Coronavirus Implications for Healthcare Security Programs
Published On March 9, 2020
Blog Post by Brian Selfridge, Partner at Meditology Services
On March 5th, HIMSS announced the cancellation of their flagship national healthcare conference just days before the event was set to take place in Orlando, Florida. Just a few days earlier, the state of Florida had declared a state of emergency surrounding the global outbreak of the COVID-19 Coronavirus which has prompted cascading economic and business operational impacts for healthcare entities.
The HITRUST Alliance also announced temporary changes on March 5th to their requirements for on-site assessments associated with Validated Assessments. This move helps to reduce the mandatory travel associated with HITRUST certification assessments and audits that could contribute to the spread of the deadly virus.
Healthcare entities across the spectrum of providers, payers, and business associates are beginning to evaluate plans for adjusting work environments to prevent and contain the spread of the Coronavirus. This is prompting information security leaders and teams to plan for increases in remote access for the workforce and shore up related remote access security capabilities and monitoring processes.
Our own firm, Meditology Services, is working with clients to reduce onsite assessment and audit activities on a temporary basis and will be relying on increased audio and video conferencing capabilities to perform our advisory services.
Meditology has been working with our clients to identify additional measures to prepare and respond to the Coronavirus outbreak. Here are some recommended activities for healthcare security and IT teams to consider as this situation unfolds:
- Evaluate current remote access capabilities and identify models for scaling remote access to larger segments of the workforce; consider multiple options including emergency VPN models and permitting personal device connectivity under emergency circumstances
- Require a subset of the workforce to work from home on a designated day to “pilot” large scale remote access and work out any kinks for users that do not traditionally work from home
- Create checklists with security and connectivity guidelines for remote workers
- Tailor and deliver end user awareness and education around security behaviors for remote working and systems including safe web browsing and IT acceptable use practices, and phishing and social engineering awareness (related to attacks that might target Coronavirus messaging)
- Establish “tiers” of workforce members and designate which job roles are permitted to work remotely. A simplistic model for demonstration purposes might look something like this:
- Tier 1 – Employees that can work remotely any time (e.g. IT admins)
- Tier 2 – Employees that can work remotely under emergency circumstances (e.g. administrative and finance personnel)
- Tier 3 - Employees that must come on site even during emergencies (e.g. healthcare providers)
- Evaluate telehealth capabilities and determine if additional scale or application of telehealth capabilities can be deployed to limit the need for patients to be seen on site
- Review existing policies and procedures for business continuity and disaster scenarios including outbreaks and update processes and related documentation accordingly
- Reconsider any disaster recovery scenarios that rely on purchase or acquisition of IT equipment or hardware from parts of the world that may be experiencing workforce and production constraints from the outbreak situation (e.g. China)
We will continue to review and update these recommendations as this situation unfolds. Regardless of the impact to your particular organization for the Coronavirus outbreak, it is never a bad time to review disaster recovery and business continuity plans.