Studies detailing the impact cyberattacks have on healthcare quality are rare. Anecdotally, they lead to delayed surgeries and cancer treatments, impact communication between medical facilities, and degrade the system’s ability to provide care. One cyber-attack was cited in an Alabama lawsuit as the reason a baby died.
In May of last year, the Journal of the American Medical Association shared a peer-reviewed study looking at the impact cyberattacks had on patient care in local but unaffected hospitals. The authors concluded that when hospitals experience cyberattacks, it “may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.”
The study found that people in need of acute care for strokes and other medical emergencies experienced delays in treatment, which may have led to negative patient outcomes. In non-medical terms, that could mean a stroke victim permanently loses their ability to walk, use one’s arms, or chew food.
Of course, it isn’t only quality of care that is impacted by cyber threats. Maintaining HIPAA compliance while using SaaS applications requires careful consideration of every app configuration. The healthcare industry was slow to embrace SaaS applications; patients’ needs for digital access to records coupled with demands to meet interoperability mandates have helped drive SaaS adoption within the medical community.
With the global SaaS healthcare market expected to grow by 19.5% from 2021 to 2028, it’s clear that more medical facilities are turning to SaaS apps to manage their operations. To maintain compliance and protect the quality of care, healthcare organizations need to understand how they can secure SaaS apps that contain protected health information (PHI) and personally identifiable information (PII).
Sprawling Technology in Medical Practices
It wasn’t long ago when the technological footprint in medical offices was rather limited. Doctors saw patients and wrote their notes on paper charts, which were stored in the file room. Office staff then reviewed those notes and added relevant information to their billing software.
That world seems quaint in retrospect. Every healthcare professional has a tablet and creates digital medical records. Telemedicine physicians can see patients from their home over the Internet, increasing the medical community’s reliance on technology.
These changes occurred rather quickly, and the medical profession is still struggling to catch up. From a security perspective, they still have
Being HIPAA Compliant in a HIPAA-Compliant App
Over the past few years, we’ve seen medical practices and hospitals adopt popular CRM tools like Salesforce for billing and invoicing purposes. These files contain PHI like patient names, insurance information, and treatment information, data that are protected by HIPAA.
Salesforce’s core product is not HIPAA compliant. However, there are add-ons and settings that can be configured which allow the medical industry to use Salesforce in this manner.
Microsoft 365, another popular SaaS application, has recently undergone security audits under the ISO 27001 standard and – when configured correctly – is also HIPAA compliant.
The challenge for users of these apps and others like them is the configurations required to ensure HIPAA compliance can easily drift or be changed by someone who doesn’t realize the repercussions of their actions. It’s not always clear to admins that a setting they want to change could impact the organization’s compliance level. These applications must be constantly monitored to ensure that they remain HIPAA-compliant.
Weaving an Effective Identity Fabric
A recent report by the Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) shed light on the significant impact of social engineering attacks on the healthcare industry. The study revealed that 45% of all attacks in the healthcare sector originated from phishing attempts, where employees were manipulated into revealing their login credentials. Such vulnerabilities allowed threat actors to gain unauthorized access.
To mitigate these risks, SaaS applications create a strong identity fabric, with multiple layers of defense against such breaches. For example, many SaaS applications enforce Multi-Factor Authentication (MFA) during login, requiring users to provide a one-time password in addition to their username and password. This added security measure significantly hinders threat actors’ ability to gain unauthorized access. Secondly, numerous organizations require Single Sign-On (SSO) for accessing their applications, adding an extra layer of complexity for potential breaches. There are over 100 security-related configurations in Salesforce and Microsoft 354, each adding additional threads to the security fabric and reinforcing access control measures.
In the past, breaching a SaaS application would grant threat actors extensive control within their permission set. However, the landscape has changed. Leading SaaS security tools have implemented Identity Threat Detection and Response (ITDR), adding another layer of protection to the identity fabric. ITDR enables security teams to receive alerts when threat actors gain access to the SaaS application, even if they use valid credentials.
ITDR focuses on identifying behavioral anomalies within individual users. If a threat actor enters a SaaS application and exhibits suspicious behavior, ITDR will detect these anomalies and promptly alert the security team. This allows the team to take immediate action, such as disabling the user account and initiating an investigation to safeguard the application’s integrity.
In the healthcare industry, role-based access to medical records is a well-established practice. It ensures that individuals without a legitimate need cannot view sensitive patient information. This approach plays a crucial role in bolstering SaaS security. By adhering to the Principle of Least Privilege (POLP), employees are granted access only to the resources essential for their specific roles. This means that if an employee’s credentials are compromised, threat actors will find it impossible to access the PHI data they seek, further safeguarding patient information.
Automate Healthcare App Monitoring
When it comes to defending healthcare applications, SaaS Security Posture Management (SSPM) emerges as a vital tool. This powerful platform conducts round-the-clock automated monitoring of security settings, vigilantly tracking configurations and promptly notifying security personnel of any changes. This proactive approach ensures that if a user inadvertently reduces the application’s security posture, the misconfiguration is swiftly addressed and rectified.
Additionally, SSPMs play a crucial role in monitoring third-party applications that integrate with core SaaS apps. They meticulously track permissions granted to these external applications, promptly raising an alert if these permissions exceed corporate policies or HIPAA standards. By diligently monitoring dormant users, external users, and authorized users, SSPMs ensure that each user’s access aligns with their role and responsibilities, preventing potential harm to the application.
Through the implementation of an SSPM, healthcare organizations can establish robust security measures, safeguarding the sensitive patient data stored within their applications. With continuous monitoring and proactive alerts, these organizations can uphold the integrity and confidentiality of patient information, bolstering overall security and compliance efforts.