Defence in depth for the Healthcare Industry
August 16, 2017

In today’s connected, ‘never-off’ world online threats are fast moving, highly sophisticated, and targeted with precision. As touched on in a recent GDPR blog, healthcare organisations have been increasingly targeted, with many initial, smaller attacks commonly going unnoticed. Understandably this leaves many organisations vulnerable to data breach, costing time, money, patient satisfaction, reputation and potentially valuable resources.

With effective health decisions today based on the understanding that personal health information is secure and protected, cybersecurity is one of the top priorities in healthcare today regardless of where you store clinical data. On-premise, in the cloud, or externally. 

In any security attack, target organizations are only as safe as their weakest link. If any component is not secured, then the entire system is at risk. [1]
 

According to the UK Department for Business, Innovation and Skills, 81% of large corporations and 60% of small businesses in the UK reported a cyber breach in 2014. Without an obvious answer on how to stop these kinds of attacks completely, these security concerns will continue to loom over the potentional for innovation, stifle business and improvement in social welfare services. What is clear is that organisations and their leaders need right technologies and processes and a trusted partner to bridge the gap between innovation and security. 

With this in mind, Microsoft have employed a three-party strategy, systematically incorporating Privacy and Data protection into the development of their products and services, offering a “defence in depth” approach. Block. Contain. Backup.
 

Block Attacks

Exchange Online Advanced Threat Protection (ATP) and Microsoft Active Protection Service (MAPS) raise attacker costs to compromise entry points and prevent breaches.
 

Contain Attackers


Secure Privileged Access (SPA) protects administrative access against determined adversaries, while MAPS and Windows Defender leverage cloud-enabled anti-malware capabilities for real-time analysis and response.
 

Backup in case of Emergency


Microsoft backs up critical data while ensuring backups are inaccessible to attackers.
 

Microsoft, with its unique experience and scale, delivers these services to many of the world’s leading enterprises and government agencies. Today, the Microsoft cloud infrastructure supports over 1 billion customers across our enterprise and consumer services in 140 countries and supports 10 languages and 24 currencies.  Drawing on this history and scale, Microsoft has implemented software development with enhanced security, operational management, and threat mitigation practices, helping it to deliver services that achieve higher levels of security, privacy, and compliance than most customers could achieve on their own. [1]


With its unique experience and global scope, Microsoft delivers these services to many of the world’s leading enterprises and government agencies. Drawing on industry best practices and working relationships with healthcare organisations, Microsoft has identified and reduced threats to data security and privacy across a wide range of clinical devices, operating system, applications, and data. In addition, Microsoft have invested in the increase of security within their technologies and have moved to provide robust, physical, technical and administrative guidance to minimize the impact of malicious software.
 

Physical


Microsoft cloud infrastructure (Azure) has achieved SSAE 16/ISAE 3402 attestation and ISO/ IEC 27001 certification, meeting HIPAA requirements for privacy and security.

As an industry leader for infrastructure-as-a-service and platform-as-a-service, Microsoft Azure is the only major cloud platform ranked by Gartner. The core of Microsoft Azure provides four primary functions on which customers build and manage virtual environments, applications, and associated configurations. With 24-7 tech support, round the clock health monitoring and 99.95% SLA availability you’re guaranteed to be in good hands.

Technical


By using Microsoft’s risk assessment framework, organisations can protect infrastructure and sensitive information against malware, ransomware, breaches, and other cyberattacks. This framework also drives discussions around the concept of Shared Responsibilities.
 

Administrative


Built-in and automated control features that help healthcare meet compliance requirements. Software As A Service (SaaS) offerings like Office 365 include data loss prevention (DLP) controls that empower administrators to enforce company policies about sharing sensitive information.


While regulatory compliance is imperative, it’s vital to note that it’s not the most critical aspect of cybersecurity. As part of an applied effort to deploy a meaningful data protection strategy, healthcare organisations are advised to do more than just tick off compliance boxes and instead implement a “defence in depth” approach, to be precise, a physical, end-to-end enterprise cybersecurity plan with decisive actions.

 
"Defence in depth" measures 

 
  • Keep anti-virus software current. Additionally, don't rely on free versions found online, these are a major risk in themselves.
  • Keep software up-to-date with the latest patches and support.
  • Apply the “least privilege” principle to all systems and services. If individuals don't require access to something make sure they don't have it unnecessarily. 
  • Restrict permissions to install and run unwanted apps.
  • Educate users, patients, affiliates, and others on cybersecurity essentials.
  • Develop a “where used” matrix. Do you know where your data is?
  • Employ a data backup and recovery plan for all critical information.
  • Perform and test regular backups and isolate critical backups from the network.
  • Include recovering from a cyberattack in disaster recovery plans.
  • Use a different communication mode if breached. Hackers may be listening on the current system.
  • Employ an end-to-end data encryption strategy; control your encryption keys.
  • Ensure business associates are working with your security and compliance needs.
  • Employ analytics in your security. This should include behavioral, machine learning, partner information, advanced threat analytics.
  • Work to minimize “Shadow IT,” still a major challenge. By preventing duplications of infrastructure and other environments you reduce the risk of infiltration through a system with less control.
  • Whitelist apps to help prevent malicious software and unapproved programs

 

Ready to implement a “defence in depth” strategy for protecting your Healthcare data? A consultation with our expert teams could help you identify your strengths and weaknesses, an important step in your organisation's digital transformation. Call us today 028 9087 2222 or drop us an email below.


 Security code

 [1] Trusted Cloud: Microsoft Azure Security, Privacy, and Compliance


Return to blog

We're Hiring

Interested and want to know more?Send us an email