
By Regan Gardiner
An organization can take a passive or active defense to cyber threats, but the best option is to create a balance of both. Hospitals, clinics, laboratories and health insurers are challenged every day with finding the balance between using cutting-edge medical systems to save lives and keeping up with the threats that would try to exploit those systems to steal patients’ health information, spread malware and hold a hospital’s network ransom.
A passive security posture relies on the establishment of policies and controls regarding the use of applications, services and networks to defend a network. Best practices include configuring rules, access control lists (ACLs), firewalls, rules-based access controls (RBAC), group policy objects (GPOs) and other controls on systems, software and networks. User access is limited to only the specific data, resources and applications needed to complete a required task. An inherent weakness of a passive security posture is policy management. If not properly maintained, policies can become outdated, introducing unnecessary risk to the network. If not properly planned, policies may be overly strict, restricting access needed for continued operations and security. Additionally, undefined policies can confuse non-technical staff, which can create procurement roadblocks with vendors.
A Zero Trust model can also be implemented. Zero Trust is a more recent passive security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. All access is compared or measured against the controls.
Alternatively, an active security defense, which includes installing anti-virus and anti-malware software that provides consistent scanning to detect, block, and remove viruses, malware, and ransomware, can serve to prevent identity theft, block phishing attempts, and avoid disruptions in business flow and patient care. In addition, utilizing industry best practices, budgeting for continuous network improvements, and proactively scanning for system vulnerabilities such as unsupported operating systems, missing patches, and configuration weaknesses can aggressively protect an organization’s IT assets.
In an active security posture environment, attention to cybersecurity threat intelligence information is critical to identifying emerging trends. Threat intelligence also helps organizations make faster, more informed security decisions and change their behavior from reactive to proactive to mitigate risks and combat attacks. Full-scope testing provided by an external service can expose network weaknesses and is critical to making a network team aware of where specific improvements can be made. One consideration with active scanning is that it can consume significant machine resources and burden systems, or saturate networks, making applications or services slower and less reliable and reducing critical functionality.
Finding a balance in defending a health care organization’s network can be done by blending both passive and active defenses. Achieving a combined approach, leveraging the strengths of each and mitigating the weaknesses of either, is a process that begins here:
- Start with a strategic plan for cybersecurity that includes consensus or agreement from organizational leadership, finance, legal, front-line operations staff and IT.
- Proactively engage cybersecurity resources in equipment planning and purchasing.
- Seek solutions with vendors on security options instead of deploying systems that do not meet the cybersecurity strategic plan.
- Create a strong partnership between your cybersecurity and procurement teams to ensure that system standardizations are utilized.
- Provide and require information assurance awareness training for all staff.
- Provide required training to support staff on monitoring active vulnerabilities on the medical systems they support, arming them with knowledge of known threats and counter-active procedures once detected.
- Perform routine risk assessments and network penetration testing as part of a risk management plan that would actively seek and deploy mitigating measures.
Securing a network will always present new challenges. If an organization balances both sides of cybersecurity, active and passive defenses, it can successfully secure its network from external and internal threats.
Regan Gardiner is a technical project manager with Blue Water Thinking LLC, supporting the VHA VISN 21 Healthcare Technology Management (HTM) Team as it prepares for its electronic health record transition to Cerner. She previously supported the Defense Health Agency’s MHS Genesis deployment and has a background in Health Information Technology Management.
