While healthcare professionals are putting themselves on the frontline to protect and serve patients throughout the COVID-19 pandemic, bad actors are taking advantage of the current events to ramp up their efforts to cause harm.
At the same time, organizations have shifted their operations to a remote model, moving quickly to implement new hardware, software, and procedures. But with no established playbook to follow, providers were left to figure things out largely on their own. Even still, the healthcare industry must maintain an on-site presence. So how can they feel confident that their systems and processes remain secure?
The COVID-19 pandemic has required leaders from all areas of the healthcare industry to rethink how their organizations operate and deliver care.
In the cybersecurity sector, stakeholders have had to adjust rapidly, and mostly on their own, to a remote model as well as to increased threats from bad actors.
A recent HealthITSecurity webcast panel by Rapid7 highlighted ways for healthcare organizations to stay safe and maintain the security of their systems and processes, and discussed how the industry is likely to change moving forward to reflect the modifications made during the pandemic.
Taking necessary precautions to get ahead of security threats
With COVID-19 spreading across the country, healthcare organizations have found themselves in an especially delicate situation. This uncharted, vulnerable environment has opened the door for attackers to exploit sensitive information.
To stay safe and avoid security attacks during the pandemic, providers should focus on investing in tools that can help them identify and respond to any abnormalities that may occur.
According to panelist Stephon Goldberg, Medigate’s VP of systems engineering, the creation and enforcement of policies around medical devices are preventive measures that will pay dividends in the long run, but the present requires a focus on detection and response so that organizations can continue to operate and deliver quality patient care.
“The advice we’re giving to healthcare customers is first and foremost to keep the lights on. No amount of data is worth someone losing their life. We all know that. So, if you have to modify or reduce or even turn off some controls, as long as you’ve considered all the options and are making an informed decision, by all means, keep the lights on,” said Michael Cole, principal advisory services consultant at Rapid7.
After working to address more immediate threats, organizations should make reviewing their security practices a top priority once the dust has begun to settle.
“But the flip side is that once the boat isn’t rocking as much, it is critical to go back and perform analysis and assessment to understand the weaknesses that are inherent in this kind of work model—the changes you’re making, and the impact of those decisions to prioritize business processes at the expense of security controls. You’ve got the lights on, but you’ve got to go back and address that residual risk.”
Evaluating the longevity of new security practices
To get through this uncertain time, most hospitals and health systems have implemented new security practices that may or may not stay in place after the pandemic has subsided.
“Some organizations are going to look back and realize that some things that they thought were important or critical really weren’t. I hope organizations learn from that and try not to rely on paper policies that aren’t tested and proven given the importance of identifying critical business processes. Regardless of how good your other plans and contingencies are, if you can’t address those fundamental things, you’re going to struggle,” Cole said.
“To that end, I expect to see some security teams rethink what matters in terms of processes and policies. I think we’re going to see a shift back towards function over form, in terms of allowing businesses access to the tools and resources that they need when they need them. That’s what I would like to see come out of this long term—a better focus on communication and a focus on what really matters.”
Joseph Agnew, Rapid7’s senior manager of sales engineering, added that some adopted practices will likely stay in place once life has returned closer to normal.
“For those organizations that did emergency hardware buys, they’re not going to un-buy the hardware when this is done. They will enjoy the enhanced capabilities of the extra firewalls on their edges and their secure VPN concentrators that are out there. They will probably be happy they made those purchases, especially depending on whether organizations actually stay remote,” he said.
“There’s going to be some enhanced remote work when this is all done, whether it’s one day per week or a percentage of the workforce that stays remote. And being able to plan and be prepared for that is important.”
Long-lasting changes for the cybersecurity industry
Going forward, it is clear that the outbreak will have an unprecedented impact on systems and ways of doing things. In the cybersecurity realm, this could lead to more streamlined processes, Cole noted.
“Our new normal is going to be a shift to the expectation of being a lot more dynamic and ready to serve. Instead of going through a whole project management process with lots of overhead, lots of moving pieces, I think organizations understand that there is a lot of overhead that may not need to be there,” he said.
“Governance is still important, it will always be important, but going forward people will expect those changes to be facilitated faster, more dynamically, with the expectation of quantifying and mitigating risk to be done much more quickly and effectively.”
The COVID-19 pandemic has shed light on the things healthcare needs to modify, but it has also highlighted the industry’s capacity for change.
“What organizations, particularly hospitals, have learned from this is that we actually can move fast. And we can accept risk in ways that do not end the world. Our job in cybersecurity is going to be to make sure that those changes don’t cause major problems,” Agnew stated.