Under the best of circumstances, information security in healthcare is challenging. With HIPAA requirements guiding an organization’s operational policies and architectural designs, safeguarding protected health information (PHI) is a perpetual priority.
These are not the best of circumstances. With fallout from the COVID-19 pandemic stretching resources thin and scattering workforces into various work-from-home and remote-work scenarios, concerns about security are at unprecedented levels. Securing systems — and, more importantly, patient health information — is difficult enough when you’re operating inside the walls of your organization. Now that security perimeters have extended well beyond direct organizational control, complexity and risk have increased exponentially.
In addition, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), three highly reputable organizations, coauthored a November advisory warning of an increased risk of imminent ransomware attacks on healthcare entities. This is yet another bad circumstance that amplifies the daunting task of securing your patients’ health data.
Over the last few months, I have met with healthcare executives around the world to better understand their challenges and the strategies being developed to handle the current and future state of work. While these conversations have spanned many topics, security was a priority, and my findings are the focus of this blog post.
It Takes a Village
While this is an old adage that can be applied to many situations, it has special meaning in the context of security because that village consists of many different practitioners and disciplines, both internal and external. Each discipline comprises a separate but important layer of protection and must operate in a Shared Responsibility model to be most effective.
As in most villages, overall success depends on diverse disciplines working together: identify, protect, detect, respond, and recover. Tools such as the NIST Cybersecurity Framework deliver insights into the architectural aspects of a solid security program.
Security as a Village
When thinking about security, I combine the core building blocks into three groups: people, processes, and technology. My conversations with healthcare leaders have constantly reinforced this approach.
Undoubtedly, you have built documented processes to guide your workforce through the various policies applicable to security and privacy within your organization. Presumably, you have spent time educating your workforce on proper technology use and security awareness in the context of those policies.
These “village rules” provide a solid foundation, but like most rules, they tend to be broken or ignored from time to time (be it intentionally or inadvertently). With the rapid, unplanned expansion of work-from-home scenarios, many villages are finding that the tried-and-true processes that have long been a staple of culture are no longer sufficient to handle the expansion over the horizon.
Cloud sprawl, SaaS solutions, and remote access — as well as a host of other services — have already expanded threat vectors in healthcare in many ways we would have never imagined less than a decade ago. When this magnitude of change occurs, whether it’s the people, the processes, or an unforeseen shift in the workforce culture, ultimately it’s the technology layer that organizations rely upon to provide the last line of defense.
Rethinking Delivery of Security
With all the changes in how we work, the locations from which we work, and the devices we use to get work done, many organizations are rethinking the way security must be delivered. Zero trust strategies are at the forefront of these conversations and are a departure from the old perimeter-focused, castle/moat designs. Zero trust concepts can be adapted to and implemented with various technologies to give you a significant advantage in securing your organization in our ever-changing times.
Starting from the end user perspective is key. What does my user need to do? What access do these users need to have, especially to sensitive data? What device features are required for these tasks? What do I need the end user experience to look like to be optimally productive and secure? While device diversity (thin client, full client, laptop, desktop, tablet, mobile) needs to be considered, so do the ways you deploy solutions to those users and their devices.
Virtualization and container-based solutions offer added flexibility and enhanced features, such as sandboxing, for improved security controls. This is especially valuable when virtualizing and containerizing browsers (along with cloud-delivered security services for secure internet access) to reduce the browser attack surface and thwart ransomware.
Multifactor authentication (MFA) adds another layer of security to user, device, and resource authentication, authorization, and access. With the advancements in this space, you are no longer locked into just token-based and/or push notification-based solutions. MFA needs to be enforced not only for all access to sensitive data, but also for privileged users, including system and network administrators.
If you have not done so already, this is also a great opportunity to layer analytics into your security program. Real-time insights into user access and user behavior can not only deliver an understanding of what is going on in your environments, but also feed directly into automated processes that expedite threat mitigation responses, as defined by your security team.
Let’s take a closer look at some of the concepts and technologies I’ve covered in this blog post:
Zero Trust
At its most basic level, zero trust is a security model dictating that all trust must be earned. Trust is never assumed and never an afterthought. Trust is carefully instantiated, measured, and verified to be commensurate with risk. After an organization has implemented a zero trust framework, every action and decision must be continuously aware of the situation and appropriate to the risk in its context.
This validation continues throughout the entire user session — internal or external — and pulls data from credentials to device to behavior. Because this security model is constantly monitoring for anomalies across a broad spectrum, real-time insights can be gleaned and proper security measures can be deployed rapidly. Learn about zero trust the Citrix way and how partners like Guardicore can help.
Virtualization/containerization
Virtualization and/or containerization offer expanded security controls that enable organizations to isolate environments (desktop, server, network, database) for their intended use. The flexibility of these solutions delivers many options to security teams for fortification of systems across your resource locations, whether on premises, hosted, or cloud-based. Learn about app protection for SaaS and internal web apps and about zero trust security and Citrix Workspace.
Multifactor authentication (MFA)
While MFA has been around for some time, development continues in this mainstay of security programs across the globe. Beyond standard token and push notification solutions, biometric and even passwordless scenarios are becoming more common. Many security measures detract from the user experience, especially if they are too tedious for the user. This can lead to workarounds. Newer developments in these technologies aim to improve user experience and deliver improved security compliance. Learn why passwordless MFA is a natural for securing digital workspaces.
Secure Internet Access
With the proliferation of SaaS solutions within healthcare, more key operations are being consumed via the internet than ever before. The browser, a primary threat vector for your organization, has become business critical. Browsers are used not only to access these key solutions, but also for personal use and in a myriad of other business-related workflows. With the expansion of work from home and BYOD initiatives, the browser has become a gateway to your users, systems, and data. Securing this pathway into your organization has always been important, but with all the changes to how we work, the complexity has only increased. Learn about Citrix Secure Workspace Access and how security starts with secure internet browsing.
Learn More
While it may seem as though securing your environments has become more complex with the COVID-19 pandemic, rest assured this can all fold seamlessly into your current Citrix infrastructure. Learn more about Citrix security solutions and how we support healthcare. Want a more detailed conversation on how to enable and deploy some of the inherent security features in your current Citrix portfolio? Contact your Citrix account representative.