Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).


How to Protect Sensitive Health-Related Information Against Cyberattacks

Digital transformation has disrupted the healthcare industry. New online platforms and applications are continuously introduced to accommodate the ever-increasing demand of users seeking remote, flexible healthcare options.

Healthcare and patient data is typically represented in various formats, creating a barrier when sharing information between entities. Thankfully, standards such as Fast Healthcare Interoperability Resources (FHIR) have emerged to speed up digital transformation and make it easier to share health data between different applications and services. With the digital transformation of health data, however, deciding who should access a patient's records, and under what circumstances, becomes challenging to control and enforce. Health Relationship Trust (HEART) is a standard that puts the patient in control and outlines a set of specifications for securely authorizing access.

According to a research analyst from Deloitte UK Centre for Health Solutions, more than 90,000 new digital health applications were added to app stores in 2020. This digital trend aims to make healthcare more accessible and efficient for patients and medical staff. At the same time, it also creates opportunities for malicious hackers to carry out data breaches of sensitive patient information. This article will examine how healthcare organizations can securely exchange patient data while complying with privacy laws.

The Rise of Healthcare Cyberattacks

COVID-19 significantly accelerated digitalization as healthcare providers faced the challenge of providing services online during the pandemic. Since then, consumers have begun prioritizing convenience and accessibility as they realized that physical contact to access medical assistance wasn't always necessary. Today, many healthcare organizations consider digital services an effective way to provide better customer experiences and maintain their patients' loyalty. A survey conducted by Deloitte and the Scottsdale Institute found that 92% of technology executives say achieving better patient experience is a top desired outcome of digital transformation.

The rapid digitalization of healthcare has also brought an increased threat of cyberattacks. Since the beginning of COVID-19, healthcare organizations have been highly targeted by cybercriminals due to the large amount of sensitive personal data that became available online. This vulnerability also stems from the fact that the healthcare sector doesn't incorporate a single digital system across different healthcare organizations.

This reality means that health organizations must develop their own digital systems, which are often not sufficiently secured. In fact, 83% of medical imaging devices run on unsupported operating systems, increasing the risk of exposing sensitive medical information. An example of a recent attack was the data security breach of the Shields Healthcare Group in 2022, where a hacker gained access to the company's network server from March 7 to March 21, 2022, accessing the personal information of patients. The data breach could have been prevented if the healthcare provider had a zero-trust approach in place. Such an approach could have helped identify the hacker's presence in the network rather than allowing it to continue for days.

Solutions for Protecting Sensitive Health-related Information

Adopting a robust identity and access management (IAM) system and a scalable security infrastructure should be a priority for healthcare providers to provide an identity platform for digital health services. An IAM system is a security framework that can be implemented to safely share technology resources by authenticating users using a token-based approach. Such a platform would allow healthcare providers to deliver secure login experiences to customers, employees, partners (and other bodies) by establishing a proof of identity and delegating the correct type of access.

Authentication and Authorization

Various agents perform different roles within the healthcare sector: medical personnel, contractors, and patients have different levels of access to medical information. Within an IAM system, authentication and authorization ensure that user access is granted and revoked according to the level of access that the agent should have. With a token-based architecture, the authorization is handled using tokens. The identity server will first authenticate the user and then issue a token that can be presented to determine what data the user is authorized to access. With an effective authentication and authorization mechanism, healthcare providers can ensure the security of user data and prevent unauthorized access to applications.
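The token flow described above, as an added sketch that is not from the original article or any product: an identity server issues a signed token after authentication, and a resource server checks signature, expiry, scope, and patient binding before releasing a FHIR-style resource. The signing key, role names, scope strings, and function names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"demo-signing-key"  # constructed; a real identity server uses managed keys
# Hypothetical role-to-scope mapping for the three agent types named above.
ROLE_SCOPES = {
    "clinician": ["Patient.read", "Observation.read", "Observation.write"],
    "contractor": ["Appointment.read"],
    "patient": ["Patient.read", "Observation.read"],
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue_token(subject, role, patient_id=None, ttl=300, now=None):
    """Identity server side: called only after the user has authenticated."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "role": role, "scope": ROLE_SCOPES[role],
              "patient": patient_id, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def authorize(token, resource_type, action, patient_id, now=None):
    """Resource server side: returns (allowed, reason) for one request."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(sig, _sign(body)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if now >= claims["exp"]:
        return False, "expired"
    if f"{resource_type}.{action}" not in claims["scope"]:
        return False, "scope not granted"
    # A patient-bound token may only touch that patient's own records.
    if claims["patient"] is not None and claims["patient"] != patient_id:
        return False, "wrong patient"
    return True, "ok"
```

Short token lifetimes are what make revocation practical here: once a role changes, the old scopes stop working when the token expires.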

Going Password-less and Multi-Factor Authentication

Password-less authentication is an authentication method that doesn't require a password for logging into applications or IT systems. Since passwords can easily be leaked, password-less authentication instead lets the user access applications and services through mobile phone applications, fingerprint, voice or facial recognition, or software tokens/certificates. Password-less authentication is often used with multi-factor authentication and single sign-on (SSO), as these methods combined increase log-in efficiency while maintaining a higher security level. To offer password-less logins, healthcare providers should consider adopting WebAuthn. This API can allow a web service, for example, to incorporate robust authenticators, giving users various options to authenticate.

Multi-factor authentication (MFA) is a complementary option to SSO that aids in proving the identity of the user and securing information. It is a popular authentication method as it relies on multiple factors when giving access to the user. With MFA, the user must verify their identity twice (or more) before gaining access to the system or service, either through a code generated by the Google Authenticator app, via an email link, or through a hardware security key. MFA enforces stricter authentication requirements and ensures stronger user authentication. MFA is often implemented for resources and data under more stringent control.

Conclusion

Massive amounts of sensitive data flow between digital apps, medical devices, and services in healthcare organizations. Much of this data is essential information that hackers can easily access unless strong security measures are in place. Protecting this information can be achieved by implementing a robust identity and access management system to delegate the proper access to the right type of resources.

Jonas Iggbom
Director of Sales Engineering at Curity, Jonas Iggbom has over 20 years of experience in product management and technical sales in access control and endpoint security. His expertise lies in identity and access management, and access control solutions for privileged users, databases, and applications. In his free time, he likes to bike, hike, ski, and travel.
