How Healthcare Organizations Can Better Secure Their Digital Transformation

The following is a guest article by Robert Arandjelovic, Senior Director of Global Solutions Strategy at Netskope

Led by the cloud and artificial intelligence (AI), digital transformation is revolutionizing healthcare: patients schedule appointments, complete pre-check-ins, and view lab results instantly via online portals. Doctors deploy AI to help them interpret X-rays and automate routine tasks. Hospital administrators rely on predictive analytics to plan for staffing and bed-space allocation. Nurses monitor data from wearable sensors and other smart/Internet of Things (IoT) devices to track vital signs in critical care units.

While the cloud has existed for decades, it’s still poised for additional industry growth. Four of five healthcare organizations are leveraging a public cloud provider, and they consider the acceleration of cloud migrations as a top priority for the next 12 to 24 months.

AI remains a relative newcomer in terms of widespread adoption, yet healthcare organizations are rapidly buying in: nearly nine in ten are integrating cloud-based generative AI (genAI) into their operations, and 98 percent use apps that incorporate genAI features.

Clearly, these adoption trends make life easier for both providers and patients, boosting efficiency and greatly enhancing the efficacy of medical diagnostics and treatment, among other benefits. But, as is often the case, progress comes at a cost. Digital transformation frequently occurs at an uneven pace, so that the adoption of transformative technologies like SaaS or mobility outpaces the security controls needed to manage the resulting risk.

Cybercriminals know that this misalignment leads to potential security gaps and view these innovations as new opportunities to compromise networks and systems, steal information, and launch ransomware attacks. In fact, cybercriminals target healthcare more than any other critical infrastructure industry, with nearly 450 incidents a year.

Alongside becoming vulnerable to cyberattacks, data security presents considerable challenges for organizations pursuing digital transformation. AI tools use data for training and ingest a significant amount in the form of prompts. Without proper security guardrails, this data is more likely to end up somewhere it shouldn’t and in the wrong hands. In addition, compliance issues can easily come into play when sensitive patient information is put into an AI tool.

This leads to legitimate concerns about patient privacy, data protection, data integrity, and accuracy issues affecting the deployment of AI in clinical decision-making. The uploading of patient information to cloud-storage services and/or the adoption of AI tools without robust safeguards will inevitably put data at risk while eroding patient trust.

Beyond internal data security practices, healthcare organizations must also assess how their data is protected within broader third-party ecosystems. Healthcare organizations share access and data with numerous third parties, yet fifty-six percent of them reported a breach involving a third party in the last 12 months. It is likely that if a partner is compromised, your organization’s data is as well.

In response to all these risks posed by cyber criminals, data sharing, and broader partner ecosystems, healthcare chief information security officers (CISOs) and their teams must rethink defense strategies as a whole. With digital transformation in full swing, a complete end-to-end data protection strategy – where all healthcare data is known and risk is contained – is especially important.

Three Essential Steps for Cyber Resilience

To transition to the next stages of the digital transformation with optimal cyber resilience in place, healthcare organizations should establish policies and practices that incorporate the following steps:

Implement Stronger Frameworks

Traditional security strategies no longer suffice in today’s highly connected and intricate digital universe. Instead, CISOs and their teams should consider more advanced and proven models based upon modern security frameworks such as security service edge (SSE). SSE delivers security directly from the cloud and acts as the central point through which users connect, giving them a safer, faster, and more reliable path to any app or website.

Because SSE is geographically distributed via the cloud, it readily supports multiple hospitals in a network without needing extensive infrastructure redesign. It can also help examine AI tools – as well as inputs and outputs – to determine whether they meet required governance policies for sharing or processing sensitive data.

SSE is an indispensable component of the modern secure access service edge (SASE) platform. SASE brings critical network capabilities like SD-WAN together with SSE security capabilities into a unified, cloud-based architecture. With this, healthcare organizations see and respond to an entire range of possible risks through a single lens, combining capabilities like access control, data protection, and threat prevention.

Enforce Zero Trust

Zero trust plays an essential role in modern security frameworks. It continuously applies “never trust, always verify” principles, scrutinizing context signals and making access decisions based upon user identity, behaviors, device location, data sensitivity, and risk factors.

At the heart of zero trust are “least privilege” controls, supported by continuous verification, which limit doctors, nurses, additional personnel, and vendors/contractors to strictly the access required to do their jobs – and nothing more. This is especially important in environments like healthcare, where the sensitivity of the data is so high. Implementing zero trust becomes even more critical because, without the right controls, that data can end up in the data lakes of third-party genAI tools, and AI agents can represent new access risks as their adoption in healthcare rises.
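To make the two ideas above concrete, the following is an added example (not code from the article, from Netskope, or from any product) of a small policy engine that evaluates each request with the context signals the article lists and enforces least privilege. The roles, entitlement matrix, sanctioned-app list, risk-score scale and PHI patterns are all constructed for illustration; a real deployment would take these from the organization’s identity provider, device-posture service and data-classification policy. The engine also shows the data-flow governance point from the SSE section: a prompt bound for an unsanctioned genAI app is inspected and has PHI-shaped values redacted before it leaves.

```python
import re
from dataclasses import dataclass, field

# Constructed least-privilege matrix: which data classes each role may touch.
# Roles and classes are illustrative, not from any real hospital policy.
ROLE_ENTITLEMENTS = {
    "physician": {"phi", "lab_results", "scheduling"},
    "nurse": {"phi", "scheduling"},
    "scheduler": {"scheduling"},
    "contractor": set(),
}

# Constructed app inventory: destinations sanctioned to receive PHI.
# Anything else (e.g. a public genAI assistant) is unsanctioned for PHI.
SANCTIONED_FOR_PHI = {"ehr-portal", "lab-system"}

# Constructed risk threshold on a 0 (clean) to 100 (highly risky) scale.
RISK_DENY_THRESHOLD = 70

# Constructed PHI detectors: a US-SSN-shaped number and a toy MRN format
# "MRN-" followed by seven digits. Real DLP uses far richer classifiers.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}


@dataclass
class AccessRequest:
    user: str
    role: str
    data_class: str      # what the user says they are accessing
    destination: str     # the app or service the data flows to
    device_managed: bool
    mfa_verified: bool
    risk_score: int
    payload: str = ""    # e.g. a prompt sent to a genAI app


@dataclass
class Decision:
    action: str                       # "allow", "deny" or "allow_redacted"
    reasons: list = field(default_factory=list)
    payload: str = ""                 # what is actually forwarded


def find_phi(text):
    """Return the set of PHI pattern names present in text."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def redact_phi(text):
    """Replace every PHI match with a labelled placeholder."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[{name.upper()} REDACTED]", text)
    return text


def evaluate(req):
    """Apply least privilege first, then continuous-verification signals,
    then data-flow governance. Every denial carries an auditable reason."""
    # 1. Least privilege: the role must be entitled to the data class at all.
    if req.data_class not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return Decision("deny", [f"role '{req.role}' not entitled to '{req.data_class}'"])
    # 2. Never trust, always verify: session, device posture and risk.
    if not req.mfa_verified:
        return Decision("deny", ["MFA not verified for this session"])
    if req.data_class == "phi" and not req.device_managed:
        return Decision("deny", ["PHI access requires a managed device"])
    if req.risk_score >= RISK_DENY_THRESHOLD:
        return Decision("deny", [f"risk score {req.risk_score} at or above {RISK_DENY_THRESHOLD}"])
    # 3. Data-flow governance: declared PHI may only go to sanctioned apps.
    if req.data_class == "phi" and req.destination not in SANCTIONED_FOR_PHI:
        return Decision("deny", [f"'{req.destination}' is not sanctioned for PHI"])
    # 4. Content inspection: PHI pasted into a benign-looking request bound
    #    for an unsanctioned app is stripped rather than silently leaked.
    found = find_phi(req.payload)
    if found and req.destination not in SANCTIONED_FOR_PHI:
        return Decision("allow_redacted",
                        [f"redacted {sorted(found)} before reaching '{req.destination}'"],
                        redact_phi(req.payload))
    return Decision("allow", ["all checks passed"], req.payload)


if __name__ == "__main__":
    # Constructed request: a nurse pastes identifiers into a genAI prompt.
    req = AccessRequest("nurse01", "nurse", "scheduling", "genai-assistant",
                        device_managed=True, mfa_verified=True, risk_score=5,
                        payload="Summarize: patient MRN-1234567, SSN 123-45-6789")
    d = evaluate(req)
    print(d.action, d.reasons, d.payload)
```

The ordering matters: entitlement is checked before any context signal, so an unentitled role is denied even from a pristine managed device, and the content check runs last so a request that is otherwise legitimate still cannot carry raw identifiers into an app the organization has not sanctioned for PHI.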

Improve Oversight of Regulatory Requirements

Modern security solutions bring unified controls and centralized reporting to directly support compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA), and the current versions of Europe’s Network and Information Security Directive (NIS2) and Cyber Resilience Act (CRA).

Digital transformation remains a journey—one that probably will never reach a final destination. As older innovations evolve to maturity stages, new ones emerge. So think of securing the transformation in the same way, to continuously adapt cyber defense strategies as technologies and cyber adversaries’ tactics shift.

Regardless of the changes, the ultimate goal remains the same: Achieving optimal resilience to keep networks, systems, and third-party supply chains up and running, no matter what attacks are out there targeting healthcare organizations. By implementing strong frameworks designed for today’s threats, enforcing zero trust, and centralizing compliance tools and processes, industry leaders can significantly limit the potential for a cyber strike to result in the disruption of patient care or the compromise of private medical records.
