Cybersecurity For The Healthcare Industry

My first reaction when someone asks me about “cybersecurity for (insert specific industry)” is always to respond with this instant quip: “cybersecurity is the same for everyone, across every sector!”  Period.  End of my blog post on cybersecurity for the healthcare industry.  Wasn’t that a completely out-of-character quick read?

Then I start hearing the objections.

But what about HIPAA? And HITECH?

So, you’re not really talking about security.  You’re talking about compliance.  About regulatory issues.  Then, why yes, every industry is somewhat different.  And I say somewhat because, while on the surface all these regulations may seem different, from a cybersecurity standpoint, lo and behold, they’re all very similar.  Do you know why?  First, most (if not all) of them reference NIST’s frameworks as a benchmark.  Second, when you start talking about perimeter defense, network monitoring, threat analysis, incident response, remote workers, IoT, cloud and the various fashionable terms of the day, the solutions for security are always the same.  Regardless of your sector.

FW, IPS, VPN, Web filtering, email protection, cloud security – providers won’t sell you a different one simply because you’re a healthcare provider.  They’re all the same.  And things like policies, procedures, information, user training – those are the same as well.  Case in point, our clients use the same exact solutions no matter which sector they operate within.

So, what’s the difference? Is there even one?

Well, yes, in some aspects, there are some differences but again, these pertain more to risk and requirements, which brings me back to compliance and regulations.

One thing I HAVE learned by doing this for hospitals is that these entities can’t afford downtime.  You may look at me with a surprised expression, but it’s true.  When you go in for an emergency CAT scan at 3AM, the radiologist on call isn’t in the hospital anymore.  No, he’s comfortably home, sleeping.  Staff on duty take your images and call him.  He then logs onto a server and reviews those images, types in his assessment, and goes back to bed.

That’s it.

Now you see why the Internet is fundamental here?

If you’re in the ER at 3AM and they’re taking an image of your brain, chances are you hit your head somewhere (and quite badly).  Knowing immediately if there’s an issue can truly make the difference between life and death.  Your life and your death.  And that’s the core difference for healthcare, I suppose.

No other sector has such a fundamental need, i.e., saving lives. Therefore, the internet needs to be available, always up, and well protected, to ensure your scan can be read within minutes; otherwise your life could be in jeopardy.

Back to the original question – is there then a cybersecurity specific for the healthcare industry?  No, not really.  While there are tons of regulations and requirements to comply with, the ones related to cybersecurity are pretty much the same.

So, don’t think you’re unique and different when in truth, yours is merely another network on the Internet.  Another target for hackers all across the globe.  True, your treasures might be different, but how they’ll attempt to breach your walls to get to them, and how you can mount defenses against their attacks, will always be the same.