Healthcare organizations face increasingly complicated cyber threats, from targeted ransomware attacks to cascading effects caused by third-party outages. With the stakes rising, a more comprehensive approach to cybersecurity is needed to protect digital systems, patient safety and operational continuity.
Healthcare facilities can bolster their defenses by focusing on three key areas: basic cyber hygiene, information sharing and building resilience. Each pillar plays a vital role in constructing a well-rounded cybersecurity strategy.
1: Basic cyber hygiene
Implementing basic cyber hygiene sets the foundation for any robust cybersecurity program. There are three main points to home in on, according to Errol Weiss, chief security officer at Health-ISAC:
- Keep up to date on security patches.
- Back up systems and ensure the backups work properly.
- Use multifactor authentication (MFA) everywhere remote access is allowed.
Weiss puts a finer point on MFA, saying that healthcare organizations should regularly audit every account and make sure all accounts are using MFA.
“I think about some of the large incidents that happened last year between Ascension Healthcare and Change Healthcare," says Weiss. “The root cause of both of those were the failure to have MFA enabled for everyone on certain remote access gateways.”
2: Leveraging information sharing
In healthcare cybersecurity, no one facility is just an island by themselves. Cyberattacks can ripple across different facilities and organizations, ultimately entangling everyone in a giant mess. A way to counteract this is to share information with each other and even join information sharing communities.
Information Sharing and Analysis Centers (ISACs) are one form of that, as they’re sector-specific groups that share cybersecurity threats and best practices. However, there are even more resources healthcare facilities can tap into beyond ISACs, says Weiss. Some are locally-based, and others are organized by critical infrastructure sectors.
“The whole idea is that you’re leveraging the power of the community and learning from it,” says Weiss.
3: Investing in resilience and redundancy
While a glut of focus in healthcare cybersecurity is fixated on threat detection and prevention, recent events highlight the need for a broader approach. Resilience and redundancy – which is the ability to keep operations going during unexpected disruptions – are becoming equally as critical as firewalls and antivirus software.
Case in point: the 2024 CrowdStrike outage. This served as a wake-up call for many in the healthcare sector, showing how just a single faulty update could cripple systems worldwide. For some hospitals, it felt no different from a ransomware attack, according to Weiss.
“That faulty update from CrowdStrike really served as a reminder that in information security, it’s not just about ‘security’ in the traditional sense,” says Weiss. “Your information security program needs to be a critical part of your overall resilience strategy. What I mean by that is that infrastructure teams need to be involved in the planning process for what happens when major IT systems go down and become unavailable.”
Success wasn’t determined by the strength of a cybersecurity system alone in moments like these. Instead, it was determined by how well organizations had prepared for downtime. Healthcare facilities that had regularly practiced and refined their backup and contingency procedures were able to maintain their continuity of care.
“This was a good reminder that it's not just about cybersecurity,” says Weiss. “Resilience is a key part of any good security strategy.”
Jeff Wardon, Jr., is the assistant editor of the facilities market.