Internal and External Forces Mean Healthcare Security Has to Adapt

Posted on by James Christiansen

The complexity of healthcare information security grows daily. Paper records are long gone. With more than 700 security technologies to consider, millions of threat actors to detect and new attack vectors to defend against, simply working harder will not solve the problem.

Healthcare is a prime target for hackers due to the vast amounts of private health information (PHI) and the pure complexity of the system, one that combines healthcare providers, insurance companies, clinics, labs, and many other business associates that handle and analyze PHI data.

There are other concerns as well. Medical devices have embedded software that can be attacked just like any other operating system, which can mean risk of bodily harm to people with devices such as pacemakers. In addition, the operations of a healthcare center are critical to patient care and disruption of services can be costly, both in terms of dollars and potentially human lives.

Considering what’s at stake, how can healthcare organizations be better prepared?

Pivoting from Compliance to Risk

HIPAA and HITECH were written in an earlier age. The velocity of threats is now so high that there isn’t time for older methods of analysis and defense. Yes, healthcare organizations need to be compliant, but if they are to survive, they must go much further to be secure. In 2013, the HIPAA Omnibus Rule changed from “harm” to a “risk” view, paving the way for more effective security. Table stakes for security today go way beyond security regulations.  

What Needs To Be Done?

Healthcare association administrators must understand that quality care involves protecting patient information. By investing in security staff and programs, healthcare admins can increase the value to their patients and protect the systems that are providing patient care. Healthcare CISOs must be enabled to influence operations and assist the management team in making informed decisions regarding healthcare data security. Healthcare entities and business associates need to have three key building blocks for security:  

1. Create a security strategy that aligns the security program with the healthcare culture and goals using the six forces (see below) of a security strategy.

2. Understand the real threats to the healthcare systems and patient data by reviewing the threat landscape that is impacting the safety of patients and their sensitive information.

3. Take a holistic approach to security. Consider the entire landscape of systems and information that need to be protected, and adjust as needed for changing threats and business conditions.

Healthcare security leaders are navigating troubled waters that are littered with the shipwrecks of compromised healthcare organizations. Just as ship captains have to deal with external threats like uncharted reefs, pirates and storms, as well as internal threats, such as old equipment and inadequate training, CISOs protecting healthcare organizations have a variety of internal and external forces that present intricate and complex challenges.

Healthcare information security leaders must completely rethink the way they do business, by transforming from being reactive and infrastructure-focused to proactive, business-aligned security leaders.

Six Forces of a Security Strategy

While it may not be shipwrecks or storms, healthcare organizations face a number of internal and external forces that need to be considered when analyzing a security program.

Internal forces

Business strategy; information technology organization, systems and infrastructure; and organizational culture are three inside forces that are directly related your business. As they change, so must your security strategy.

Internal forces can be actively changed. Therefore, getting everyone – from executives to contractors – to take security seriously is critical to guiding the direction of your organization’s security program.

External forces

Adversaries and threats; government and industry regulations; and global social and political forces are three impactful external forces. Since these are out of your organization’s control, they demand a high level of awareness. Ignoring shifting laws and regulations or not being up-to-date on the latest threats will doom a security program.

While internal and external forces shift constantly, being aware of each goes a long way to crafting a sound security program.


Healthcare security is complex and growing in importance every day for the safety and welfare of our citizens. Build a cost-effective security program by focusing on the real risks to the organization and aligning the strategy to the company culture. Keep your security strategy relevant to the organization by understanding the internal and external forces that cause changes.

To survive this era of ransomware and threats that will follow we haven’t even seen yet, organizations must conduct risk and threat assessments by experts familiar with today’s threats. They also must act quickly to remediate the IT infrastructure, as well as adjust the business processes, engage with the employees, and align to the business culture.

James Christiansen

VP CSO, Cloud Security Transformation, Netskope

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community