Clearwater COVID-19 Cybersecurity Advisory: Analyzing and Responding to Risks Resulting from Work- from-Home Environments

Clearwater Customers can perform risk assessment using their existing IRM|Analysis® software and can leverage free assistance from Clearwater

In the wake of the COVID-19 pandemic, many healthcare organizations, as well as their key vendors, have transitioned a substantial part of their workforces to perform duties from home. While many organizations are accustomed to some of their employees working from home at times, the significant increase in the number of employees teleworking, introduction of new devices and networks, existence of non-authorized people at home (e.g. family members), and upsurge in remote interactions with company information systems substantially increases the attack surface.Potential to Increase Risk of Cyberattack
The new paradigm introduces new vulnerabilities and risks of a breach or ransomware attack that may further hinder the organization’s ability to fulfill its mission at a time when it is already operating from a compromised position. Healthcare organizations and their vendors who are creating, transmitting, receiving, or storing electronic protected health information (ePHI) in work-from-home settings, must update their risk analysis immediately to assess their risks as a result of this change in their business operations and information technology environment.Healthcare Cyberattacks Have Increased with the Spread of COVID-19
Cyberattacks, particularly in the form of social engineering, have surged during the COVID-19 crisis and are expected to continue to increase. The US Department of Homeland Security issued an alert this month warning that the pandemic has increased threats and that “cyber actors may send e-mails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information.” Bad actors are taking full advantage of the reduced security posture of healthcare organizations and their vendors that results from having millions of employees now working from home. Compliance with the HIPAA Security Rule Requirement
The Office for Civil Rights (OCR) has issued strict guidance on updating an organization’s security risk analysis (as required by the HIPAA Security Rule) when significant changes to the environment have been made. As stated in OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule “…risk analysis and management process is performed as new technologies and business operations are planned…potential risk should be analyzed to ensure the ePHI is reasonably and appropriately protected. If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed.”

Organizations that complete or update a risk analysis meet this obligation and reduce risk of regulatory action, fines, or damages from litigation in the event of a security breach, as they have demonstrated compliance and have acted reasonably and appropriately in taking measures to protect the confidentiality, integrity, and availability of ePHI.Clearwater Customers Can Leverage IRM|Analysis® to Assess Risk Immediately
Clearwater’s IRM|Analysis® software provides the means to assess risk scenarios presented in a work- from-home environment. Using the software, healthcare organizations can re-evaluate the controls that are in place to mitigate the likelihood of a threat exploiting a vulnerability that may exist within information system components that are now in use by remote workers.

Consider these factors in the risk analysis:

  • New systems that were previously not accessed from home now are included in scope of work-at-home environments
  • New system components introduced in a work-at-home environment, including BYOD devices, unsecured Internet connections, and new employees who have not previously worked from home
  • New vulnerability-threat (risk) scenarios that are now applicable, or more relevant, based on the above
  • The degree to which existing controls are relevant in the work-at-home environment, as well as any new controls the organization may have introduced as it shifted to the work-at-home environment
  • Whether controls, which may have been previously effective in a traditional work environment, are as effective in the work-at-home environment
  • The likelihood of a security incident occurring based on the above
  • The impact of a breach or loss of system availability as result of a security incident not only from a privacy perspective but also with regard to its ability to continue business operations
  • Any updates to the risk level based on changes to the likelihood and impact

Review these Information Security Controls in IRM|Analysis®:

  • Automatic Alerting for Adverse Events – Will appropriate staff be promptly notified by monitoring systems if business critical systems or networks fail or don’t perform as expected?
  • Contingency Plans – If you don’t have a Disaster Recovery Plan covering a pandemic, now may be the time to create one. If you do, it may prove useful to update it.
  • Information Systems Security Policies and Procedures – Like your Contingency Plans, do your current IS Security Policies and Procedures cover current circumstances or do they require updating?
  • Remote Administrative Access – Do critical systems allow network and system administrators to monitor and administer them remotely?
  • Remote Access Controls – Do your remote access controls allow staff to successfully work from home? Are they sufficient to handle an increased demand on your networks? Are they secure against potential “sniffing,” “man-in-the-middle,” and other related attacks?
  • Security/Privacy Awareness and Training – Malicious parties have been increasing their attacks on vulnerable systems and staff during these tumultuous times. Your staff may benefit from a refresher on malware and phishing attacks.
  • Social Engineering Testing – It may be beneficial to determine if your security training was effective, especially against phishing attacks, by performing some Social Engineering tests organization-wide, before staff are subjected to the real thing.

Review these Risk Scenarios in IRM|Analysis®:

  • The Inability to Adequately Respond to Disaster – Lack of Contingency Planning Risk Scenario for the Security and Governance Component.
  • The Improper Disclosure or Use of Sensitive Data – Insufficient Personnel Training Risk Scenario for all Internal and External User Components.
  • All Scenarios related to any device furnished by the organization to its staff for use at home, such as laptops and cellphones.
  • All Scenarios pertaining to whatever External Network Component is used by the organization to provide remote access to internal organizational systems.
  • All Scenarios for any Application or Software-as-a-Service Component used by the organization for email, to store or exchange files remotely (e.g. DropBox, Google Drive, Microsoft OneDrive, etc.), exchange text messages (e.g. Skype, Microsoft Teams, Facebook Messenger, etc.), or conduct remote meetings (e.g. Zoom, GoToMeeting, Webex, etc.).

Respond to Risks
Upon identifying risks, organizations should prioritize any risks above their risk threshold and determine whether to accept, transfer, avoid, or mitigate the risk. In cases where organizations decide to implement additional security measures to reduce risk, they must thoughtfully consider available options that can be implemented both quickly and in the context of a work-at-home environment. The above should be documented appropriately in IRM|Analysis® using the software’s Risk Response function. Verify Whether Vendors Have Assessed Risk
Healthcare providers or business associates who rely on subcontractors should contact their key vendors who may have transitioned to a work-from-home environment and determine the extent to which they have updated their risk analysis. Free Assistance for Clearwater Customers
Clearwater understands the toll that the COVID-19 outbreak is taking on healthcare organizations and security teams. As a valued partner, in addition to its unlimited IRM|Analysis® training and support, Clearwater stands ready to provide Security Consultant assistance at no charge, based on availability, to any of its Customers who need guidance or assistance in updating their risk analysis. Contact our Customer Success team at 1-800-704-3394 or customersuccess@clearwatercompliance.com to arrange a consultation with one of our expert consultants.

Newsletter

Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.


Related Blogs

Connect
With Us