How healthcare CISOs can balance security and accessibility without compromising care

In this Help Net Security interview, Sunil Seshadri, EVP and CSO at HealthEquity, talks about the growing risks to healthcare data and what organizations can do to stay ahead. He shares insights on vendor management, zero trust, and securing the software supply chain, along with practical steps to tackle legacy system vulnerabilities. His advice helps organizations strengthen security without disrupting patient care.

Given the rise in supply chain attacks, how should healthcare organizations approach vendor risk management to prevent breaches?

Ensuring robust cybersecurity for protected health information and other personally identifiable information is crucial for healthcare and benefits providers.

And while HealthEquity is a Health Savings Account (HSA) custodian and administrator of other consumer-directed benefits not a healthcare provider, to mitigate the risk of supply chain attacks, organizations sensitive member data must adopt a technical, risk-driven approach to vendor risk management, integrating security controls across the vendor lifecycle and plan for ongoing vendor due diligence (pre contract vetting, verifying ongoing compliance with contractual obligations, incident response planning, etc.).

The approach should include aspects of vendor segmentation, access controls, deployment of zero trust and network segmentation, secure software supply chain and SBOM compliance (Software Bill of Materials), contractual security controls, and continuous compliance. Additionally, key vendors should have to take part in cyber drills for incident response readiness. 

How do you recommend healthcare CISOs balance security with accessibility, ensuring that data is protected without disrupting patient care?

Balancing security with accessibility in any organization—healthcare or otherwise, is an important challenge for security teams. A key aspect is to implement a risk-based, member-centric approach that ensures robust security measures without impeding workflows.

As an HSA custodian and administrator of other consumer-directed benefits we can achieve this by tailoring workflows using a zero-trust model and adaptive authentication, such as risk-based MFA, to minimize friction while enforcing stronger security for high-risk activities.

Furthermore, controls such as context-aware access, role-based access, real-time DLP to check and protect PHI, and tokenization mechanisms can help employees safely access sensitive data without exposing raw sensitive records.

Many healthcare providers struggle with legacy systems that cannot be easily patched. How can security teams mitigate risks associated with outdated infrastructure?

While patching is super important, taking a practical, layered approach to securing outdated infrastructure can help mitigate risks to an extent. My recommendation is to find ways to isolate legacy systems from internet-facing services and other modern applications using layers of security and software-defined perimeter.

Web application firewalls, when configured well, can block known exploits targeting legacy systems. EDR solutions and AI-driven behavioral analytics can provide an added layer of protection. However, while segmenting, hardening, and monitoring legacy systems can buy time, it is critical to migrate off legacy environments to a modernized stack. 

Healthcare mergers and acquisitions introduce significant security risks. What cybersecurity due diligence steps should be mandatory before an acquisition?

M&A transactions can introduce significant cybersecurity risks, including data breaches, compliance issues, and integration challenges.

A structured cybersecurity due diligence process should be mandatory as one of the early steps during pre-acquisition protocols. This should involve a thorough assessment of the company’s policies, controls, and practices to manage security risks and the rigor of the governance practices.

A technical assessment should confirm the reflections of the practices in place to ensure a healthy security posture. Post-acquisition, a practice that is being more adopted by security practitioners to fortify systems and environments is to “assume breach,” i.e., rebuild the security controls of the acquired entity to an acceptable state before integrating it with the parent company. 

What’s one underrated but highly effective security measure that more healthcare organizations should be implementing?

One underrated but highly effective security measure that any organization should implement is to devalue data. It is data that matters the most in companies—whether it is PHI, financial data, or more broadly consumer non-public information that companies need to protect.

If one believes in the paradigm that security controls are never perfect in any company, one needs to consider how to make the data unusable to unauthorized parties, when there is a successful breach. An effective way to do this is by applying strategies such as tokenizing the data or encrypting the data with the right key management practices. By implementing these measures, we can ensure the impact of a data breach is minimized by making the data unusable to an attacker.