Healthcare security as a service from the cloud
During the last year, IT incidents involving malware paralyzed hospitals and made headlines around the world. The reason: Within a few days, several serious incidents involving a specific kind of malware occurred. A ransomware called “Locky” paralyzed IT systems and encrypted important data, and the criminals demanded ransom to decrypt the data. The impact was huge: Patients could not be admitted, surgeries were delayed, and nearby hospitals had to help out. The failure of their IT infrastructures was costly for the hospitals and directly affected public life.
These incidents demonstrated that IT security needs to be a top priority in the medical sector to ensure continued operations and protect sensitive patient data. But what would potential solutions in the cloud look like?
One-third of companies in Germany are affected
According to a survey by the Bundesamt für Sicherheit in der Informationstechnik (BSI), about a third of companies were affected by ransomware at the beginning of 2016. One in five (22 percent) of the affected companies experienced a serious IT infrastructure failure, and 11 percent experienced a permanent loss of important data.
The Federal Government of Germany reacted to the increasing number of cyber threats with the IT-Sicherheitsgesetz (IT Security Act), which has been in force since 2015. Exact requirements will be finalized in spring 2017, and hospitals find themselves among the critical infrastructures (kritische Infrastrukturen, KRITIS) since they are part of the health sector.
Large hospitals will soon have to work with central reporting offices, and incidents that reach a certain size threshold will have to be reported to the BSI. The IT incidents occurring in 2016 led to an increased awareness of IT security in the healthcare sector.
Unlike many other varieties of malware, ransomware is directly visible to the affected users. Due to the encryption of data, employees can no longer use the infected systems. By demanding ransom to decrypt the IT systems, the attackers offer a way out which may help in the short term but won’t protect the user from future attacks. This is why any approach to IT security needs to be comprehensive and holistic. Hospitals should assess their specific risks and develop a customized approach to IT security.
Increased challenges for IT executives
In the healthcare sector, IT executives face increasingly complex and heterogeneous networks. The number of fixed and mobile devices is growing, and the effort involved in administering and managing the infrastructure of a security solution quickly turns into a top priority. To manage the network centrally and provide updates and up-to-date signatures to all endpoints, a management solution is required. This means that a dedicated server must be purchased and operated, and IT staff need to administer this server in addition to their daily tasks and, in case of an emergency, respond in a timely manner. As a result, costs and risks are hard to control.
Customized security solutions are essential
A security solution needs to adapt to the requirements of the healthcare organization and, despite its complexity, has to be easily manageable. Proactive and holistic security solutions are essential to protect IT networks from viruses, Trojans, and other internet threats. The solution needs to be extensible to enable the organization to add relevant features as needed, and it must offer features like a firewall, antispam protection, or policy management. Additional modules for patch management and network monitoring, as well as email/web gateways should complement the specific protection.
Modular solutions offer advantages since they allow companies in the medical sector as well as organizations tasked with IT security to be flexible and respond proactively to emerging threat scenarios. It is important, though, to view security as a permanent and holistic process.
Solutions from Microsoft Azure Deutschland
Outsourcing part of the IT infrastructure could be a potential solution. Medical institutions, however, face the challenge of remaining compliant with strict data protection laws. G DATA, an IT security solutions vendor based in Germany, offers a solution called Managed Endpoint Security in cooperation with its partners in the healthcare sector. With G DATA’s solution, there is almost no need to maintain an IT security infrastructure, and any required services are carried out by specialized partners. In case of an emergency, the relevant partner can take action via remote maintenance and fight off the threat. The security architecture grows with the company, and even heavily heterogeneous networks can be managed without problems.
Partners using Managed Endpoint Security operate a virtual management server on Microsoft Azure Deutschland for their customers. Azure Deutschland is compliant with the strict data protection laws in Germany and thus meets compliance requirements related to public cloud solutions. As a result, Managed Endpoint Security scales flexibly without delays and guarantees high availability of up to 99.99 percent. At the same time, the partner does not need to maintain an infrastructure and takes advantage of predictable costs, just as its customers do. With Managed Endpoint Security on Azure Deutschland, hospitals and other medical institutions can focus on their daily operations while taking advantage of secure IT and predictable costs. This is a profitable business model for the G DATA partner, providing solid margins, close customer ties and a reliable cash flow.
Learn more about G DATA’s comprehensive, holistic approach to IT security for the healthcare industry at www.gdata.de/azure.
Learn more about Microsoft’s Cloud for Health here.
Partners manage and update customer endpoints via the G DATA Management Server. With G DATA Managed Endpoint Security powered by Microsoft Azure, partners do not need to install this server in their own datacenters or on-premises at the customer; instead, they use a virtual management server on Microsoft Azure Deutschland.