Home Systems CrowdStrike and Medigate by Claroty Publish Joint Research: Healthcare IoT Security Operations Maturity

CrowdStrike and Medigate by Claroty Publish Joint Research: Healthcare IoT Security Operations Maturity


CrowdStrike and Medigate have announced the publication of a joint piece of research that advocates a more simplified approach to securing the Internet of Health Things (IoHT).

The research is entitled, “Healthcare IoT Security Operations Maturity, A Rationalized Approach to a New Normal.”  It promotes the idea that health systems should focus on improving essential “blocking and tackling” asset management and security skills before contemplating investments in more advanced, layered defense capabilities.

The paper highlights a governing philosophy that says an intimate understanding of connected assets is required before threat processing can be effective.

It delivers an advanced definition of “visibility,” how Medigate and CrowdStrike have combined forces to deliver it, and why such new-found visibility must be effectively orchestrated to unify modern detection and threat prevention capabilities.

Given the recent spate of healthcare-related intrusions in the region, this research is very timely. For example, the attack on SingHealth’s specialist outpatient clinics in 2018 resulted in the breach of 1.5 million patient health records, the largest in Singapore’s history.

In August 2021, Eye & Retina Surgeons (ERS), a specialist medical clinic in Singapore, was the target of a ransomware attack, affecting the data of over 73,000 patients.

For the first time, the report by Medigate and CrowdStrike presents for educational purposes specific data reflecting how their shared health system clients are managing widespread vulnerabilities, including missed opportunities to remediate many of them.

The facts provided identify immediate steps that health systems can take to quickly improve their respective cybersecurity postures.

As background, current cyberthreats to healthcare with an emphasis on the significant increase in ransomware attacks is detailed, as is a position on the “to pay or not to pay” policy debate that is now top of mind with public officials and hospital leadership.

Emerging Security Risk Assessment (SRA) perspectives are discussed in this context, including their relationships to the current transformation taking place in healthcare cyber insurance underwriting and credit scoring.

And notably, the paper reveals how no standard exists that hospitals are using to calculate attack restoration costs. In comparison, the average organisational cost of a data breach in ASEAN is US$2.62 million, with 96 percent of Singaporean businesses reported suffering a data breach between September 2018 and September 2019.

Perhaps most importantly, the paper discusses the need for professional convergence as a means for health systems to address long-standing shortages in IT and technology management staffing.

It discusses how technology can be used as a lynchpin for upskilling and how properly sequenced investments in automation can deliver solutions that are greater than the sum of their respective roles and parts.

The common reference foundation promoted in the paper is argued as essential, not only as a way to harden existing healthcare security infrastructures, but as a means to ensure the performance of future investments in layered defense capabilities.

And finally, because an integrated approach to security and asset management is described as a silo-busting affair that creates operational leverage, this paper ends by explaining how Medigate and Crowdstrike are jointly and separately translating that leverage into business value.

Both companies share details explaining how returns on security investments can now be effectively measured.

The views expressed are solely of the author and do not necessarily reflect those of ESPC Media.

Related Articles

1 comment

DPaaS Wednesday, April 13, 2022 - 12:24:09 pm

Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.

It’s a real opportunity to show that you set high standards for privacy and lead by example to promote a positive attitude to data protection across your organisation.

Accountability enables you to minimise the risks of what you do with personal data by putting in place appropriate and effective policies, procedures and measures. These must be proportionate to the risks, which can vary depending on the amount of data being handled or transferred, its sensitivity and the technology you use.

Regulators, business partners and individuals need to see that you are managing personal data risks if you want to secure their trust and confidence. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow.

The framework is an opportunity for you to assess your organisation’s accountability. Depending on your circumstances, you may use it in different ways. For example, you may want to:

create a comprehensive privacy management programme;
check your existing practices against the ICO’s expectations;
consider whether you could improve existing practices, perhaps in specific areas;
understand ways to demonstrate compliance;
record, track and report on progress; or
increase senior management engagement and privacy awareness across your organisation.

The framework is divided into 10 categories, for example ‘Leadership and oversight’. Selecting a category will display our key expectations and a bullet-pointed list of ways you can meet our expectations. These are the most likely ways to meet our expectations, but they are not exhaustive. You may meet our expectations in slightly different or unique ways.

You can demonstrate the ways you are meeting our expectations with documentation, but accountability is also about what you actually do in practice so you should also review how effective the measures are.

Accountability is not about ticking boxes. While there are some accountability measures that you must take, such as conducting a data protection impact assessment for high-risk processing, there isn’t a ‘one size fits all’ approach.

You will need to consider your organisation and what you are doing with personal data in order to manage personal data risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures in place should be.

Comments are closed.

We use cookies to improve user experience, and analyze website traffic. For these reasons, we may share your site usage data with our analytics partners. By clicking “Accept Cookies,” you consent to store on your device all the technologies described in our Cookie Policy. Accept Read More

ESPC on the go