Managed IT Security for Healthcare

Written by Zach DeMeyer on March 27, 2020


In nearly every industry, businesses rely on managed service providers (MSPs) to ensure their IT infrastructure is taken care of, from day-to-day operations to long-term security posture. Nowhere is the need for security more prevalent than in healthcare, the most cyberattacked industry worldwide. Let’s talk about security for healthcare and what an MSP can do to help.

Why Does Healthcare Need Security?

Healthcare has been the most attacked industry worldwide for several years running. Compared to other industries, healthcare holds highly valuable data and has historically lacked experienced cybersecurity personnel.

Highly Valuable Data

A common thread among healthcare organizations is electronic personal health information, or ePHI. ePHI consists of multiple key data points about a person, ranging from their name and address to their health status and insurance information. As such, ePHI is both hyper-sensitive and incredibly damaging if compromised, making it a lucrative target for attackers.

Given the critical nature of ePHI, all U.S.-based healthcare organizations are required to achieve HIPAA (Health Insurance Portability and Accountability Act) compliance. Unbeknownst to some, compliance and security are not equivalent, but compliance regulations do lay the framework for strong security practices. 

Inexperienced Security Personnel

With an industry centered around crucial data and HIPAA compliance, healthcare professionals should be tuned in to cybersecurity best practices. Unfortunately, doctors and other healthcare professionals tend to be less aware of security issues than the general population. A Mediapro survey found that 78% of healthcare employees scored a “Novice” level security awareness or lower, with half of the employees surveyed admitting to activities that pose grave security risks.

Given the high-stress environment that healthcare professionals face, it makes sense that they may not be as cognizant of security best practices. Because of this, many healthcare organizations turn to MSPs to manage their IT environment. So, what can an MSP do to help?

3 Tips For Healthcare Security 

1. Identity Management

Managing client identities is paramount to keeping their environments secure. Although there are many facets of identity management, two key criteria are:

Password Management

Make sure all client passwords in use are complex and unique. Comparing passwords to a deny list of commonly breached passwords reduces the risk of bot-based brute-force attacks. Some MSPs may even need to enforce mandatory password rotation (although it may not be a best practice for some clients).
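The deny-list and uniqueness checks described above can be run over a batch of candidate passwords before they are set. The following is an added example, not code from the original article; the deny list, the minimum length, the function names and the sample accounts are all constructed assumptions.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample deny list; a real one is loaded from a breached-password corpus.
DENY_LIST = {"password", "welcome", "letmein", "qwerty", "hospital"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article
# Substitutions that cracking wordlist rules already try, so they add no strength.
LEET = str.maketrans("@4031!$57", "aaoelisst")

def base_words(password):
    """Return the plain words a password reduces to once decoration is removed."""
    text = unicodedata.normalize("NFKC", password).casefold()
    trimmed = re.sub(r"[\d\W_]+$", "", text)  # drop suffixes such as "2020!"
    forms = {text, trimmed, text.translate(LEET), trimmed.translate(LEET)}
    return {re.sub(r"[^a-z]", "", form) for form in forms}

def screen(batch):
    """Map each account name to the reasons its candidate password is rejected."""
    reuse = Counter(batch.values())
    findings = {}
    for account, password in batch.items():
        reasons = []
        if len(password) < MIN_LENGTH:
            reasons.append("too short")
        if base_words(password) & DENY_LIST:
            reasons.append("on deny list")
        if account.casefold() in password.casefold():
            reasons.append("contains account name")
        if reuse[password] > 1:
            reasons.append("reused across accounts")
        findings[account] = reasons
    return findings

# Constructed sample batch of account -> candidate password.
SAMPLE = {
    "jsmith": "P@ssw0rd2020!",
    "front-desk": "Hospita1",
    "mlee": "mlee-Radiology-77",
    "billing": "tidal-Copper-anvil-93",
    "records": "tidal-Copper-anvil-93",
    "dr.patel": "quartz-Lantern-fjord-18",
}

if __name__ == "__main__":
    for account, reasons in screen(SAMPLE).items():
        print(account, "OK" if not reasons else "; ".join(reasons))
```

A password that looks complex, such as the first sample, is still rejected because it reduces to a deny-listed word once the substitutions and the trailing year are stripped.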

MFA Everywhere

Although strong passwords keep low-level attacks at bay, adding multi-factor authentication (MFA) strengthens authentication further. MFA significantly cuts down on the possibility of a breach thanks to the addition of a second factor that is more difficult to compromise than conventional credentials. By adding MFA at the system, application, and even network levels, MSPs can rest assured that their healthcare clients’ data is tougher to crack.

2. Access Control

Beyond controlling how client identities authenticate, MSPs must also control what those identities have access to. Limiting ePHI access is crucial to both security and compliance, so MSPs need to lock down which users and systems can access ePHI data storage/applications and tighten sharing rights as well.

Although slightly outside the purview of access control, full disk encryption (FDE) also plays a big role in securing ePHI. There are a stunning number of cases where a healthcare company has been breached due to unencrypted systems. By encrypting data at rest with FDE, MSPs not only protect their healthcare clients from losing data after a theft, but also save face themselves.

3. Awareness Training

Given the severity of a healthcare security incident, it’s imperative that MSPs instruct their healthcare clients about proper security techniques. Whether in person or remotely through a learning management system (LMS), MSPs need to teach their healthcare clients to spot threats, such as phishing, and deal with them before they become full-scale problems.

Next Steps

If you’re an MSP looking to stand up managed IT security for healthcare clients, please contact our Partner team. We work directly with MSPs to solve their identity and access management needs.
