If you’re a technology provider working in any corner of the healthcare sector, now is a good time to take a fresh look at your security posture. The cybersecurity landscape is more nuanced than ever, featuring highly determined threat actors as well as expanded regulatory scrutiny.
Defending those systems has also become more complex. Companies are struggling to secure aging legacy and on-prem infrastructure while choosing the right security tools and services for highly scalable AWS environments and other cloud platforms. Whatever mix of architectures you run, the safeguards that once kept your systems and data safe may no longer provide the protection you need, and you do not want to wait for a breach before updating your practices.
Let’s look at why now is the right time for healthtech firms to rethink security.
Ransomware and other attacks are growing
Attackers are stepping up their efforts to infiltrate companies across the spectrum, including healthcare provider organizations and the technology companies that support them. The mass exploitation of a vulnerability in the MOVEit Transfer file-transfer product is just one example, and it remains an active incident months after it was first discovered. So far, more than 2,000 organizations and over 55 million people, healthcare firms and patients among them, have been affected. Unfortunately, large-scale cyber events are no longer rare. Entire healthcare systems, comprising multiple large hospitals and dozens of smaller clinical sites, have suffered attacks that kept systems offline for weeks at a time.
What is worrisome for healthtechs is that healthcare organizations themselves are not always the first ones breached. A compromised technology partner can hand an attacker poorly secured data repositories and unprotected network connections that lead to even more lucrative targets. As healthcare providers become savvier about their own cybersecurity, many are recognizing the growing risk posed by downstream technology vendors: if a third-party provider has outdated or insufficient security practices, everyone along the chain becomes more exposed.
Regulatory scrutiny is changing in healthcare
Updated regulatory guidance and new rules are further shaping the security discussion in healthcare. Tracking pixels, including those from Meta, Google, and others, are one significant area of concern. These trackers have likely been embedded in providers' websites and scheduling portals for years without either the organizations or their patients being aware of them. Many consumer-facing healthcare apps also include tracking technology, such as apps used to monitor insulin levels or ovulation cycles. The Health and Human Services (HHS) Office for Civil Rights (OCR) has made it clear that it is scrutinizing the use of these tracking tools by healthcare organizations, telehealth providers, and healthtech partners more closely, warning that sending protected health information to a tracking vendor may constitute a serious and reportable HIPAA breach. Regulators have moved from guidance to action: earlier this year, OCR and the Federal Trade Commission sent joint letters to more than 100 entities about potential data privacy and security violations related to their use of tracking tools, even where those trackers had been present for years.
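The first step in answering OCR's concern is knowing which trackers your own pages load. The following is an added example, not Cloudnexa's code or anything from the regulators: a minimal static scan that parses a page's HTML and flags script, image, iframe and link tags that point at well-known tracker hosts, plus inline scripts that initialise the Meta pixel (`fbq(`) or a Google tag (`gtag(`) or reference a tracker host as a string. The tracker host list, the marker strings and the sample scheduling page are assumptions constructed for illustration; a real audit would crawl every authenticated portal page and also watch network requests in a browser, since tag managers can load further trackers at runtime.

```python
"""Static audit of an HTML page for known third-party tracking technologies.

Added example (not Cloudnexa's code). TRACKER_HOSTS, INLINE_MARKERS and
SAMPLE_PAGE are illustrative assumptions, not an exhaustive tracker list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames commonly observed serving tracking pixels and tag scripts (assumed list).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
}

# Function calls that initialise a tracker from inline JavaScript (assumed list).
INLINE_MARKERS = {
    "fbq(": "Meta Pixel (inline init)",
    "gtag(": "Google tag (inline init)",
}


class TrackerScanner(HTMLParser):
    """Collects (tag, tracker name, evidence) tuples while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        url = attrs.get("src") or attrs.get("href")
        if url and tag in ("script", "img", "iframe", "link"):
            host = urlparse(url).netloc.lower()
            if host in TRACKER_HOSTS:
                self.findings.append((tag, TRACKER_HOSTS[host], url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data, so inline
        # loaders that build the tracker URL in JavaScript are caught here.
        if not self._in_script:
            return
        for host, name in TRACKER_HOSTS.items():
            if host in data:
                self.findings.append(("script", name, "inline reference to " + host))
        for marker, name in INLINE_MARKERS.items():
            if marker in data:
                self.findings.append(("script", name, "inline"))


def scan_html(html):
    """Return a list of (tag, tracker name, evidence) findings for one page."""
    parser = TrackerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a patient scheduling page carrying a GA4 tag and a Meta pixel.
SAMPLE_PAGE = """
<html><head>
<title>Appointment scheduling</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<link rel="stylesheet" href="/static/portal.css">
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Book a visit</h1>
<script src="/static/scheduler.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, name, evidence in scan_html(SAMPLE_PAGE):
        print(f"<{tag}> {name}: {evidence}")
```

Run it against saved copies of your public site, scheduling portal and any authenticated patient pages; every hit is a data flow that needs a business associate agreement, an authorization, or removal.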
Medical device technology firms and manufacturers are also managing recent changes in regulatory requirements. Ongoing worries about a lack of security standards, continued reliance on legacy technology, and the growing attack surface of connected medical devices have led to new cybersecurity requirements from the Food and Drug Administration (FDA) covering, among other elements, vulnerability disclosure and monitoring, a software bill of materials for device components, and security controls in the device design. Parts of the updated guidance replace guidance the FDA issued almost a decade ago.
More technology dependencies in healthcare mean more risks to manage
To expand telehealth and other services while staying focused on their core mission of serving patients, many healthcare organizations rely on a network of technology partners. But as cyber risks, compliance rules, and patient expectations evolve, some of those technology providers may have fallen behind on the latest security concerns and challenges.
Your customers, whether they are patients, care providers, or other technology partners, need you to help protect the networks and data that power the healthcare industry. If you work in or near healthcare, it is time for a thorough review of your risk profile, your practices, the security measures deployed in your AWS environments and any on-prem infrastructure, and your network of technology partners. Questions worth asking:
- Are your own cloud and physical environments secure?
- Does your team consistently apply baseline controls such as patching, least-privilege access, and multi-factor authentication?
- Do you have monitoring and detection in place to surface misconfigurations and intrusions early, rather than learning of them from a customer or regulator?
- Where do you rely on other providers to deliver services?
- When was the last time you discussed your tech partners’ security strategies?
- Where might your solution or service be vulnerable if a downstream technology provider experiences a breach?
- How do your partners ensure patient data is protected against deliberate intrusion as well as accidental disclosure?
Between the escalating threat picture and the changing regulatory environment, any practice or control you have not examined recently could prove less effective than you expect. Legacy infrastructure easily falls behind on security patches and updates. Companies with sensitive cloud environments may not yet use the newer security tools and services AWS offers. Given all of these changes, now is a prime opportunity for healthtech enterprises to review their security and compliance postures and close any gaps that have opened.
Contact Cloudnexa's team of healthcare cybersecurity experts today to help identify and mitigate your organization's security risks, assess your compliance programs, and evaluate the network of downstream suppliers and providers you rely on to deliver your services.