The spread of the COVID-19 pandemic has presented healthcare providers around the world with challenges like never before. There has been a huge increase in the number of critical patients, a shift to supporting existing patients ‘virtually’ in order to limit the spread of the virus, and temporary requirements to report to different government institutions. These changes present challenges in protecting patient data that security and privacy professionals have never seen before, at least not to this extent and with this urgency.
Healthcare organisations are bound by several stringent regulatory requirements (including HIPAA) to protect patient data privacy. However, these may not be enough to protect the most vulnerable in these unprecedented times. Most mature organisations do have processes and controls in place to manage and monitor access to patient data, but with the sudden shift to remote visits and sudden changes in reporting requirements, healthcare institutions are facing a variety of unique challenges. With this in mind, there are several steps that healthcare institutions can take in order to improve their cybersecurity, comply with both longstanding and temporary regulations, and protect patients' personal health information.
- Remote Access Setup: In order to comply with shelter-in-place guidelines and slow the spread of the pandemic among their employees and patients, healthcare organisations are suddenly faced with the need to grant remote access to large portions of their workforce. This presents many challenges, from logistical (e.g., having enough IT staff to support a massive volume of requests) to security (e.g., having multi-factor authentication in place on every remote entry point, not just on some applications, in order to comply with existing regulations).
- Training: A workforce that is not accustomed to the unique challenges of working remotely is more likely to practise poor security hygiene, such as working over unsecured home or public Wi-Fi networks or reusing weak passwords. Therefore, healthcare institutions should deliver consistent training to their staff to reinforce the importance of a security-conscious workforce and limit the possibility of a critical data breach in precarious times.
- Critical App Exposure: Critical applications holding electronic medical record (EMR) data are typically not exposed to the internet without strong security controls. That norm is being challenged by today's remote work setup, often at the expense of security. The most critical applications are also the most frequently targeted by cybercriminals, because they store a treasure trove of personal information that is highly valuable on the dark web. These systems are also targeted by ransomware operators, since hospitals and healthcare institutions often feel they have no choice but to pay the ransom in order to keep delivering care. By limiting the exposure of critical applications, for example by keeping them behind a VPN or an access gateway that enforces authentication rather than publishing them directly to the internet, enterprises can mitigate the risk of a serious data breach.
- Use of Personal Devices: Not every employee has a corporate-issued device (laptop or smartphone), especially when working from home. This is forcing organisations to allow employees to use personal devices to access critical systems, which raises additional security concerns: devices that have not been vetted by the security team are a dangerous attack vector. Decision-makers should supply workers with secured devices where possible, and otherwise provide a VPN or remote-desktop path to critical systems. Note that a VPN only protects traffic in transit; it does not make an unmanaged endpoint trustworthy, so personal devices should still be held to a minimum posture (patched operating system, screen lock, no patient data saved locally) before they are granted access.
- User Monitoring: Employee activity patterns and prospective attack vectors have changed radically. Monitoring and detection controls need to adapt quickly to the new patterns in order to detect attacks. This allows security teams to monitor for unexpected or unauthorised access to sensitive data and obtain actionable insight, so they can shut down access from any account or device that shows malicious tendencies.
These issues can be addressed with the right data privacy monitoring partner. Enterprises seeking to bolster their security posture and regulatory compliance frameworks should focus on two key aspects: the employees accessing the record and the patient whose records have been accessed. Monitoring this activity involves analysing and correlating events across the IT infrastructure in order to detect suspicious patterns.
Detecting these patterns reduces insider risk such as unauthorised access to patient data by employees, snooping on the records of family members or co-workers, or the access anomalies that precede a ransomware incident. The right patient data protection system will also isolate unusual record access from unexpected locations, or by the same user from multiple locations in a short time, that may indicate a compromised account. These services can likewise flag unusual activity around VIP records, such as failed logins against high-ranking employees' accounts or download spikes from unexpected locations. Account lifecycle matters too: any worker who leaves the organisation should have their account terminated and deprovisioned. This is especially true for users with privileged access to sensitive data, and even dormant user accounts should be considered dangerous if they still have access to any form of patient data. Finally, the correct security protocol will be able to limit access to the records of discharged or deceased patients while complying with a multitude of privacy regulations, both healthcare-specific (HIPAA, or the HITRUST framework) and more general, such as GDPR.
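To make the detection logic described above concrete, here is an added example (it is not code from the original article or from Securonix) that runs five of those rules over a constructed audit log: access to discharged or deceased patients' records, a dormant account touching patient data, the same user accessing from two locations within a short window, a record-export spike, and a burst of failed logins against a VIP account. The log format, the user and patient identifiers, the reference tables and the thresholds are all assumptions made for the example; real EHR audit logs use their own schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format:
# "<ISO timestamp> <user> <action> <patient> <location>"; patient is "-" when none.
SAMPLE_LOG = """\
2020-04-06T08:01:00 nurse_a VIEW P100 site-boston
2020-04-06T08:03:00 nurse_a VIEW P101 site-boston
2020-04-06T08:20:00 nurse_a VIEW P102 site-denver
2020-04-06T09:00:00 billing_b EXPORT P200 vpn-home
2020-04-06T09:02:00 billing_b EXPORT P201 vpn-home
2020-04-06T09:05:00 billing_b EXPORT P202 vpn-home
2020-04-06T09:07:00 billing_b EXPORT P203 vpn-home
2020-04-06T09:09:00 billing_b EXPORT P204 vpn-home
2020-04-06T09:11:00 billing_b EXPORT P205 vpn-home
2020-04-06T10:30:00 old_contractor VIEW P301 vpn-home
2020-04-06T11:00:00 cmo_x LOGIN_FAIL - vpn-home
2020-04-06T11:00:20 cmo_x LOGIN_FAIL - vpn-home
2020-04-06T11:00:40 cmo_x LOGIN_FAIL - vpn-home
2020-04-06T11:00:55 cmo_x LOGIN_FAIL - vpn-home
2020-04-06T12:00:00 nurse_c VIEW P400 site-boston
"""

# Constructed reference data a monitoring system would hold (hypothetical values).
PATIENT_STATUS = {"P301": "discharged", "P400": "deceased"}  # all others: active
LAST_SEEN = {  # last activity per account before this log, from the baseline
    "nurse_a": datetime(2020, 4, 5), "billing_b": datetime(2020, 4, 5),
    "nurse_c": datetime(2020, 4, 3), "cmo_x": datetime(2020, 4, 5),
    "old_contractor": datetime(2019, 12, 1),
}
VIP_USERS = {"cmo_x"}
RECORD_ACTIONS = ("VIEW", "EXPORT")


def parse_log(text):
    """Parse the hypothetical log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, loc = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient, "loc": loc})
    return records


def detect(records, dormant_days=90, travel_window=timedelta(hours=1),
           export_max=5, fail_max=3):
    """Return a sorted list of (rule, user) alerts found in the records."""
    alerts = set()
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)

    for user, recs in by_user.items():
        # Rule 1: an account idle for longer than dormant_days (or unknown to the
        # baseline) suddenly reads or exports patient records.
        baseline = LAST_SEEN.get(user)
        if baseline is None or recs[0]["ts"] - baseline > timedelta(days=dormant_days):
            if any(r["action"] in RECORD_ACTIONS for r in recs):
                alerts.add(("dormant_account_access", user))
        # Rule 2: access to a discharged or deceased patient's record.
        for r in recs:
            if r["action"] in RECORD_ACTIONS and \
                    PATIENT_STATUS.get(r["patient"]) in ("discharged", "deceased"):
                alerts.add(("closed_record_access", user))
        # Rule 3: consecutive record accesses from different locations within
        # travel_window. Location labels stand in for geo-IP in this example.
        accesses = [r for r in recs if r["action"] in RECORD_ACTIONS]
        for a, b in zip(accesses, accesses[1:]):
            if a["loc"] != b["loc"] and b["ts"] - a["ts"] <= travel_window:
                alerts.add(("multi_location_access", user))
        # Rule 4: more than export_max exports inside any sliding one-hour window.
        exports = [r["ts"] for r in recs if r["action"] == "EXPORT"]
        for i, start in enumerate(exports):
            if sum(1 for t in exports[i:] if t - start <= timedelta(hours=1)) > export_max:
                alerts.add(("export_spike", user))
                break
        # Rule 5: burst of failed logins against a VIP account.
        fails = sum(1 for r in recs if r["action"] == "LOGIN_FAIL")
        if user in VIP_USERS and fails > fail_max:
            alerts.add(("vip_login_failures", user))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:24s} {user}")
```

The rules are deliberately simple thresholds so that each alert can be traced to the log lines that produced it; a production system would tune the thresholds per role, use geo-IP or site data rather than location labels, and correlate these signals with HR deprovisioning feeds so that the dormant-account rule fires before an ex-employee's account is used rather than after.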
By leveraging machine learning and artificial intelligence to identify threats to patient data, healthcare institutions can quickly and accurately detect and stop cybercriminals who are taking advantage of these uncertain times to profit at the expense of those who work hardest to protect the vulnerable.
By Nitin Agale, VP of product and strategy at Securonix