Best Practices for Healthcare Delivery Organizations to Safeguard Sensitive Data in the Age of AI

This Note was originally published in September 2023 and updated in April 2024 to incorporate emerging AI capabilities. 

A goldmine of vulnerable patient data and intellectual property 

Every industry has its own unique concerns, threats and challenges related to cybersecurity. Healthcare organizations, which deal with patient data and other highly sensitive information, are particularly attractive targets to bad actors. 

As AI continues to grow and evolve, balancing innovation with security is essential. Healthcare employees were the cause of 60 percent of cyber risks even before AI was so prevalent. Now, with the democratization of AI, there are new, potentially dangerous tools that are easy to use, such as chatbots and deepfake technologies.

It's important to note that the healthcare industry encompasses a broad group of organizations, including healthcare delivery organizations, insurers and life sciences companies. While each of these segments manages massive amounts of data, the most prominent threats and most effective countermeasures will vary depending on the type of data stored. 

For this article, we are focusing specifically on healthcare delivery organizations (i.e., hospitals, health systems and medical groups) that handle extremely high volumes of patient data, including personal health information (PHI), driver's licenses, insurance cards, social security numbers and more, which are highly valuable targets for any hacker looking for financial gain. Once hackers get ahold of this data, patients are vulnerable to financial damages including identity theft, fraudulent credit card charges and accounts, and loans. 

One of the less intuitive — and most harmful — forms of data theft can happen in pediatric healthcare delivery organizations. Hackers can steal the data of minors for financial exploitation, which may not be discovered for years until those individuals reach adulthood and go through the credit check process. 

Healthcare industry data is also vulnerable to secondary and tertiary extortion. For example, a hospital may be attacked with ransomware and compelled to pay a fee to regain access to critical IT data and services. Months later, the same attackers could demand another ransom with the threat of releasing the data on the dark web. They could also contact individuals whose data was stolen to further exploit them for financial gain. 

Connected medical devices 

Smart devices are becoming ubiquitous in healthcare settings, including implants (pacemakers, defibrillators, etc.), insulin and infusion pumps, telemedicine tools and surgical robots that connect to enterprise networks.

Each of these connected devices introduces risk and vulnerabilities to the organization, including:

• Sensitive patient data is not always properly encrypted.
• Lack of strong security mechanisms such as authentication and authorization.
• Lack of adequate security updates and patching, especially among older legacy devices.
• Various software and hardware components are vulnerable to third-party supply chain risks.
• Patient safety risks if IoT device is breached.

Zero trust security to protect your sensitive data

There are many tools you could invest in to protect your data from bad actors. However, if you want to comprehensively build protection into your security model — and you absolutely should! — zero trust security is the best approach. 

Here are some of the ways zero trust can protect your sensitive information from malicious actors. 

Visibility 

With hundreds of IoT devices in healthcare delivery settings, visibility is an essential foundation of any cybersecurity program. CISOs must first identify key IoT assets and existing network architecture and answer the following questions: 

• What is on my network?
• What is each application and device doing?
• Is that application or device doing what it should be doing?

A comprehensive inventory will help you understand the function, data flow, protocol, firmware and software of each device. 

Network segmentation 

Healthcare enterprise networks are incredibly complex with a mix of IoT devices, electronic health record (EHR) systems, imaging technology, information systems (IS) for various administrative functions, laboratory processes, pharmacies and more, to name just a few. The lack of robust security mechanisms means IoT devices can act as access points for bad actors, who can then move broadly throughout the network. 

Network segmentation ensures hackers won't have this broad, lateral access once the system is breached. This is a critical aspect of cybersecurity in healthcare settings that many healthcare organizations haven't fully tackled. 

A network segmentation strategy groups critical applications and assets within their own security perimeters. Key segmentation prerequisites include asset inventories, data classification, policies and regulations, application dependency mapping, network mapping, existing technology, zone architecture, and shared infrastructure. Each area will be a major component of your greater segmentation plan; discovering and filling gaps will form your roadmap for network segmentation.

Identity and access management (IAM) 

Healthcare organizations often employ thousands of people across dozens of departments. From physicians and nurses to researchers and technicians, administrators, human resources, IT and more, different segments of your employee base need different levels of access to effectively do their jobs. 

Additionally, healthcare delivery organizations rely heavily on contract labor (e.g., travel nurses) to supplement a shortage of providers. These are critical resources, but there must be a plan to quickly turn on and off access to only the data they need.  

This all underscores the need to have a firm grip on identity and access management. Protocols need to be in place to quickly manage credentials for these employees to grant access to only the assets they need and remove access quickly when the employee is no longer working for the organization. 

Using AI to combat emerging threats

AI can enhance data governance when privacy is built in. AI can be used to process vast datasets at high speeds, allowing cybersecurity teams to analyze and extract insights from large volumes of security-related data, including logs, network traffic and system events. 

AI can also use predictive analytics to forecast potential security risks and vulnerabilities. By analyzing historical data and trends, AI can help organizations prioritize security measures to prevent future incidents.

However, it's important to continuously update and fine-tune AI systems, as adversaries are also advancing their tactics to evade detection and response. For now, AI should complement human expertise to create a comprehensive and effective cybersecurity defense strategy.

Team approach 

Security is not just the CISO's job. Security is the responsibility of all employees regardless of type or rank. Healthcare leaders must focus on data governance, balance AI initiatives with security, and develop plans to systematically secure all diverse devices and environments. 

Collaboration across teams is a must. Using frameworks that engage stakeholders across silos and involve end users in the rollout of new tools will create ownership over shared security outcomes. This involves answering the who, what, where, when, why and how at the application layer of every transaction within the organization. This conversation will open the door to teams within the application layer, network, IT infrastructure, clinical workflow, and more, so that everyone can understand their role. 

The importance of rigor in cybersecurity 

The healthcare industry as a whole is constantly evolving, with a focus on developing new treatments and devices, researching novel pharmaceuticals, and coordinating care. The amount of data stored and transmitted will only increase, and bad actors will continue to innovate and capitalize on this continual flood of new information. 

In this environment, it's essential to continue developing and refining programs that can quickly evolve and adapt to the latest threats. 

Continue learning

With finite resources, it's imperative for CISOs to carefully prioritize budget dollars and staff time. WWT's team of security experts identified the outcomes that security leaders across all industries should prioritize to be confident their cybersecurity programs are providing thorough protection. 

By addressing challenges through a lens of opportunity, healthcare can transform security from an afterthought to a user-centric practice delivering on its mission with resilience.