Increasing complexity in healthcare leads to increased risk
The healthcare sector not only faces a greater number of threats from cyber attacks than other industries, it could also be one of the industries most vulnerable to them. These cybersecurity vulnerabilities were highlighted most clearly by the recent attack on the UK's NHS this August, which resulted in widespread outages across the NHS.
Today, the healthcare industry continues to digitalise to ensure its resilience while improving the quality of care. This transformation has most recently, and rapidly, been driven by the Covid-19 pandemic, which called on the industry to add new dimensions to the way that care is delivered to patients as well as increase the efficiency of overwhelmed healthcare systems. This resulted in the addition of new and innovative processes and applications such as telemedicine and the adoption of AI capabilities such as chatbots and real-time data analytics like medical imaging. However, new technological additions also introduce new vulnerabilities and cyber risks into healthcare systems.
This environment is made more challenging by the fact that the sector is already made up of a complex web of systems which are all responsible for critical information and processes that are interdependent and oversee elements from patient health and care all the way to administrative functions.
The increased complexity that results from this ever-changing and increasingly digital environment is muddying the ability of healthcare to maintain a clear and comprehensive view of all these connected systems, making it difficult to identify, understand and act on any vulnerabilities or threats to business-critical applications such as enterprise resource planning (ERP) systems.
While ERP systems are used in every industry, in healthcare these systems are responsible for improving the accessibility and quality of patient care by streamlining and reducing both operating costs, which subsequently reduces the cost of healthcare, and clinical errors, thereby helping to improve patient outcomes.
Because malicious actors who exploit these vulnerabilities to gain access to these applications could cause devastating consequences for both patients and medical practitioners, or compromise entire healthcare systems, it is vital that the healthcare industry ensure the protection of business-critical applications.
Mitigating the risk of third-party sources
The nature of healthcare systems often means that they are reliant on third-party providers for various parts of health services and applications. Many of these third-party systems could potentially connect back to business-critical systems, exposing them to the possibility of a breach. For example, if SAP trusts a third-party system, but that third-party system is insecure, then that is a ripe attack target that can be exploited and used to gain access to critical systems. However, by making use of tools such as automated security testing that is specifically designed for SAP applications, healthcare organizations can analyze both internal and third-party custom code throughout the development lifecycle to ensure that any changes are not introducing risk to critical systems.
Protecting critical applications in cloud environments
Healthcare organizations are increasingly leveraging the cloud to unlock value from the large amounts of data that the sector already collects, processes and stores. However, the rapid adoption of cloud has also brought with it an increase in security and data privacy compliance concerns.
This is because companies, in their rush to digitize everything, favor velocity of project completion over the security of these projects, which can result in increased risks and vulnerable applications that connect to foundational business-critical systems such as billing or supply chain from SAP. This becomes a larger problem due to the lack of visibility into the true risk of a complex, yet critical, ERP landscape.
Minimizing this risk requires visibility into business-critical application layers within the cloud, whether deployed on private, public or hybrid cloud environments. This enables organizations to identify and understand which activities are putting critical applications at risk as well as the impact of new and existing vulnerabilities while empowering security teams to respond swiftly and accordingly.
Addressing threats and interconnected risks
When it comes to security, the old adage remains true -- the best defense is a good offense. This means a proactive approach, which reduces vulnerabilities within business-critical applications and ensures that systems are hardened and not exploitable, is preferable to a reactive approach, which responds to threats that have already become a reality.
This is particularly true for critical infrastructure such as healthcare: when healthcare systems come under attack, their ability to provide necessary patient care is impeded, resulting in serious implications for citizens and the country as a whole.
Healthcare is an essential part of any country’s infrastructure which prevents disease, improves the quality of life, and contributes significantly to the economic health and growth of any nation. Therefore, we must ensure that healthcare systems are protected as extensively and swiftly as possible.
JP Perez-Etchegoyen is CTO of Onapsis.