To quote New Zealand-born novelist and playwright Anthony McCarten, “We’re living in extraordinary times.” To which I’ll personally add, “that call for extraordinary security measures.”
In March, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued COVID-19 HIPAA waivers to promote data sharing and telehealth, relaxing laws over the good faith use and disclosures of protected health information (PHI). The explosion of COVID-19 demonstrates that providers need fast access to tools that identify, collect, track and exchange data on the flux of infected patients.
Protecting the privacy and security of patient data is the health IT industry’s fundamental civic duty during a nationwide public health crisis. While a hospital’s core competency has never been and will never be information technology (IT), taking care of patients is.
Here are five strategies to help you protect and secure your organization’s patient data and network from cyber attacks:
Make sure your escalation procedures are sound
A healthcare worker who spots a questionable issue must be free to report their concern so it can be addressed swiftly. Most every IT department has in place a reporting process, either a formal ticketing system or an on-call employee who accepts personnel’s phone calls. Once the IT staffer quickly escalates the issue to the appropriate leader or medical professional, the healthcare worker can resume their day job. Whether the issues are coronavirus-related or basic security breaches, e.g., an email phishing attack from an unfamiliar source, all team members, even those on the clinical side, should be empowered to bring up potential dangers to the appropriate parties.
Instruct your IT team to be extra diligent investigating unknown emails, links and websites
Cyberattacks targeting hospitals, practices and healthcare organizations are on the rise dramatically, a rise that can at least partially be attributed to the exploitation of the coronavirus.
Unfortunately, remote workers are also being singled out. A recent McAfee report uncovered a correlation between the increased use of cloud services and collaboration tools during the COVID-19 pandemic, along with an increase in cyberattacks targeting the cloud. External attacks on cloud accounts grew 630 percent from January to April. Cisco WebEx, Zoom, Microsoft Teams and Slack saw an increase of up to 600 percent in usage over the same period.
Healthcare staff members working remotely are more vulnerable and understandably distracted supporting COVID-19 patient care ─ which could make them easy prey for cybercriminals. The pandemic represents a huge opportunity for bad actors to compromise your systems with things like phishing emails that include faulty links and websites, ransomware attacks, and intrusions on sensitive data. Regularly remind your remote workforce to report suspicious activities by following your organization’s security protocols.
Review your intrusion detection strategy (IDS) or continue to monitor if you already have one
An IDS is a network security technology originally built for detecting vulnerability exploits against a target application or computer. Intrusion Prevention Systems(IPS) add the ability to block threats in addition to detecting them and have become the dominant deployment option for IDS technologies. More broadly, think of intrusion protection as personal computer security, but in a format that can look between different servers and flag suspicious activity. You should be reviewing and updating your technology and strategy regularly to ensure you’ve kept up with all applicable best practices.
Ensure your remote employees have corporate VPN and two-factor authentication services
This telework protocol should already be part of your business continuity plan. It should be reviewed and updated periodically to ensure traffic is handled securely.
Home internet networks simply are not as secure as your office network. VPN and two-factor authentication services are recommended for remote connection to support the goal of making remote work as seamless as possible. Be aware that, short of completing mission-critical projects, at-home internet outages will not necessarily cause a security issue. A larger issue is whether the remote worker has the right modem installed to handle many different in-home users.
Last point: Encourage employees to use corporate laptops with encrypted hard drives that are not shared with family members.
Keep doing all of the good things you were doing before the pandemic
Everything in your systems security plan is still valid with some possible changes for critical business continuity that should be maintained and exercised. HIPAA compliance might be relaxed, but security protocols remain doubly important in our current health crisis.