Security Health Check: Hot Topics to Expect at HIMSS 2023

The Healthcare Information and Management Systems Society (HIMSS) Global Health Conference and Exhibition is approaching on April 17, 2023. The event, which will take place in Las Vegas, is one of the largest health IT conferences in the world, bringing together professionals from across the healthcare industry to discuss the latest innovations and trends in healthcare technology. The conference will feature keynote speeches, educational sessions, and an exhibition hall showcasing the latest products and services from leading healthcare technology vendors. This year's event will focus on several key themes, including cybersecurity and data privacy. We heard from security experts from organizations attending HIMSS on what the industry should expect at the event.

Will LaSala, Field CTO, OneSpan

“During the pandemic, we know healthcare organizations were forced to quickly digitize, ramping up technological capabilities to meet the needs of patients — namely through virtual appointments and other telehealth offerings. However, in most cases, security was severely neglected - not for convenience, but to continue essential services as the world shut down. In 2023, convenience is now a patient demand, hackers understand how to take advantage of such virtual practices, and the industry has yet to widely implement the security measures needed to combat these growing threats. As a result, we’ve seen massive increases in data breaches coming from all areas of healthcare on a global scale — most notably, Australia’s largest health insurance provider, Medibank, suffered a data breach that compromised almost all of its four million customers. There has also been an increase in phishing, social engineering, and ransomware attacks that we expect will continue into the new year.

Looking ahead, there is a balance that must be struck between patient demands, privacy and lack of human interaction. Security should be considered a must have and should be interwoven into all the choices application providers are making. Data breaches from a variety of application providers mean threat actors can gain access to a wealth of knowledge and valuable personal identifiable information (PII). Furthermore, threat actors can now see things like patient trends, patterns and the way patients interact in social settings — not just the obvious PII, like names and birthdates - meaning threat actors can now create almost impossible to identify synthetic identities. Without the correct technology to detect these fakes, these synthetic identities will severely disrupt people's lives and the way we do business. The response to all of this is the increased level of security that must be adopted into the fabric of all our transactions and agreements.”

Steve Gwizdala, Vice President Healthcare, ForgeRock

“Healthcare continues to be the industry most impacted by data breaches. In 2021, healthcare-related data breaches made up 24% of overall cybersecurity incidents, the largest across all industries. It should come as no surprise that as healthcare breaches rise, so has the average cost to mitigate them.

Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online in 2023 and beyond. The traditional password and username approach is no longer enough to properly protect such valuable information. Implementing multi-factor authentication (MFA), passwordless authentication, and zero-trust architecture ensures users experience a high level of security while mitigating risk and reducing opportunities for malicious actors to capture patient medical records.

The demand for security and flexibility is extremely high within the healthcare industry as members and patients navigate different insurance providers, medical providers and specialists, while also taking a hybrid approach to in-person and virtual medical appointments. As competition in the medical industry continues to increase for attracting patients and members, the medical industry must transition to deliver a more retail-like experience yet without jeopardizing security. Creating an improved patient experience while never losing sight of protection is no longer a nice to have, it is a need to have.”

Chad Peterson, Managing Director, NetSPI

“As ransomware attacks against the healthcare sector rise, it’s critical that organizations ensure they are remaining compliant with HIPAA. Last year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) filed 22 HIPAA resolution agreements totaling over $1.12 million in settlement fines. A key issue is that HIPAA provides little guidance around the best practices to achieve compliance – leaving holes in healthcare organizations’ security strategies. An often overlooked solution to this ongoing issue is penetration testing, which addresses the need to map, understand, and close gaps in an organization’s attack surface that could expose electronic protected health information (ePHI). Looking forward, healthcare security and IT teams must take a proactive mindset to HIPAA compliance. Organizations that implement comprehensive pentesting programs into their security programs will achieve better compliance and build resilience in the current threat landscape.”

Ryan Farris, VP of Products, Qumulo

“Many healthcare customers have voiced that storage efficiency is a big cause for concern. Without built-in analytics tools, medical centers do not have insight into poor small file efficiency and high operational overhead that may impact a doctor's ability to quickly serve the patient. What they need is a cost effective way to simplify workflows to provide the best possible patient services, while ensuring data safety.

Hospitals have a lot of extra securities around patient data and they need to process data through cloud-based monitoring in a flexible and efficient manner. Qumulo offers a cloud native managed storage solution that elegantly solves for business continuity and disaster recovery use cases, with built-in rich file analytics. When working with data of this volume, medical centers must be able to use the cloud swiftly, without the significant capital expenses of on-premises deployments. Efficiency and integrity is the key to ensuring the best possible patient services.”

Adam Rusho, Field CTO at Clumio

“Cloud solutions such as AWS have enabled healthcare organizations to decrease costs, improve operational and clinical efficiencies, and ultimately enhance overall patient care. Unfortunately, healthcare companies that have migrated to the cloud have found that the same data protection strategies they used for on-premises data don’t offer the complete protection needed, or the simplicity desired, especially when it comes to modern services like Amazon S3. Despite needing to comply with standards set by protective laws such as HIPAA and HITECH, critically important data can disappear in an instant due not only to cyberattacks, but more mundane threats like accidental deletions or data corruption. However data is affected, operational and informational disruptions are uniquely problematic for healthcare companies, because the inability to access health records can put patients at risk. Even when patient records are not directly involved, capacity planning, drug development, and important research can be derailed by data loss.

Applying strict data governance standards that keep data lakes backed up, air-gapped, immutable, and encrypted ensures that healthcare networks can secure private information on the cloud. It is also imperative for the protection and recovery to be radically simple. As the volume of data grows and spreads across multiple cloud services, snapshot-based backups or DIY tooling like versioning can get complex and expensive, and are not HIPAA-compliant. By simplifying data protection at scale, companies can define protection and recovery policies for particular data sets, optimizing cloud costs and keeping in compliance.”


