The Future of Healthcare Cybersecurity: The Best Defense is a Good Offense

Andrew Hicks, Managing Principal, Coalfire

In the last five years, with the increasing digitalization of health information, healthcare security breaches have increased four-fold, and the industry experienced more breaches than any other in 2013. With a large number of potential targets and the high value of personal medical information on the black market, healthcare organizations will continue to become more appealing targets.

Data security in this particular sector lags behind other industries, and we’ve already seen how compliance alone didn’t keep electronic protected health information (ePHI) secure at Anthem. So how should healthcare organizations move forward and reduce the probability of a breach?

Get Proactive

Often, by the time security issues land on many organizations’ radar, it’s too late. In the healthcare sector especially, organizations need to take a proactive and pre-emptive approach to ePHI security. This strategy of safeguarding both the organization itself and patient data, including tactics like vulnerability scanning, penetration testing and social engineering assessments, should be considered mandatory rather than merely best practice. A major breach could have drastic implications for a healthcare organization, and therefore every effort should be made ahead of time to prevent disaster.

A Quick Fix is Not a Fix

While there are many fast and inexpensive security technology solutions available to organizations of all sizes, throwing hardware and software at the problem is no longer a viable option. There’s no “set and forget” solution (and no “one and done” assessment) that can provide the comprehensive and thorough risk management program needed to properly secure data. As cybercriminals become increasingly sophisticated, so too must our methods of protection.

There is enormous pressure to increase security maturity in healthcare. To acquire a mature security posture, organizations must understand security and risk budgeting and learn how to gain support from the executive and board level for the investment needed to protect data. By investing in proper analysis of existing security protocols now, organizations will save money in the long run: identifying gaps early lets them prioritize future spending.

HIPAA & HITRUST – Future Annual Requirements?

Moving forward, the industry needs to push for more government-mandated security guidelines that include required annual HIPAA and HITRUST assessments.

The HIPAA Privacy and Security Rules comprise three types of safeguards: administrative, physical and technical. They provide basic compliance guidelines, but experts will often recommend a HIPAA assessment in tandem with HITRUST certification, which can provide an actionable roadmap to securing ePHI.

HITRUST (the Health Information Trust Alliance) is an organization developed by healthcare and IT professionals to help healthcare organizations protect patient information more extensively than a HIPAA assessment alone. While HIPAA is currently the federal mandate, HITRUST approaches security in a more holistic manner while simplifying the process. HIPAA regulations are now nearly 20 years old and can be difficult to interpret. Sole reliance on HIPAA guidelines can leave gaps in security protocols, even when all recommendations have been met.

If government mandates were to shift towards HITRUST standards, the healthcare industry as a whole could benefit from a compulsory, uniform methodology across the board that enables organizations of all sizes to become certified. In this way, the industry can focus more on patient care and less on the fear of an impending data breach.
