Health Care, Cybersecurity and COVID-19
In the span of a few weeks, COVID-19 has upended the healthcare system. The whole sector is being challenged to step up and deliver more than its capacity and to live up to the expectations of hundreds of thousands of patients at high risk. Unfortunately, healthcare firms, medical suppliers, and hospitals also face some of the highest incidence of cybercrime, and there’s no reason to expect that threat to diminish now.
Last month, the U.S. Health and Human Services Department suffered a cyber-attack on its computer system, aimed primarily at disrupting normal operations. Globally, all major healthcare organizations, including the World Health Organization (WHO), have been hit and/or will continue to be affected by various malicious attacks. To cybercriminals, COVID-19 is a lucrative opportunity to exploit fear and create disorder.
With healthcare already overburdened, any denial of service could be catastrophic to the lives of the COVID-19 patients, and given that this virus is likely to affect everybody directly or indirectly, all of us fall under the “patient” category. In addition to the risk posed by attacks to patient safety, interconnected medical systems and weak IoT devices can further increase the attack surface.
If you are a CISO or a decision-maker working in the healthcare space, there are a few areas of cybersecurity that should be addressed immediately so that your organization has a coordinated approach to cybersecurity in these challenging times.
1. Strengthen your “Remote Work” Situation
Whether we like it or not, working from home is an inevitable scenario in the current landscape. Remote work presents unique issues for numerous industries, especially during these interesting times. To read on how other industries may be affected, please refer to an earlier blog. On the healthcare front, some areas like payer services, IT and other back-office operations are facing new challenges with regard to remote work, as they need to ensure both continuity and agility. The use of the cloud and the internet has exponentially increased; therefore, we need security measures that are stronger and more modern.
In the realm of cybersecurity, dependency creates vulnerabilities as well as new attack vectors that need to be explored and mitigated. Some key steps to making “work from home” more secure and sustainable at the scale required now include:
Create remote work models depending on the type of taskforce (e.g. increase the scrutiny for roles that have access to patient data, apply the principle of least privilege)
Include a security Do’s and Don'ts checklist for home devices; mitigate the gaps in security hardening of home-placed computers
Generate awareness and workarounds for remote work tool vulnerabilities (e.g. the recent Zoom privacy issue)
2. Enhance Resiliency
Availability and integrity of data are by far the most crucial elements for smooth operations in the healthcare sector. Imagine if you get hacked and you have no capacity to treat anyone! Richard Staynings, Chief Security Strategist with Security Associates and a HIMSS Cybersecurity Committee member, agreed that the new battle lines are over availability, resiliency to withstand an attack, and the integrity of health data. Key steps here include:
Ensuring that the incident response plan and disaster recovery strategy are in place, well documented, and communicated. Having baseline solutions ready for detecting, monitoring and responding to adverse events
Conducting controls assessments for areas like Data Loss Prevention (DLP), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Patch Management, Data Backups, Encryption, Remote access, etc. and looking for operational deficiencies. Designing solutions to mitigate those control gaps
Ensuring that you have a “Crisis Plan” ready in case everything else fails. This may include things like a war room for a 24/7 response plan, vendor support for all mission-critical applications, a steering committee for quick high-risk mitigation support, etc.
3. Promote a more communicative culture for driving security awareness
Our employees are always the first line of defense. We need to capitalize upon and strengthen our defense mechanisms by promoting a culture of openness and sharing. The more we train them and make them threat-aware, the better off we are in fighting this growing cyber-war. So:
Conduct weekly webinars and virtual security forums that provide regular coaching to your workforce
Have CEOs and senior leadership address employees on the importance of security; send a signal about what a high priority it is.
Cybersecurity leaders from all around the world are coming together and forming an alliance (the C5 Alliance) to protect the healthcare sector. Many security organizations and experts are providing free guidance, training, and tools checklists to help the healthcare sector maintain basic security hygiene, which proves that cybersecurity has a vital role to play. As we have seen over and over again, the same solution hardly ever works for all. It is key to tailor the program to your business needs and security environment.
infoedge is helping its healthcare customers navigate these times, and we can also assist you with a preliminary security screening that provides a pragmatic start and then scales the solution with incremental improvements. We offer free advisory sessions to go over the current security posture and provide necessary next steps and recommendations for more resilient cybersecurity. Your patients’ safety and confidence are critical, particularly now. Take the time to build trust with them and competence within your team.