3 Healthcare Security Wake Up Calls…in a COVID19 World
by Stephen Trout
Never let a good crisis go to waste.
Whoever said it first (maybe Churchill, though it’s debated) understood a deeper truth about life, often missed in easier times: storms of crisis and suffering tend to shake us out of complacency, spurring us to seek change.
Case in point: it goes without saying that COVID-19 has been the titanic struggle of the year (over 50 million cases globally, and counting) for individuals, families, and organizations. Yet while the losses have been great, the crisis has challenged many to see their faith renewed, families brought closer, and their courage to “help others into the lifeboats” (think nurses and other first responders especially) pushed to beautiful new heights.
In the business of healthcare technology and cybersecurity, the same holds true: violent storms and invisible icebergs (viruses, cyberattacks) may indeed rock our boat, but they also motivate us to do more than grab a life jacket and bail out. We begin to think how to “secure the ship” in new ways.
One reason we’ve had to do this is that the storm of COVID-19 has seen opportunists — unscrupulous actors seeking to exploit the “fear and uncertainty caused by the unstable social and economic situation,” as INTERPOL reported. COVID-19-themed phishing emails and fraudulent domains sprang up early on, spreading as fast as the virus. Meanwhile, ransomware and other kinds of attacks from nefarious sources showed no signs of slowing.
As a result, data handling experts like Microsoft (following Google and other CSPs like HIPAA Vault) appear to be doubling down on security:
Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks. — Microsoft’s 2020 Digital Defense Report
So the question is a good one: what are you learning in the wake of COVID-19?
Here are 3 areas we’ve seen — from a healthcare security perspective — where the pandemic storm has indeed rocked the boat, but also spurred positive change:
1. Organizations are Taking Email Phishing more Seriously
Microsoft’s Digital Defense Report notes that over the past year especially, cybercriminals have become more savvy (as noted) — even willing to capitalize on email phishing with COVID-19 themes early in the pandemic. This was a clear indicator of how agile and evolving (and yes, heartless) the attackers are.
Interestingly, the report details a general shift for these cybercriminals, changing their primary means of attack from malware to email phishing. As such, they’re utilizing increasingly sophisticated methods to attempt to sway recipients and harvest their credentials.
A popular and effective approach you’ve probably seen is to imitate top brands — including Amazon and Apple — to lure consumers. Clicking on links in the email opens the door for attackers to deliver their harmful payload, compromise your system, and even breach your data.
What Can be Done?
For healthcare organizations, the use of secure, encrypted email requiring authentication is one way to recognize valid emails, filter out phishing schemes, and so protect sensitive data.
Cybersecurity training — such as that offered by HIPAA Academy — can also help an organization’s employees (a key component of a strong defense) recognize potential attacks in the high volume of emails companies typically receive. This is a strategic way that companies can forge a strong defense, while eliminating potential weak links that might cripple their network.
2. Taking Remote Telehealth Security Seriously
We’ve seen how new technologies such as IoT and 5G are supporting remote healthcare efforts, bringing much-needed remedies to entire underserved populations. Because of COVID-19, these efforts have been dramatically expanded. Much of the general population now relies on virtual visits with their physicians to help ‘flatten the curve’. Healthcare is even realizing how effective this has been in helping to streamline costs, as business-as-usual operations have significantly changed.
Yet with more devices and connections being made remotely, there’s also an increase in potential targets and security risks. You need to ensure a safe environment for your medical data and personal information.
What Can be Done?
Using secure connections and data encryption through a trusted application and HIPAA hosting provider is indispensable for protecting personal information during your telehealth sessions. In addition, the following practices should be observed:
- Visit only secure websites (look for the “lock” icon in your browser’s address bar)
- Use strong passwords (a mix of lowercase, caps, numbers, and symbols) for all wireless connections
- Install an antivirus program on devices
3. Taking IoT Device Security Seriously
As COVID-19 continues, we’re seeing how an increasing proliferation of IoT devices (already in process, but spiking) is widening the attack surface. As the Microsoft Report notes, there’s been an approximate 35% increase in total IoT attack volume in the first half of 2020, as compared to the latter half of 2019.
2017’s devastating WannaCry ransomware attack certainly provided a global wakeup call in this regard. The attack highlighted how numerous devices across England and Scotland were infected due to an unpatched Windows 7 operating system.
What Can be Done?
Getting a handle on the kinds of devices currently in use in the healthcare marketplace (many without patching capabilities) will require a concerted effort, but it must be done. Using devices on segmented networks will also be key, as will requiring more sophisticated, patchable devices going forward.
There are many more “wake-up calls” concerning healthcare and security that we might list; these are just a start. Times like these call for deeper reflection, even a willingness to change our own personal status quo. Protecting patients is a holistic enterprise; we contribute to their well-being when we recognize how they can be damaged not just from an invisible virus, but also from those who would exploit their identity and personal data.
HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.