Patient data privacy in a pandemic

by Mark Rowe

The spread of the COVID-19 pandemic has overwhelmed healthcare providers around the world like never before. There has been an unprecedented increase in the number of critical patients, a switch to supporting existing patients ‘virtually’ to limit the spread of a deadly disease, and temporary requirements to report to multiple government organisations. These changes present challenges that security and privacy professionals have never seen before – at least not to this extent and with this amount of urgency, writes Nitin Agale, VP of product and strategy at Securonix, the security operations and analytics platform.

Healthcare organisations are bound by stringent regulatory requirements (including HIPAA in the United States) to protect patient data privacy. Most mature organisations already have strong processes and controls in place to manage and monitor access to patient data. However, with the sudden move to remote visits and changes in reporting requirements, healthcare institutions are facing a variety of unique challenges. There are several steps that organisations can take to improve their cybersecurity posture, comply with longstanding and temporary regulations alike, and protect patients' personal health information.

Remote Access Setup: To comply with shelter-in-place guidelines and slow the spread of the pandemic among their employees and patients, healthcare organisations are suddenly faced with the need to grant remote access to large portions of their workforce. This presents many challenges, from logistical (e.g., having enough IT staff to support a massive volume of requests) to security (e.g., having multi-factor authentication in place to comply with existing regulations).

Training: A workforce that is not accustomed to the unique challenges of working remotely is more likely to use poor security hygiene, such as using insecure internet connections or weak passwords. Therefore, healthcare institutions should look to deliver consistent training services to their staff in order to prioritise the importance of maintaining a security conscious workforce and limit the possibility of a critical data breach despite precarious times.

Critical App Exposure: Critical applications with EMR data are typically not exposed to the internet without strong security controls. This norm is being challenged by today’s remote work setup at the expense of security. The applications that are most critical are often targeted the most frequently by cybercriminals. This is because they store a treasure trove of personal information that is incredibly valuable on the dark web. Also, these systems may be targeted by ransomware operators, as in many cases, hospitals and healthcare institutions have no choice but to pay the ransom to continue offering a service. By limiting the exposure of critical applications, enterprises can mitigate the risk of a serious data breach.

Use of Personal Devices: Not every employee has a corporate-issued mobile device (including laptops or smartphones), especially in a work-from-home environment. This is forcing organisations to allow employees to use personal devices to access critical systems, raising additional security concerns: devices that have not been vetted by trusted security teams are dangerous attack vectors. Decision-makers should be sure to supply workers with secured devices, or VPNs, to ensure efficient and secure business operation.

User Monitoring: Employee activity patterns and prospective attack vectors have changed radically. Monitoring and detection controls need to be able to adapt quickly to new patterns in order to detect attacks. This will allow security teams to monitor for unexpected or unauthorised access to sensitive data, and provide actionable insight, allowing them to shut down access to any device that may be showing malicious tendencies.

Many of these problems can be solved by the right data privacy monitoring partnership. Enterprises seeking to strengthen their security posture and regulatory compliance frameworks should focus on two key entities: the employee accessing the record and the patient whose record is accessed. Monitoring activity involves analysing and correlating events across the IT infrastructure in order to detect any suspicious patterns.

Detecting these suspicious patterns helps to limit the numerous exposures to internal threats, such as unauthorised access to patient data by employees, patient data snooping by family members or co-workers, or ransomware anomalies. Furthermore, the right patient data protection system will isolate unusual record access from unexpected locations, or access from multiple locations, that may indicate compromised records. Additionally, these services can be used to flag unusual VIP record access, such as failed logins from high-ranking employees or download spikes from unexpected locations. In the same vein, any worker who leaves the company should have their account terminated and deprovisioned. This is especially true for users with privileged access to sensitive data, and even dormant user accounts should be considered dangerous if they still have access to any form of patient data. Finally, the correct security protocol will have the ability to limit access to discharged or deceased patients' records while complying with a multitude of privacy regulations, both those specific to the healthcare vertical, such as HIPAA or HITRUST, and more general frameworks such as GDPR in Europe.
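The detections described above (access from an unexpected location, access from multiple locations in a short window, activity on dormant or terminated accounts, and access to discharged or deceased patients' records) can be expressed as simple rules over an EMR access audit trail. The example below is added here to illustrate that; it is not code from the article or from Securonix. The audit records, user profiles, patient census, thresholds and rule names are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str      # e.g. view, download
    location: str    # coarse client location (constructed, city-level)


# Constructed EMR audit records for illustration only; not the output of any real system.
SAMPLE_LOG = """\
2020-04-01T08:02:00 nurse01 P1001 view Boston
2020-04-01T08:05:00 nurse01 P1002 view Boston
2020-04-01T08:40:00 nurse01 P1003 view Lagos
2020-04-01T09:00:00 clerk07 P1001 download Boston
2020-04-01T09:10:00 exstaff3 P2002 view Boston
2020-04-01T09:30:00 dr_smith P3003 view Boston
"""

# Constructed identity context: usual location, last activity before this batch, HR status.
USER_PROFILES: Dict[str, dict] = {
    "nurse01":  {"home_location": "Boston", "last_seen": datetime(2020, 3, 31), "status": "active"},
    "clerk07":  {"home_location": "Boston", "last_seen": datetime(2020, 3, 30), "status": "active"},
    "exstaff3": {"home_location": "Boston", "last_seen": datetime(2019, 12, 1), "status": "terminated"},
    "dr_smith": {"home_location": "Boston", "last_seen": datetime(2020, 3, 31), "status": "active"},
}

# Constructed patient census: current status and the date that status took effect.
PATIENT_STATUS: Dict[str, Tuple[str, datetime]] = {
    "P1001": ("admitted", datetime(2020, 3, 28)),
    "P1002": ("admitted", datetime(2020, 3, 29)),
    "P1003": ("admitted", datetime(2020, 3, 30)),
    "P2002": ("admitted", datetime(2020, 3, 31)),
    "P3003": ("discharged", datetime(2020, 1, 15)),
}


def parse_log(text: str) -> List[AccessEvent]:
    """Parse whitespace-separated audit lines: timestamp user patient action location."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, location = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, location))
    return events


def detect_suspicious_access(
    events: List[AccessEvent],
    profiles: Dict[str, dict],
    patients: Dict[str, Tuple[str, datetime]],
    dormant_days: int = 90,                       # assumed threshold for a dormant account
    travel_window: timedelta = timedelta(hours=1),  # assumed window for multi-location access
    discharge_grace: timedelta = timedelta(days=30),  # assumed grace period after discharge/death
) -> List[Tuple[str, str, str, str]]:
    """Return (rule, user, patient_id, detail) alerts for the event stream."""
    alerts = []
    last_seen = {u: p["last_seen"] for u, p in profiles.items()}
    last_location: Dict[str, Tuple[datetime, str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        profile = profiles.get(ev.user)
        if profile is None:
            alerts.append(("unknown_account", ev.user, ev.patient_id, "no identity record"))
            continue
        # Deprovisioning gap: an HR-terminated account is still reaching patient data.
        if profile["status"] != "active":
            alerts.append(("terminated_account", ev.user, ev.patient_id, profile["status"]))
        # Dormant account suddenly active.
        gap = ev.ts - last_seen[ev.user]
        if gap > timedelta(days=dormant_days):
            alerts.append(("dormant_account", ev.user, ev.patient_id, f"idle {gap.days} days"))
        # Access from somewhere other than the user's usual location.
        if ev.location != profile["home_location"]:
            alerts.append(("unexpected_location", ev.user, ev.patient_id, ev.location))
        # Two different locations for one user within the travel window.
        prev = last_location.get(ev.user)
        if prev and prev[1] != ev.location and ev.ts - prev[0] <= travel_window:
            alerts.append(("multi_location", ev.user, ev.patient_id, f"{prev[1]} -> {ev.location}"))
        # Record of a discharged or deceased patient opened well after the episode closed.
        status, since = patients.get(ev.patient_id, ("unknown", ev.ts))
        if status in ("discharged", "deceased") and ev.ts - since > discharge_grace:
            alerts.append(("closed_record_access", ev.user, ev.patient_id, f"{status} since {since.date()}"))
        last_seen[ev.user] = ev.ts
        last_location[ev.user] = (ev.ts, ev.location)
    return alerts


def run_sample() -> List[Tuple[str, str, str, str]]:
    return detect_suspicious_access(parse_log(SAMPLE_LOG), USER_PROFILES, PATIENT_STATUS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rules are deliberately keyed on two entities, the accessing user (status, baseline location, last activity) and the patient whose record is opened (census status), which is the pairing the text recommends focusing on; a production system would replace the static dictionaries with HR, identity and EMR feeds and tune the thresholds to the organisation.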

By leveraging machine learning and artificial intelligence to identify threats to patient data, enterprises can look to quickly and accurately predict and prevent attacks by malicious individuals seeking to prey on the current climate of fear and confusion for their own benefit.


© 2024 Professional Security Magazine. All rights reserved.