decades.

However, the pandemic deserves praise for how it turned technology around and spurred innovations. The digital transformation wave that was expected to hit a decade later got accelerated and was accomplished in three years.

Routine interactions like finding a doctor, scheduling an appointment, paying bills and processing insurance revolutionized the healthcare experience, which was otherwise dull and slow.

On the flipside, this sudden wave also took a toll on the healthcare system, especially when the IT was undernourished. While the whole concept of digitizing healthcare was to provide exceptional patient care with timely access to services and resources, it ended up converting IT assets into silos of private data, making them susceptible to phishing, ransomware, DDoS and data breaches.

The attacks on these systems varied in methodology and severity. Malicious actors stole Social Security numbers and other personal information in some instances, while other attacks directly posed danger to patient safety by compromising or shutting down crucial medical systems and equipment.

I believe that lack of training, absence of creating awareness regarding internet threats, businesses' focus on providing the finest service and the employee's reluctance to move away from legacy systems have made healthcare systems easier access points.

Healthcare regulations like HIPAA and HITECH demand that healthcare information ought to be open and shareable while also ensuring privacy. Unfortunately, these hazy distinctions between security and privacy make it hard for hospitals to stay on top of cybersecurity.

For smaller organizations, winning the race of digital transformation becomes more difficult. A lower, restricted budget forces them to introduce outdated technology into the mobile network, raising the bar of security concern.

In addition, following IT, logistics and retail, the BYOD trend also found its place in healthcare. While these personal devices house patient health information, there is a greater likelihood that these documents would leave the corporate perimeter.

Healthcare cybersecurity attacks do not only cost loss of revenue or payouts; the consequence can go up to affecting patient lives as well. For instance, in Alabama's Springhill Medical Center in July 2019, a ransomware attack led to IT outages for about three weeks, resulting in the death of an infant as the mother wasn't informed that the hospital was amid fending off a cyberattack.

The cyber assault on Chicago-based CommonSpirit, the second largest nonprofit hospital network in the United States, is only a sign that these are darker times for healthcare. Many fail to realize that a patient's privacy is as important as their health in healthcare.

Today, crossing the value pegged for stolen credit card and Social Security numbers, medical records are valued at $250 in the black market.

As the estimated cost of a healthcare data breach rises to $7.1M, regulatory bodies have tightened the reins, and the maximum fines on HIPAA violations have increased to a maximum level of $25,000 per violation category.

The threat landscape in healthcare is quite dynamic, and this has compelled various governments to focus more on the industry. For example, the Biden administration has indicated that healthcare will be one of the major focus areas for the White House regarding security infrastructure.

Q. Why should CISOs and CIOs at healthcare provider organizations prioritize endpoint management?

A. The healthcare endpoint network is already a complex one. Apart from devices that house electronic health records, devices such as blood pressure monitors, MRI machines, IV pumps and implanted defibrillators are just other samples of endpoints.

A simple glance at the U.S. Department of Health and Human Services (HHS) Breach Portal points out that about half of the attacks originate from devices and hardware.

Digitalization has taken over the healthcare industry through AI-powered devices, blockchain, telemedicine, EHR and remote patient monitoring. As a result of the internet of medical things, which connects every device with a sensor, software or other technology via the internet, we now live in an era where a single exposed endpoint can be the cause of a major network breach.

In addition, the BYOD culture has introduced more unique endpoint security challenges. CISA has identified this rapidly growing threat landscape as one of the biggest threats to the healthcare sector.

Furthermore, point-of-care devices and kiosks collect patient health information in the form of EHR. These publicly placed kiosks are susceptible to vandalism, shoulder surfing and man-in-the-middle attacks. POC devices also collect documents that are expected to be legally confidential.

While all these security concerns point toward why it is essential to prioritize endpoint management, the Technical Safeguard protocol under the HIPAA Security Rule has established standards that mandate healthcare personnel to comply with practices that ensure the confidentiality, integrity and security of ePHI.

In addition, the guide published by the HHS's Office of the Assistant Secretary for Preparedness and Response also vouches for endpoint security solutions as means to protect patient data.

Static devices that exist within health institutes and remain connected to the corporate network are an old story. With healthcare taking a digital front and blurring organizational perimeters, stakeholders must initially evaluate the status of their endpoints.

Closing the security gap must begin with identifying your assets' crown jewels and securing them. With revenue losses from the industry soaring, medical institutes must define and document possible attack surfaces and focus on patching the same.

Hackers do not look for weak network schematics alone. With humans being the weakest link in cybersecurity, malicious actors look out for people prone to fall for phishing or social engineering attacks. In the wake of such events, organizations must dictate the access one has to healthcare resources. Additionally, it is necessary to create awareness among employees on how to treat their endpoints.

As attacks have been adopting a more sophisticated front, endpoint security has also been evolving from endpoint protection platform to endpoint detection and remediation to extended detection and response. As you construct your digital map, the key is to identify your right fit.

Q. What is a unified endpoint management strategy and why do you believe healthcare CISOs and CIOs should consider one?

A. Software that helps you manage, monitor and secure your corporate assets from a single console is a unified endpoint management solution. The following are some of the features to look for when subscribing to a UEM solution for the healthcare sector.

