The CyberPHIx Roundup: Industry News & Trends, 3/17/20

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this special edition episode, our host Brian Selfridge discusses updates and recommendations for healthcare security and IT teams to manage the COVID-19 / Coronavirus pandemic response. Content covered includes:

  • News updates for cancelled conferences including HIMSS and HCCA and changes to security assessment models from HITRUST and other firms
  • Trends in cyber attacks leveraging the COVID-19 notoriety
  • Recommendations for healthcare security teams for remote work security and rollout models, awareness training, telehealth models, BC/DR plans, and more

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx healthcare security roundup. Your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup. Be sure to check out our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders at meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx. 

 

Brian Selfridge: [00:00:32] OK. This week we're going to get right into it. This is all about Coronavirus, Covid-19. There's sort of no other topic that we're possibly able to talk about. Major impacts on the industry, healthcare providers in particular, but we're going to focus the conversation on what does this mean to healthcare, security, and compliance programs? How can we help? How will we be impacted? How can we make sure that the technologies that are needed to support remote work, for example, are in place? And so we'll talk about that and share with you some insights that we've been dealing with, with any of our clients and some of the tactics that they've been taking under consideration. 

 

Brian Selfridge: [00:01:11] So before we do that, we'll just give a quick update on some of the sort of immediate impacts to the industry, particularly around things like the conference cancellations. We have the major HiMSS conference, of course, being canceled as of March 5th, just a couple of weeks ago. And they're looking to do a virtual something or other. But I know a lot of folks in the security field and others were planning to get down there and share insights. It remains to be seen how that's going to play out. But we also saw HCCA cancel their annual conference and the big compliance healthcare conference. And I expect any sort of major gatherings that are on the books for the coming four to six to eight weeks will likely be canceled as well, as folks look to sort of stay hunkered down and keep the spread of the Covid-19, Coronavirus under control. 

 

Brian Selfridge: [00:02:00] Some other updates that are happening. So we saw that the High Trust Alliance this week announced that they are changing the requirements for onsite assessments associated with their certifications and validated assessments, so they won't require those to be physically on sight, so we'll have some remote capabilities there. And I know for us, for Meditology Services, Corl Technologies, the companies that we represent also are doing remote consulting, remote work, remote security assessments. While some of that work still continues and needs to continue, a lot of that can be done remotely and methods for sharing information without being onsite are being put in place, appropriately so. And we've also been seeing a number of attacks that are taking advantage of the Coronavirus. News trending item, as we see with any major news item, there's always a set of bad guys, if not all the bad guys, sort of rallying behind that. So a big increase in phishing attempts, a big increase in attacks that are using the Coronavirus, either to get that sort of clickbait type of stuff going or other ways to produce malware. Krebs, on security, if you've ever seen Krebs, released an update, where the bad guys are sort of looking at an active map and maintaining a map of the outbreak, so they can send targeted malware attacks to those regions. It's pretty, pretty horrible stuff. But we all know that this happens, and we have got to make sure we're aware of it and keep everybody informed. 

 

Brian Selfridge: [00:03:36] So the organizations we've been working with have been keeping up some activities on the security side, in particular, to try to make sure we're ready for the remote access changes and some of these other things that are coming up. So I'll share some of those with you here. And hopefully, there are some takeaways that you can look at your own organization and see if these are considerations that you need to potentially take into account as well. So the first is, of course, around remote access, and make sure to assess your remote access capabilities. Do we have the ability to scale to a larger than typical workforce, remote access deployment, which may include organization-provided computers and machines and devices, or it may include exceptions for allowing individuals to use their own devices? Of course, in emergency situations, we have to relax some of the security controls that we've worked so hard to put in place over the years. And this is certainly one of those cases. So looking for opportunities where you may want to allow personal devices. From a VPN standpoint, I'm looking at, you know, potentially having multiple remote access methods. So some organizations would use Citrix or SSL VPNs, for example, or traditional client-based VPNs. But making sure you have a couple of different options is important and that users and the workforce members are aware of those and able to connect to them if they need to in a remote capacity. Also taking a look at licensing poor things like VPNs and Citrix and making sure that you do have the ability to scale up on those and getting some contingencies in place. And I would expect to see some of the large firms like Citrix and others waiving some of those interim licensing fees, allowing folks to get through this hurdle. But I think we'll keep an eye on that. And of course, you have got to worry about network bandwidth as well, make sure that the pipelines coming in and access to the electronic health records or other applications or business applications that may be in use are able to handle the volume of attempts that are coming in. So some targeted testing might be useful. In fact, we've seen some organizations doing some piloting promote work, where they're having sections of the workforce work remotely for a day and sort of rolling that out every day. So they're not sending everybody home all at once, but maybe sort of working through that in a more stage way, until it becomes a mandatory working situation, which may happen at any moment. But easing into it kind of helps work out some of the kinks before sending everybody home from an emergency standpoint. 

 

Brian Selfridge: [00:06:14] Now, when we do send everybody home, there's definitely a need to provide security checklists and awareness training for connectivity from home. So there's a lot of good guides out there. I won't go through everything that you need to consider, but things like how do you set up your personal environment to be appropriately secure, the home Wi-Fi, making sure there are passwords on there, and making sure individuals know how to sort of maintain the balance between work and home activity. That may be risky now that we have corporate devices and sensitive information on home networks. So stuff like that, there's a bunch to consider and there's a great checklist out there. Give me an e-mail or a ring if you want to talk through this, and I can get those to you. 

