Cyber Assessments and Patient Security: Looking Back at Key Themes from HIMSS 2019

By Fortinet | February 28, 2019

From February 11th to 15th, more than 42,000 individuals in the healthcare and technology fields gathered in Orlando, FL for HIMSS 2019. At this year’s conference, attendees heard from experts about healthcare IT and how new technologies are impacting security. Key topics centered on interoperability, patient empowerment (specifically with regard to data), and innovation. Other key points of discussion included ransomware, email-based attacks, and GDPR compliance.

Fortinet at HIMSS 2019

At the Fortinet booth, attendees not only heard about the relationship between technology and security, but also observed a solution firsthand. Those who visited had the opportunity to experience a demo of a FortiCamera solution designed to offer secure visibility inside any location. Other points of focus included securing medical devices using intelligent segmentation, reducing complexity while meeting regulatory standards, and staying ahead of cyberthreats with the real-time FortiGuard Threat Map.

In addition to these discussions throughout the week, Fortinet also led several sessions. Among them was a social meet-up that centered on digital and physical security, data protection, and the power of artificial intelligence in healthcare.

Analyzing the State of Cybersecurity in Healthcare

In one of the many education sessions Fortinet offered, Tom Stafford, Vice President & CIO of Halifax Health, a Fortinet customer, led a discussion on the importance of understanding one’s own cybersecurity posture. During this presentation, attendees learned about potential threats facing their organizations and gained an understanding of how to predict and prevent data breaches. One key takeaway was that as organizations begin to assess their cybersecurity posture, it’s important to understand bad actors, their attack methods, and why they are targeting the healthcare industry. 

Another key area of focus was proper security hygiene, and the requirement that organizations have an understanding of their attack surface and the type of information they are trying to protect — including patient records, research data, and medical devices. For Tom Stafford and Halifax Health, this is where Fortinet’s firewalls play a vital role. By working at the firmware level rather than at the software level, Halifax Health has full control and visibility into its traffic, resulting in better protection of patient data.

This session also provided insight into the need for regular assessments and testing, including the use of ethical hackers, whose goal is to find vulnerabilities in an organization’s networks before cybercriminals do. Attendees heard about Halifax Health’s use of ethical hackers and the critical role they play in finding vulnerabilities that could put patients’ lives at risk. By taking steps such as these, security teams can help organizations improve their cybersecurity posture, enabling patient safety and data protection.

Establishing Effective Security Standards

Fortinet’s National Healthcare Practice Lead, Sonia Arista, spoke to an audience about developing a data security program and documenting risk assessments. She began by explaining that when determining how to keep patients and their data safe, healthcare organizations must first analyze their business environment and define the scope of the evaluation.

This initial step should involve speaking to one’s IT team, who can help provide insight as to which areas require a risk assessment. Session attendees learned that solutions will, and should, vary depending on an organization’s customers, data, and technology. Assessments should then be documented in order to define expectations and ensure compliance standards are met, specifically when going through the process of a merger and acquisition (M&A).

Once an assessment is conducted, there should be a variety of people making decisions when it comes to product choices, from infrastructure experts to the C-suite — this is a business imperative that requires an investment of time and other resources. By having a decision-making team with a blend of backgrounds and perspectives, organizations can better prepare for potential threats.

Organizations should also understand regulatory requirements when conducting risk assessments, especially the latest Medical Device Cybersecurity Guidance drafted by the FDA. When managing vendor risk, it is critical to define top priorities from the very beginning in order to bind third parties to an understanding of what their security obligations are. This will enable vendors to be held accountable.

Addressing the Convergence of Physical and Digital Security

Back at the Fortinet booth, Troy Roberts, VP Enhanced Technologies and Customer Success, was joined by Tom Stafford, Erik Devine, CISO at Riverside Healthcare, Jason Dugenio, CIO at Bridgeway Senior Healthcare, and John Lynn, founder of HealthcareScene.com.

During this social meet-up, it was made clear that as the healthcare industry continues to evolve and embrace new technology, digital and physical security can no longer be separate entities. In order for this convergence to be achieved, organizations need to adopt a security fabric architecture. Generally speaking, this architecture:

  • Enables the collaboration of security into a single framework
  • Reduces operational costs
  • Accelerates response and remediation time 

These benefits are important to note due to the various challenges the healthcare industry sees every day. While a top priority is helping patients, this can lead to an environment that is too trusting. During this session, attendees learned about the importance of effectively managing risks in healthcare while understanding the human factor that plays a role in the industry. This applies to both patients and staff members.

Despite coming from different organizations, each CIO stressed the same point – protecting patient data should be about the patient, not about the organization’s reputation. An effective cybersecurity posture is a necessary component of every healthcare organization in order to reduce downtime, which can effectively save a patient’s life.

Attendees also had the opportunity to hear firsthand accounts of how Fortinet helps each of these organizations build an awareness of what is happening across their networks, and how to access and leverage actionable data. One example was from Jason Dugenio, who explained how his organization uses FortiVoice to hold its staff accountable when it comes to communications regarding patient care.

Final Thoughts

The healthcare industry is one that is constantly evolving and embracing new technologies. While these new solutions provide critical advances in patient care, they can also open the door to new vulnerabilities that could put patients and their data at risk. At HIMSS 2019, attendees heard from experts across the healthcare and technology industries to learn what this transformation means for their organizations. Fortinet actively participated in these discussions, both in the exhibition hall and within sessions, and will continue to play a role in securing the healthcare industry and keeping patients safe. 

Read more about Fortinet cybersecurity solutions for healthcare.

See how these organizations are protecting their patients’ data with Fortinet: Atrius Health and UC Irvine Medical.