Last week, we looked at some of the emerging cybersecurity healthcare hazards in 2019, from ransomware to crypto. As healthcare continues to become more and more connected, the MSP’s role has never been more significant, especially with smaller to medium-sized healthcare enterprises.
This week we continued our conversation with experts, looking at the growing role of an MSP in healthcare. SmarterMSP spoke with two health security specialists: Eerke Boiten, Professor in Cyber Security and Director of the Cyber Technology Institute at De Montfort University in Leicester, UK, and Hussain Aldawood, from the University of Newcastle in Australia.
Why an MSP?
Healthcare’s growth as an MSP client segment has been explosive in the past five years and the opportunities are only increasing. The marriage between providers and MSPs is symbiotic and logical; healthcare professionals are focused on treating, not phishing. MSPs often make the most sense for the small-town hospital, local sports medicine clinic, or cosmetic dentistry practice.
“As information technology and security are not the core business of hospitals, a lot of them usually outsource these services to a third party,” observes Aldawood, referring to MSPs.
The growing digitization of healthcare and the integration of IoT has created more attack surfaces to defend, which has made the role of the MSP even more crucial. Your doctor may be operating on you, but an MSP is often handing him or her a virtual scalpel. MSPs have cemented themselves as indispensable partners in all areas of the healthcare ecosystem.
While the role of MSPs in care has grown, so too have the security vulnerabilities. The trove of data in healthcare is irresistible to hackers.
“Cybersecurity risks and cyber threats in the healthcare sector continue to become more complex. As a result, hackers may target healthcare organizations to steal data or ensure that they are not able to access their data until a ransom is paid. If a vendor compromises patient data in one way or another, we can then see major consequences,” describes Aldawood.
The proliferation of wearables, portables, and mobile healthcare technology is adding another layer of security complexity. Most healthcare organizations aren’t equipped to handle this complexity, but MSPs are.
Training and education, paired with top-of-the-line tools, is the best defense for an MSP in the healthcare trenches. “No tool is more valuable than training ever, especially when it comes to wearables and portable devices,” advises Aldawood.
The most significant vulnerability that healthcare organizations still face is targeted phishing attacks. “This applies to hospitals and physician networks, as they carry so much personal and sensitive data,” states Aldawood.
Innocent online searches can yield a trove of data for a bad actor. “Try searching for any product on the Internet. Go to their Facebook or Instagram after a couple of hours. They will most likely notice that they have been targeted by marketing in their feed based on their previous search,” details Aldawood.
“Additionally, the same data from the previous search is likely also sent to different organizations. As a result, we can observe that people’s behaviors online are no longer private, leaving them open for targeted or phishing ransomware attacks,” Aldawood says.
Defending against a phishing attack is where the security tools that an MSP wields are crucial. “To better protect the healthcare environment and keep infrastructure safe, a significant investment in the latest security tools and protocols must be made,” notes Aldawood.
The future of MSPs and healthcare
Boiten predicts that ransomware and phishing attacks will still need to be contended with, but his concern for the future focuses on patient data protection. MSPs need to have a plan in place to secure data far beyond the minimum requirements.
“Apart from malware affecting the systems, I also worry about patient data,” admits Boiten. His worry goes beyond the traditional fear that data will end up in the hands of insurance companies looking to spike policy prices.
“With the large amounts of behavioral and location information that is collected by internet giants, I think the more worrying future is where the data ends up,” states Boiten. He adds that the information will likely be available to intelligence organizations, making it possible to be used for full-scale surveillance and control.
Boiten points to some internet giants that are currently looking at and harvesting data well beyond the scope of the company mission. He says the technological tools are there to keep data safe.
“Protecting the confidentiality of e-health data is possible with current technology, and likely integrity as well. However, integrity becomes a more serious risk than with other applications, if we look at an adversary modifying a medical instrument reading or a medicinal dosage. The significant risks are at the systemic level from feature creep and data hoarding, rather than third-party attacks on e-health systems,” acknowledges Boiten.