 

Brian Selfridge: [00:06:58] Also, making sure that the workforce gets tailored awareness training, not just about remote work in particular, but also around this whole series of attacks that are targeting the Coronavirus messaging and making sure they understand that social engineering attacks will happen. You may get phone calls; you may get fake emails. Just be really careful about those, as there's a lot of legitimate e-mails going around involving the Coronavirus, Covid-19, and recommendations just to be really careful that folks know that there's also some bad stuff floating around as well. 

 

Brian Selfridge: [00:07:33] Now another, I think, short-term effort that should be taken into consideration, if haven't already done this. We're seeing a lot of clients look at their workforce inventory and say, OK, are there different tiers of the workforce, different levels of the workforce that can work remotely? So particularly this might apply to healthcare providers or folks that have mission-critical personnel. So there maybe sort of an initial tier of employees that can work remotely anytime. So this might be I.T. administrators, people that work remotely all the time anyway, and that might be sort of an obvious categorization. Okay, you guys can work remotely. There might be a second tier, for example, of employees that don't usually work from home, but certainly can do so in a situation like this. So that may be administrative personnel, finance personnel, that type of thing, back-office staff, and any other sort of employees that can still get the job done over the P.C. and remotely in other ways. And then there may be yet other tiers or categorizations of employees that must come on site. So your healthcare providers, physical security personnel, things like that, that need to maintain a physical presence. So those certainly aren't the only tiers, the only categorizations, but if you haven't gone through and created a view of your workforce, understand how you're going to be able to roll out remote access to large quantities of the workforce, it's worth it to do that analysis. 

 

Brian Selfridge: [00:08:59] We also see some organizations doing remote access, technical assessments, and just reviews of their security capabilities, all the things that I mentioned earlier. But getting some help with some targeted pen testing, some targeted technical testing, just to sort of knock on the windows and doors a little bit, make sure that remote access is not always scalable but safe. And there are no major gotchas that could potentially expose the organization to security risks given a large-scale remote access deployment. 

 

Brian Selfridge: [00:09:32] We're also seeing a lot of healthcare providers ramp up their telehealth capabilities and take a look if they're able to determine if additional scaling of the telehealth capabilities is possible. There are billing considerations there, I.T. bandwidth considerations. There's processes and access control stuff. A lot of things that need to be taken into accounts. And, you know, many organizations have some telehealth capability, but it's a good time to take a look and see what would it take to scale that. Even if it's not possible to click our fingers and rollout telehealth in a big way right now, it's a really good time to figure out where the limitations are, so that if it becomes mission-critical, it will be a little easier to sort of act on a game plan associated with telehealth. 

 

Brian Selfridge: [00:10:21] From a policy and procedure standpoint, just for security compliance folks, making sure that the business continuity, disaster recovery plans, and policies are as tight as they can be. Call less action plans, especially anything related to disaster scenarios and outbreaks. If you don't have a policy specifically around outbreaks and pandemics, it's worth sort of scrambling to pull one together, there's a lot of great examples being shared around now, given that this is a shared common problem. So make sure to pool your resources, leverage your network, connect with folks like us and others that can help you get in touch with other organizations that can help you accelerate some of that work.  

 

Brian Selfridge: [00:11:00] Also reconsider any disaster recovery scenarios that might be relying on things like the purchase of I.T. equipment or hardware from parts of the world that may be experiencing workforce and production constraints from the outbreak. So, for example, China has a pretty substantial lockdown situation and may not be able to produce the sort of levels of on-demand I.T. equipment that you may consider needing in a disaster scenario. Okay, we're going to order a bunch more laptops or servers or we're going to sort of ramp things up. But you may not be able to order that, or even if those organizations are still functioning and those service providers are still functioning, the demand is really high from everybody essentially having the same great idea at once. So just make sure there are not any gotchas there and that you have a plan B and Plan C if the equipment is part of the equation or other reliance on third parties and other parts of the world. 

 

Brian Selfridge: [00:11:55] And then take a look at your incident response procedures, particularly around remote support, you know, end-user gets malware, for example. So let's say there's successful phishing attempts or a successful fake email that has a malware payload related to the Coronavirus or just a traditional attack. That may infect your remote worker's PC. Typically, you know, if that was somebody in your organization, you'd send the I.T. team down, you'd swap out the machine, you'd reload it, you'd do some remediate. It's a little easier. But if everybody's remote, now you've got an infected machine on a home network out of reach. So looking at instant response processes and make sure you have a game plan for how you're going to get equipment swapped out, or whether you have people come in to do I.T. support staff. Even if they're not, you know, mass gathering, you may still want to allow people to come in for those circumstances and think through that. And then so for those that have to be in the office and will continue to be in office, there's the sort of obvious stuff around making sure that workstations and desktops are wiped down, and you sort of go into an aggressive mode around cleaning, hand washing, all that stuff. I think you're all getting that from the sort of health of all this and CDC recommendations. But just remember, don't forget about the equipment, in addition to all these other things that we need to do on the back end to make all this work. So a lot more changes coming. And I'm sure I'm not going to be able to keep up to date with the situation as it unfolds day to day. But hopefully, some of these themes are things that you can take back to your teams, take back to your leadership, start putting some plans around and make some changes. 

 

Brian Selfridge: [00:13:39] So for that, we'll close out for now, as this has been a short update, but important, a special one for you of our CyberPHIx healthcare security roundup. Hopefully, this has been informative, and we'd love to hear from you if you have any other ideas that we haven't covered here. Just reach out to us at CyberPHIx, [email protected]. And we will keep you updated as the weeks come with our blogs, white papers, podcasts on our Resource Center on Meditologyservices.com. So stay tuned, and we'll check in with you again as soon as this thing unfolds. Stay safe. Wash your hands.