5 minute read 29 Feb 2024


Why healthcare systems need a cyber mesh architecture
Cyber Perspectives

Why modern healthcare systems need to leverage cyber mesh architecture

By Puneet Kukreja

EY UK & Ireland Cyber Security Leader

As the EY UK & Ireland Cyber Leader Puneet is passionate about building client centric, growth focused high-performing delivery organisations which are engineering led and powered by managed services.


The healthcare sector’s digital evolution has advanced patient care while amplifying the complexity of cyber threats.

In brief
  • Today’s healthcare organisations operate in a highly complex environment and are reliant on a wide ecosystem of third and fourth-party service providers.
  • The dependence of healthcare organisations on outdated legacy infrastructure and unpatched systems presents severe cyber challenges.
  • Healthcare organisations must look beyond Zero Trust and employ cybersecurity mesh architecture to address cybersecurity issues.

The integration of connected devices in healthcare is potentially transformative, promising better patient care, improved diagnostics, and streamlined operations. These devices include wearable health trackers, remote patient monitoring tools, smart medical devices, and even the incorporation of IoT in hospital operations. They provide real-time data and analytics, enabling healthcare providers to make informed decisions and enhance patient care.

However, the rapid adoption of these technologies has exposed the healthcare sector to a host of cybersecurity challenges, exacerbated by a lack of investment in cybersecurity infrastructure. Connected devices collect and transmit sensitive patient data. Protecting this data from breaches is paramount, as unauthorised access can lead to identity theft, fraud or even endanger patients’ lives.

Many connected devices lack robust security features, making them vulnerable to cyberattacks.

There are also regulatory challenges. Healthcare organisations must adhere to stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the upcoming NIS2 Directive in Europe. Non-compliance can result in severe penalties.

These challenges are aggravated by a reliance on outdated legacy infrastructure. Many healthcare organisations are still dependent on old and unsupported operating systems and software, making them more susceptible to security vulnerabilities. These older systems are often not patched and updated in a timely manner, leaving them exposed to known threats. And they are frequently incompatible with modern cybersecurity solutions, complicating efforts to secure the infrastructure.

Need to secure multiple threat points

There is no easy solution to these challenges. Replacing legacy infrastructure requires significant financial investment, and many healthcare organisations are severely constrained by limited budgets and rising costs. Furthermore, the interconnectedness of highly complex healthcare systems renders standard security solutions largely ineffective.

The way the healthcare sector functions and the manner in which services are provided to it creates what is best described as an “elastic perimeter.”

Healthcare organisations deal with a range of third and fourth-party service providers, including labs, GP surgeries, other health professionals, and technology providers. Each of these brings its own cyber exposures and vulnerabilities.

Patient care is now delivered at multiple locations with multiple actors involved. Each of these actors needs to share patient data, and each operates its own separate and distinct systems. We cannot ask the healthcare system to redesign itself to accommodate security solutions; the solution must be designed to meet the needs of the system.

Assess the threat of your ‘elastic’ perimeter

In essence, this means that the Zero Trust architecture now favoured by the great majority of organisations around the world will not work for healthcare systems. It is simply not designed to deal with the highly complex nature of healthcare systems.

In the case where the organisation concerned is a hospital, its expertise lies in patient care, not in the design of technology systems. If it requires an electronic health record (EHR) system for patients, it will go to a third-party provider for one. If that EHR system needs to take APIs from the Department of Social Protection or other data sources, those sources become fourth parties.

In these circumstances, if the hospital wants to authenticate an IP address, that address might not have come from the third-party EHR provider at all: it might have come from a fourth party, and it may actually originate from a breach at that organisation. But the hospital has no direct relationship with the fourth parties and no way of verifying their security arrangements. It is left in the position of having to trust the third party to do so.


This is what creates the elastic perimeter. The hospital has one relatively fixed perimeter defined by its connections with third parties, but that perimeter becomes elastic because of those third parties' own connections with fourth parties.


In securing this elastic perimeter, the first step is to review the contracts with third parties to ensure they have the systems and governance in place to be alerted to breaches in fourth parties and an obligation to inform the hospital of all breaches.

The existing systems within the hospital will likely not lend themselves to a single solution like Zero Trust or Secure by Design.

You can’t just throw out large electronic health record systems or electronic patient management systems, because the costs would run into hundreds of millions of euros. And that’s before dealing with the regulatory aspects of replacing such sensitive systems. This means these systems require their own security solutions, and will continue to do so until the organisation has the resources to update them.

This is where Zero Trust breaks down. Applications utilising Zero Trust will not be able to accept data from those legacy systems because they are not within the Zero Trust perimeter.

Building a ‘mesh’ of secure design

That means the organisation needs to implement a mesh security architecture which is uniquely suited to meeting the needs of healthcare organisations.

At its most basic, a cybersecurity mesh architecture (CSMA) enables the extension of security controls across widely distributed assets. It is highly flexible and well suited to modular approaches such as hybrid and multi-cloud architectures, where data is held in multiple locations both on and off premises.

It doesn’t require the organisation to throw out or replace anything it already has. It provides a means of bringing together the multiple systems and solutions and giving the organisation control over them. And when the resources become available to replace existing systems, the new systems can be accommodated seamlessly. It builds on the security investments already made by the organisation instead of demanding huge investments in new systems and infrastructure.

This does not mean discarding defence in depth, Secure by Design or Zero Trust. But in the healthcare industry, or in a critical infrastructure environment with legacy systems in place, there are large numbers of third-party and fourth-party involvements, and the focus is on interoperability and collaboration. Zero Trust and defence in depth can be an inhibitor to both.

Implementation of a cybersecurity mesh fosters interoperability and collaboration among various healthcare entities, enabling swift threat detection and response while safeguarding sensitive patient data.

By prioritising proactive risk mitigation strategies and investing in innovative security frameworks, the health sector can mitigate vulnerabilities, safeguard patient privacy, and uphold the trust of stakeholders in an increasingly interconnected landscape.

Adoption of CSMA can help bolster the resilience of the healthcare sector against evolving cyber threats. By decentralising security controls and emphasising identity-based access, organisations can establish a robust defence mechanism that adapts to the dynamic nature of modern healthcare ecosystems.

Summary

The combination of a complex multi-stakeholder operating environment and a high level of dependence on outdated legacy infrastructure presents healthcare organisations with acute cybersecurity challenges. Solutions like Zero Trust will not in isolation solve the problem. Instead, CSMA, which has the flexibility to accommodate existing systems and cyber solutions while delivering robust security levels, is required. CSMA will serve as a pivotal enabler for the widespread adoption of AI in healthcare. This security-centric approach ensures the integrity and confidentiality of sensitive patient data, bolstering trust among stakeholders while facilitating the seamless implementation of AI-driven solutions.
