Beyond the Hype of Healthcare Cybersecurity Software
A hammer without a carpenter is useless, a scalpel without a surgeon is useless, and cybersecurity software without a cyber professional is useless. Although it might not seem obvious, cybersecurity itself is not difficult. On the surface it may appear complex, but the reality is that much of this ‘complexity’ is hyperbolic. When push comes to shove, complexity is simply a tool used by the cybersecurity industry to upsell services and cyber products. The more complex a job appears, the more a software company can charge for their so-called ‘cybersecurity solutions’. This is a very common trend seen throughout the healthcare sector, and it is something that fails to get the level of attention that it deserves.
Every industry has to worry about cybersecurity to some degree, but the healthcare industry faces some unique challenges due to the stringent, yet somehow very vague HIPAA regulations which declare the need for robust cybersecurity but provide very little guidance on how to achieve it. Pair this with high volumes of sensitive patient data, limited funding for cyber initiatives, and the complexity of daily operations, and the industry is left with a recipe for disaster. As doctors and covered entities work to save lives and help people, they are also forced to grapple with the added stress of ensuring cybersecurity compliance and protecting their patients’ privacy.
Protecting patient data is not only a legal obligation under the HIPAA regulations either; it comes with a fair amount of social pressure and ethical expectations as well. As patients become more aware of the value of their protected health information (PHI) which is sometimes mistakenly referred to as ‘personal health information’, there is a notable increase in the amount of protection that these patients expect from their healthcare providers. According to recent studies, the rate at which healthcare providers are attacked by cybercriminals is more than double that of any other industry operating in the public sphere. This fairly recent shift in social awareness paired with a significant increase in cybercrime activities against healthcare companies within the past decade has led to a cybersecurity ‘gold rush’ that has unfortunately brought circling vultures.
It seems that almost every major cybersecurity and IT provider in the market today sells some type of “miracle” cybersecurity software, promising that their tool will solve all of the world’s security problems and ensure compliance across the board with ease, but in reality, these products are merely a half measure. Putting aside the notable increase in cybercrime against the healthcare industry of late, many healthcare providers still mistakenly believe that buying the latest cyber software is some type of magic bullet for ensuring HIPAA compliance and the security of their systems, but simply put, cybersecurity goes far beyond implementing software tools. Without proper management and analysis of the data collected by these tools, healthcare companies are falling into a very familiar trap of “false security”. This lack of real security leaves the providers open to a vast amount of risk and opens the door to potential fines, legal action, and loss of clientele.
It is pretty obvious to see how a miracle software tool would seem enticing to a healthcare company, and it makes sense that it is tempting to want to place trust in expensive products marketed as catch-all solutions, but all too often healthcare providers invest in these systems without considering how well they actually integrate with their current infrastructure or how much work is required to operate them efficiently. Usually, these tools demand a high level of administrative overhead support to spin up and maintain, and even after they are running smoothly, they still require a trained professional to assess, analyze, and act on the risks that have been identified. This misunderstanding of scope regularly leads to software inadequacy over time, or even worse – a massive secondary investment in additional security solutions to supplement the software that is being poorly utilized. Although software can be a useful tool when properly managed, for healthcare providers who want a very hands-off approach to cybersecurity, software often has the opposite effect.
In an effort to appear valuable, these tools generate massive reports full of lengthy yet meaningless lists of technical jargon that do not add any real value to the healthcare practice. These reports certainly look impressive and have all the important buzzwords included but they fail to address core vulnerabilities or provide actionable insight into reducing an organization’s operational or strategic risk. These bloated reports, regardless of the content contained therein, are ultimately useless if there is no actionable guidance on remediating the vulnerabilities identified. Generally speaking, this is something that only a trained cybersecurity professional can provide.
Another key drawback with software solutions alone is that they do not offer flexibility in their structure, pricing, or mechanisms of implementation. Many software solutions are sold in pre-bundled packages that are very rigid and leave clients either paying for services they don’t need or underpaying and not getting the appropriate level of protection they should have. A quick Google search of “cybersecurity providers” will return countless results of large-scale cybersecurity software companies, all with similarly tiered cybersecurity software packages – none of which are clear, concise, or flexible in their application. In many cases, even after purchasing a tool from one of these cybersecurity companies, users are still not made fully aware of what their software packages include, leading to misconfigurations and underutilization. This gap-level security once again leaves organizations open to a wide array of cyber risks. To make matters worse, many services are sold on a per-user-per-month basis that causes recurring costs to surge dramatically without actually providing any tangible return on investment. As if paying for unnecessary cybersecurity software was not bad enough, healthcare providers are now stuck paying for this software over and over again each month.
