Key webinar takeaways: Cybersecurity game plan for digital health
Éanna Motherway
July 10, 2023
The digital health space is booming. Mobile apps, telemedicine platforms, and monitoring devices are transforming how healthcare is delivered and experienced.

Yet healthcare has long been among the most vulnerable, sensitive, and costly sectors when it comes to data breaches and cybercrime. Subject to near-endless regulatory and compliance requirements, and driven by customer expectations on data integrity and privacy, the digital health space can be tough to navigate for businesses.
Nord Security recently hosted a webinar “Cybersecurity game plan for digital health organizations”, featuring industry experts, Beth Cartier, Head of Information Security and Compliance at Maven Clinic, and Rob Picard, Security Lead at Vanta, moderated by Gerald Kasulis, VP of Business & Channel Operations North America at Nord Security, on how to better protect sensitive data, comply with regulations, and build reliable products.
Watch the recording in full now or keep reading to find out some of the key insights we took from the webinar.
Navigating Compliance
Know your data
Step one to navigating compliance, for Beth Cartier, is relatively straightforward: “Understand your data. What kind of data you have, where it’s stored, and where it’s going. Verify it’s encrypted.”
Identifying and documenting data types, creating a data map to track the flow of data, and classifying data based on sensitivity are stepping stones to a robust setup. But as Rob points out, this is true for any business that maintains data. Where things get health-specific is when privacy and compliance are considered.
Rob cites classification as an example, but mentions that this is an area that still lacks granularity in regulatory systems.
As Beth says, “do the same set of regulations that apply to a hospital apply to a wellness app? When PHI (Protected Health Information) is the one bucket we have, I don’t think we’re nuanced enough.” Rob illustrates further, saying that when DNA genome data is legally classified under the same umbrella as a daily step count, more granularity is needed in the system.
Compliance landscape
Businesses should consistently assess their compliance status and landscape to ensure their legal standing.
In the United States, digital health companies need to carefully consider the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy and security of protected health information held by healthcare providers, health plans, and related organizations, and ensures that this sensitive information is handled safely and kept private.
In the EU, companies must function in accordance with the General Data Protection Regulation (GDPR). According to the regulation, processes that foster innovation and better quality healthcare, including mobile or digital health, need robust data protection safeguards in order to maintain the trust and confidence of individuals.
Compliance ≠ Security
“Compliance requirements are not built for the digital world.” This is the reality that digital health companies will have to confront, according to both webinar speakers.
Beth states: “Security and compliance are not the same thing, but they are necessary to operate in this space.” She recommends using compliance as a foundation towards security, but understanding that it’s not enough in and of itself.
Rob agrees that there is often an inherent mismatch between regulatory requirements and security requirements, which can rear its head during audits.
How to communicate with your auditors
When it comes to audits, Rob feels it’s all down to good old-fashioned human communication. The audit industry tends to lean towards traditional and slow-moving approaches, which means conversations “really come down to explaining the difference, that this thing needs these requirements, even though you may not have heard of it before.”
Rob finds regulation is not always aligned to what security looks like.
So how can we turn our knowledge of compliance and data into actionable cybersecurity measures? The speakers agreed that the NIST Cybersecurity Framework is a useful way to get the ball rolling.
Laying the foundations with NIST CSF
HIPAA and GDPR demand that digital health companies have security programs in place. Both Rob and Beth recommended the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for companies who are getting security initiatives underway. A set of “standards, guidelines, and best practices designed to manage cybersecurity risk”, the NIST CSF has become, according to Beth, the “go-to framework” for many businesses worldwide.
Cover your base
Evaluating your organization's current cybersecurity practices and identifying areas for improvement is a logical first step. Digital health companies are advised to set clear objectives based on their compliance context and focus on priority areas for improvement.
Rob mentions that “you can do a lot of this yourself. Number one is making sure you’re compliant with the law. Number two is making sure you have some security measures in place. Use an antivirus of some kind, use a password manager, cover your base.”
Beth states: “NIST CSF is more and more important, and supports HIPAA compliance. It’s very helpful for spotting the major foundational, ‘bedrock’ items to do, like access controls.” Ultimately, both speakers see the framework as “a blueprint to align yourself with.” As Rob says: “With the NIST CSF, you have a framework for asking yourself, have I considered all the things that I probably should consider?”
Threat Modeling
Beth marks identifying potential threats as next up in the cybersecurity game plan.
To Beth, threat modeling is a crucial early step in effective security: “Understanding who’s coming after you. What’s valuable, what do you want to protect? How are we protecting that? Understanding what should be more protected – that’s pretty classic.”
She points out that threat modeling is an established technique in many sectors, and it applies to digital health as well: “Cybersecurity involves risks just like anything else – you need to understand these risks and take steps to mitigate them. The environment changes every day.”
What follows is iteration, and further “gap analysis”, or spotting and analyzing the gaps in your defenses, based on threat modeling. Supporting this, Beth observes, is a positive shift towards security for cloud-based infrastructures in recent years: “Most systems are encrypted by default now. AWS and GCP are building out inherent security functions in the cloud, and that’s a really good thing to see.”
Aligning with your stakeholders
Both speakers find the NIST CSF to be increasingly relied upon in their respective industries. As such, it becomes a powerful tool for building cooperation with stakeholders and communicating security gaps to leadership.
However, Rob emphasizes that the NIST CSF is not a compliance framework, but rather a set of outcomes for businesses to work towards. And while frameworks are generally flexible, issues can occur if the “spirit” of regulation is overlooked by auditors. The speakers agree that this is an expected occupational hazard in this space, and has to be resolved on a case-by-case basis. But an esteemed framework can support your cause.
Guardrails, not gates
As the cybersecurity space surges (12.4% annual growth, according to McKinsey), in-house security teams have the unique opportunity to shape their collective persona within their wider organization. Rob drops a memorable motto to keep in mind. “We’re here to build guardrails, not gates.”
By positioning themselves as guardrails, cybersecurity teams can take the role of proactive and collaborative team players. They become enablers rather than gatekeepers, working closely with other teams to facilitate innovation and growth.
Rather than impeding progress as a box-checking, mandatory obstacle for their colleagues to overcome, Rob recommends “[trying] to reduce friction with other teams, which builds trust and ultimately better results. Paved paths make you go faster.”
Beth agrees, advocating for a team-oriented attitude across organizations: “Working with the product teams, legal, IT, devs. Really getting that security awareness going through. I find that so many engineers just want to do the right thing, and are eager to build security functions into your product.”
She finds that her team is fielding more queries than ever, as interest and awareness of the space grows. Beth states that cybersecurity should be considered a business driver.
Closing comments
Undoubtedly, digital health companies face significant challenges when it comes to compliance and cybersecurity. The best approach, Rob and Beth find, is to implement cybersecurity standards into your product or service as early in development as possible. For Beth, “getting involved in the conversation earlier is preferable. You build it in [early], it’s easier, it’s cheaper.” Finally, Rob enthuses, there’s much to be optimistic about: “The security industry is in this really awesome space right now. There’s this blooming innovation happening all over the place. We have an entire generation of people who are dedicating their lives to this.”
To establish a robust game plan, security leaders must navigate the intricate dynamics of compliance and privacy requirements, while effectively engaging with external auditors and internal stakeholders. Embracing innovation will be key to gaining a competitive advantage as we move into a new era of digital health.