Visibility into mobility network. You can't protect what you can't see. To secure your devices, it is necessary to have visibility into the devices logged into your network. From a UEM console, admins can view the device's status and generate reports on compliance, ownership and device details.

Securing the Internet of Medical Things. The IoMT industry is predicted to reach $176.82 billion by 2026; however, the market is overwhelmingly easy to infiltrate. When each device in the network is connected to another, a vulnerability in one of those becomes a threat to the entire network.

With the help of UEMs, it is possible to have an overall insight into the devices, users, networks, settings, location and operational conditions from a single console. Furthermore, compromised devices can be removed and confidential data can be remotely wiped, securing the device from more significant harm.

Fortifying the BYOD bandwagon. Personal devices have found higher demand among healthcare professionals. However, the thin line between ensuring security and privacy has been a major challenge for hospital management.

A UEM's integration with corporate programs such as "Android Enterprise" and "Apple at Work" has helped organizations enforce the BYOD policy. While the Android Enterprise initiative clearly distinguishes between personal and work applications, the business container for iOS is concealed from plain sight. These built-in BYOD capabilities in a UEM guarantee privacy to the user and security to the enterprise.

Managing your kiosk network. A UEM's lockdown feature allows admins to restrict devices to pre-approved medical apps or telehealth software. In addition, device functionalities like camera, screenshots, calls, etc., can be disabled by converting devices into dedicated purpose-driven tools.

Before shipping such devices, they can be preconfigured with necessary settings through remote deployment techniques. For instance, Android's Zero Touch Enrollment technique enables the remote enrollment of devices into the portal. Similarly, Apple offers Apple Business Manager, and Windows provides Autopilot.

Ramping up defenses. Most devices in the healthcare perimeter can be logged in via generic log-on information, and through techniques like shoulder surfing, credentials may end up in the wrong hands. The capability of a UEM to enforce password restrictions and multifactor authentication mechanisms forces the user to create complex alphanumeric passcodes that do not have recurring histories.

Furthermore, admins can restrict data transfer via USB tethering, Bluetooth, etc., thereby safeguarding PHI documents. Businesses can also configure firewalls, FileVault and BitLocker to encrypt sensitive data.

A UEM strategy can also help organizations dictate applications that need to be allowed or blocked in a particular device. The same stands for websites as well. Additionally, UEMs allow IT to enforce, schedule and delay OS updates, ensuring that existing security flaws are patched, and new features are updated to promote performance.

Finally, organizations can ensure that private data is accessed within the managed corporate network by implementing network restrictions. If a device is compromised, it can be locked and remotely wiped as the situation demands.

Every healthcare organization must comply with sector-specific regulations like HIPAA, HITECH, etc. A UEM solution in your cyber architecture ensures compliance and minimizes chances for a breach, thereby providing quality service to patients.

Q. What are upcoming trends and features to look for in healthcare information security systems?

A. Currently, 90% of businesses use the cloud, with multi-cloud infrastructure being the most common. IBM notes that an IT team's failure to secure their cloud-based assets accounts for 19% of data breaches.

Most of these misconfigurations are caused by human errors. Hence, we must evolve toward building technology on the cloud in alignment with privacy and security regulations. While encryption and blockchains will alter the infrastructure of the cloud, quantum computing may have a game-changing impact on cloud security.

Organizations will need to take giant leaps toward adopting quantum-resistant cryptography to protect themselves from quantum attacks. However, before bracing for the future, healthcare facilities must have a bird's eye view of the behavior of their cloud systems – the services it provides, the apps it hosts and the security flaws it presents.

It is advised to start by ensuring the security of their cloud footprint against today's threats for a safer tomorrow.

Given all the advancements the sector has witnessed, I believe it's time for healthcare to transition from manual to automated. Self-healing endpoints have been the talk of the town in the endpoint management industry.

With the benefit of AI and machine learning, businesses have enhanced the resilience factor of their self-healing endpoints. Sooner, healthcare endpoints can self-diagnose their existing cyber structure, reset themselves to specific configurations, and thwart potential and actual threats.

Organizations are always busy implementing strategies after an attack occurs; however, the real deal is to take a proactive stance and build an architecture that can draw lessons from previous attacks and fight those of the future.

By adopting an automated endpoint maintenance approach, IT teams could move from mundane security tasks to focusing more on infrastructure enhancement and inventory management.

The healthcare sector is integrating with several third-party vendors and gathering more patient data, so relying solely on conventional network security methods like VPN may no longer be effective. As an alternative, businesses must prepare to implement a Secure Access Service Edge architecture that guarantees enhanced network connectivity and security.

With Secure Access Service Edge, organizations can ensure that the required resources are allocated based on the employee's identity than their location. While VPN's methodology of offering broad access to the network once authorized might put the corporate network at risk, ZTNA, one of the core technologies of Secure Access Service Edge, tackles this issue by offering limited, granular access to specific applications and resources.

As the future of healthcare gets a distributed touch, with administrators working from home and physicians providing consultations over video calls, this technology will ensure a better patient experience.

Finally, leveraging the cloud's capability to collaborate, unified endpoint management solutions have been integrating with other security solutions like Identity and Access Management, passwordless authentication and Zero Trust solutions.

However, before re-architecting and re-platforming, organizations must re-evaluate their current security posture and opt for solutions that can satisfy the requirements of their futuristic business model.

Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.