How COVID-19 is Changing the Information Security Landscape
Steve Cagle, CEO of Clearwater Compliance, shares how healthcare companies can manage risk around the new cybersecurity challenges many are facing.
Healthcare companies that are already busy fighting COVID-19 have another serious problem to worry about: Cyber attacks. From February through mid-May, hospitals and healthcare systems reported 127 security breaches, a 50 percent increase from 2019.
Steve Cagle, CEO of Clearwater Compliance, is fighting to protect patient data and helping companies navigate the challenges that come with a remote workforce and the rapid implementation of new telehealth services.
In this episode of HIT Focus, brought to you by Tennessee HIMSS, Cagle talks with host Clark Buckner to share his perspective about the impact of COVID-19 on information security and on healthcare as a whole. He also offers advice to companies looking to better manage risk in these areas.
COVID-19 and the Perfect Storm for Cyber Attacks
The healthcare industry had already become a common target for cyber criminals over the past few years, but several factors surrounding COVID-19 made healthcare systems even more vulnerable.
First, many employees are working remotely for the first time, which means they may be accessing sensitive information in unsecure locations or on unsecure networks.
“Because nearly all remote access is occurring over the internet, organizations don’t really have control of the security of the external networks that are used by their telework client devices,” Cagle explained. “So those systems are subject to eavesdropping, where sensitive information could be compromised.”
Second, the onset of COVID-19 forced many healthcare providers to quickly create new telehealth services, often without taking the time to go through normal risk management procedures.
“Ordinarily, if you’re going to implement a telehealth solution, you would, in the normal course of business, have a business associate agreement, go through security questionnaires and assessments and potentially have the vendor implement additional controls or commit to certain things,” he explained. “There’s no doubt in my mind that most healthcare organizations have done everything they possibly could to do that. But in a compressed amount of time, some of those things just weren’t possible.”
On top of these environmental changes, hackers have more incentive than ever to try to breach the healthcare systems, due to the volume of valuable research around COVID-19 vaccines and treatments.
“We’re really seeing that the bad actors out there have taken this, unfortunately, as an opportunity to exploit those vulnerabilities and to attack the system when it’s really in a state of emergency,” Cagle said.
Basic Steps to Improve Security
Even during this unique situation, Cagle believes companies can improve their information security with a few basic steps.
First, he recommends businesses conduct an assessment of the types of devices their employees are using. Companies that provide devices for employees will need a different security strategy than those that allow employees to use their own devices, but either way, it’s important to make sure that all software systems and hardware are up to date and security patches are installed on all devices.
To help with this, many companies may need to update their security policies and procedures, and then use those new procedures to help employees understand how to stay secure while working remotely for the first time.
Other basic security best practices include creating tiered levels of remote access to limit who can view specific information and making sure to use passwords and waiting rooms on video call platforms.
Clearwater also works directly with clients to help them think through these issues from a risk-based perspective, Cagle explained. They developed a new program that helps clients survey their work environments and determine what security is already in place and what is still needed.
Changes that are Here to Stay
Even once the pandemic ends, Cagle believes certain changes to the healthcare industry will remain.
Though some regulations have temporarily been relaxed around telehealth services, companies will eventually need to go back and update those systems, because telehealth offerings will most likely continue after COVID-19.
Additionally, the recent cybersecurity challenges have proven that the industry needs stricter risk management requirements.
“There are going to be more enforcements in some of the existing requirements for things like risk analysis and making sure that organizations are really implementing risk management plans in a way that corresponds to the size and complexity of the organization,” Cagle said.
And though COVID-19 revealed major weaknesses and gaps in the healthcare system, Cagle remains confident the positive digital transformation that occurred will help push the industry in the right direction going forward.
“We’re extremely encouraged and have great admiration and gratitude for what our health system has been able to do in a very short amount of time to pivot and to respond in the way that they have,” he said. “Longer term, we think this continued adoption of technology and digital transformation in healthcare will continue to improve the way we deliver care, it’ll reduce costs, but of course we need to do the necessary things to ensure that we’re securing those systems and that they’re continuing to operate under stress.”
- Advancing Cyber Risk Management in our Nation’s Hospitals - November 30, 2020
- New Multi-Million Dollar Office for Civil Rights’ Settlements Re-Affirm Risk Analysis & Risk Management as HIPAA Enforcement Priorities - October 1, 2020
- How COVID-19 is Changing the Information Security Landscape - August 18, 2020