No industry represents a more tempting target for cyber attackers than healthcare. Providers — from small clinics to large medical centers — hold a treasure trove of valuable and sensitive data, including patient records, financial information and intellectual property. What’s more, due to the critical nature of medicine, they’re ideal targets for ransomware.
Healthcare companies in the U.S. endured 542 breaches in 2023, according to the U.S. Department of Health and Human Services. These attacks impacted more than 112 million people. Meanwhile, ransom demands have hit the tens of millions of dollars, shut down essential procedures and caused a handful of deaths.
“In many cases, healthcare providers severely underestimate the security they require,” said Michael McWilliams, vice president of healthcare sales at Meriplex, a firm that specializes in managed IT and cybersecurity solutions. “Most do not have the necessary budget and many simply aren’t equipped to handle security in-house. They lack the necessary expertise.”
Ben Masino
As a result, healthcare firms are increasingly turning to outside providers for cybersecurity.
“There are significant opportunities for MSPs and MSSPs that specialize in this space,” said Ben Masino, chief revenue officer at Avertium, a managed security services provider (MSSP) specializing in healthcare.
Getting to Zero Trust
A starting point for MSPs and MSSPs looking to boost their healthcare security portfolio is to understand the pain points for healthcare providers. While some large companies have dedicated security teams, many companies — particularly regional and community clinics — depend on internal IT teams to address cybersecurity.
These healthcare companies often find themselves in over their heads, said Masino. “They cannot keep up with the level of threats and the sophistication of attacks that now take place. They do not have the resources or the bandwidth to map out an effective strategy and deploy essential security.”
Ideally, an MSP or MSSP can help these companies evolve beyond a bandage approach that merely heaps more security tools atop an already complex stack by serving as a long-term trusted adviser and spending time devising an effective defense framework.
“It’s possible to build in automation and get to more holistic and effective protection in a cost-effective way,” McWilliams said.
Meriplex, for example, conducts a detailed cybersecurity risk assessment and then uses a layered approach built around a core group of security solutions, including 24/7 monitoring and response. It adds other protections on top of the core, depending on a client’s needs.
Meanwhile, Avertium has a three-step process that revolves around assessment, design, and protection. Advisers map out a multiyear strategy using Microsoft Sentinel technology. Deeper knowledge and a more focused approach centering on a single technology vendor translate into more consistent and effective solutions, Masino said.
Michael McWilliams
“An important objective is to simplify a company’s security footprint,” Masino pointed out. Communicating this fact is critical when an MSP or MSSP is looking to sell itself to healthcare companies. “When you reduce technology vendors, tools and technologies and work with a single cybersecurity provider, costs typically go down and protection improves,” he added.
Rx for Success
By breaking down silos and integrating functions such as identity, access controls, network security, application security, and phishing and malware protection, an organization closes gaps and gets closer to a Zero Trust model.
When education and training are added to the mix, risks markedly decline.
“The goal is to focus on the benefits of a partnership—and how you can help put out fires, reduce risk and help the organization solve its specific cybersecurity challenges,” Masino explained. “It can’t be a focus solely on the widgets and technology. It must be a more expansive view of the organization and how a trusted advisor can help.”
Added McWilliams: “It’s important to emphasize the importance of a coordinated approach to cybersecurity, including assembling the right technologies, educating employees to spot phishing attempts, and using [penetration] testing to find weaknesses.
“It’s important to emphasize that while you can’t outsource risk, you can greatly reduce it with the right partner and cybersecurity framework.”
Image: iStock
