Electronic protected health information (ePHI) includes a wide range of sensitive data such as electronic medical record (EMR) systems and electronic health records (EHRs). This data is crucial to improving healthcare operational efficiency and treatment outcomes. ePHI presents healthcare institutions with data privacy and protection challenges. Healthcare providers need cybersecurity solutions including data protection and data encryption to protect this data against ransomware, malware, data exfiltration, malicious tampering, and other threats. Healthcare cybersecurity solutions need to protect secure confidential data while accommodating remote data accessibility.

The rapid growth of online health services introduces new security challenges. Identity and access management of both patients and doctors is critical. Applications and communications need to be secured using multi-factor authentication and roles-based access controls to prevent data exfiltration or service disruption.

Cybersecurity for medical devices such as bedside monitors, infusion pumps, medical carts, diagnostic platforms, and IoMT devices such as smart pills, smart insulin pens and the latest generation of implantable, is crucial because these devices contain onboard intelligence and points of digital connectivity. They present an increased risk of compromise (takeover) and data exfiltration attacks. Medical device cybersecurity is critical to ensure patient safety and confidentiality. It requires secure design by the equipment developer, and proper asset management by the operator. Medical device communications must also be secure to protect process integrity and data confidentiality.

Building management systems (BMS) are another potential cybersecurity vulnerability. BMS control various critical functions such as power distribution, water distribution, HVAC, elevators, lighting, security systems, and fire systems. These functions are critical in any building, but in a healthcare setting their disruption can have fatal consequences. For example, power disruption to critical care devices, lighting disruption in an operating theater or inoperative elevators can have catastrophic consequences. BMS must be secured with strong access control and network security that includes secure communications between BMS devices and their control systems, and segmentation from other healthcare networks.

Healthcare operators typically upgrade equipment gradually to stay within budgets and minimize the risks of new technology introduction. Consequently, healthcare facilities may operate end of life IT systems, and older OT infrastructure such as blood banks and medical oxygen systems that use legacy SCADA. Legacy equipment often has known vulnerabilities that are difficult or impossible to patch and outdated integration capabilities that can create additional security gaps. Layered security measures are critical to protect these devices and prevent them from being compromised.

Healthcare organizations need to carefully manage multiple supply chain risks. Electronic health records (EHRs), LIS, and billing systems are often provided by third-party vendors and are connected to systems managed by the client, and multiple other institutions. Connected medical devices can be compromised at time of manufacture or post-deployment during software upgrades. Healthcare organizations can protect themselves against supply chain threats with a holistic extension of security policy to cover third-party data exchange and equipment vendors.

A healthcare organization’s cyber defenses must comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) act in the United States, NIS2 and GDPR in Europe. It is important to emphasize that the GDPR has extraterritorial applicability, meaning that any healthcare organization worldwide that treats an EU resident must comply with GDPR.