So how can healthcare providers and covered entities fix the problem? Simple. Remove the software aspect from the term “cybersecurity software provider”. It may not be common knowledge but there are cybersecurity providers operating in the industry today who have no desire to sell software or hardware. Their primary goal is to sell real cybersecurity. Sometimes referred to as ‘cybersecurity consultants’, ‘cybersecurity management firms’, or simply ‘cybersecurity partners’, these organizations do not just install a bundle of new tools and leave the healthcare providers to figure them out. Instead, they assess the current state of the existing systems, identify risks/vulnerabilities, and design resolution strategies that result in quantifiable decreases in operational risk. When properly integrated within a healthcare company, cybersecurity partners can be considered a part of the practice’s team – dedicated to providing hands-on, practical cybersecurity that provides a real-world ROI.
The dirty truth is that almost every healthcare practice in America already has systems in place that can be optimized to meet incredibly high standards of data protection, without the need for costly upgrades or the implementation of new software tools. Any cybersecurity company that says otherwise is simply trying to make money by preying on their clientele’s lack of awareness. The real key to effective cybersecurity is having a cyber partner that integrates with existing IT infrastructures and focuses on optimizing what is already in place. This type of integration provides a much more robust cybersecurity posture throughout the organization than can be achieved by software alone.
In circumstances where additional software tools or monitoring capabilities may be required, having the guidance of a trusted cybersecurity partner will ensure that there is an appropriate amount of support and analysis baked into the selection and implementation processes. Healthcare providers should be aware however that in many cases, cybersecurity firms and consulting agencies have reseller agreements in place with software vendors, so before making any decisions on what software to purchase, it is always a good idea to confirm that the cybersecurity provider discloses any potential conflicts of interest in this area. This is not to say that just because a cybersecurity provider has a preferred software choice, the selection is entirely self-serving, as in many cases firms choose to only resell products that they are comfortable using and that provide a valuable return for their clients. It is simply something to keep in mind during the vetting process.
Another benefit of partnering with a cybersecurity provider that focuses on personalized approaches to cyber initiatives is they generally have the ability to provide cyber-adjacent services that are usually necessary for understanding the full scope of a practice’s operational risk. Services such as onsite inspections, in-person user awareness training, operational security (OPSEC) assessments, physical security inspections, heatmapping, and policy development/control are not possible with traditional over-the-counter cyber software tools yet are included with many cybersecurity partnerships by default.
Partnering with a cybersecurity provider also represents a high degree of cyber diligence on the part of the healthcare provider and would likely satisfy the security requirements set forth in the HIPAA regulations. When vetting cybersecurity firms for partnerships, it is important to ensure that they have experience supporting HIPAA organizations and understand the level of effort required to support covered entities through pre-audit, audit, and post-audit activities. By partnering with a cybersecurity provider that understands healthcare-specific needs, covered entities can maximize the efficacy of their existing tools, avoid unnecessary spending, and gain greater insights into their systems via the support of trained and certified experts. The beauty of the whole situation is that these cybersecurity partners are almost always significantly more affordable than continually investing in unnecessary software. Traditional security software can range from several thousand to several hundred thousand dollars annually, and that cost is calculated before factoring in the costs of ongoing updates, licenses, training, maintenance, hardware upgrades, business downtime, opportunity costs, etc. Meanwhile, a managed cybersecurity provider that works within an organization’s existing framework can offer robust protection without overhauling the entire system or disrupting the status quo. This leads to a seamless integration, fewer growing pains, and a much lower rejection rate amongst users. This approach is minimally invasive, utilizes tools that are already in place to provide a meaningful assessment of organizational risk, and is presented in a way that is easy for healthcare companies to understand and take action on.
The real point here is that cybersecurity efforts need to be as unique as the healthcare practices in which they are being implemented, and all-in-one software tools are far from the solution. Tailored security measures developed by trusted cybersecurity providers can easily adapt to the specific types and quantities of patient data being handled and the specific regulations that apply to the organization. It is important to remember that regulations in healthcare change, quite frequently in fact, and failure to stay up to date with these changes will result in audit failures and increased risk. When it comes to compliance, HIPAA auditors will generally place far more faith in a dedicated cybersecurity provider than they will in a poorly managed or underutilized software tool; and rightfully so.
Healthcare providers and covered entities should be wary of getting lulled into a false sense of security stemming from ‘magical’ cybersecurity software. Practical cybersecurity is not about software—it is about strategy. Again, software is absolutely a necessary tool, but it is not miraculous. By choosing to work with a cybersecurity partner who understands the unique needs of an organization and can integrate them into existing frameworks, healthcare providers can save significant amounts of money while reducing risk to a level that ensures their compliance and security. The simple fact is that personalized, managed solutions will always outperform one-size-fits-all software tools. Always.