The Show Must Go On | Maintaining Continuity for InfoSec in a Crisis
Published On April 16, 2020
Blog Post by Brian Selfridge, Partner at Meditology Services
Take a deep breath, this is not your typical COVID-19 blog entry. We are going to talk about everything else we need to manage in Information Security during the crisis to keep the wheels on the bus as we make sharp turns at high speeds in response to the pandemic.
Healthcare Information Security, risk management, and compliance teams have been appropriately redirected in the early stages of the pandemic to support an “all-hands-on-deck” model for getting remote work scaled up, telehealth rolled out, and much more. However, the bad guys are not letting up their attacks and patients, customers, and partners still expect security programs to be operating effectively to protect their sensitive information. Regulators are offering some targeted laxity in the near term but not going away altogether.
This blog entry provides recommendations for maintaining continuity of Information Security and risk management programs for healthcare entities during a crisis.
Leverage Your Managed Services
Managed security services providers are designed to operate in remote capacities and large-scale ecosystems. The COVID-19 situation has not impacted their operations nearly as much as it has those of brick-and-mortar businesses, including healthcare providers and payers.
Many managed services organizations are experiencing temporary reductions in demand from healthcare customers that have been diverted to address the crisis. At the same time, some managed services companies are retaining FTEs and headcount with the help of small business loans from the federal government stimulus package. This means that some managed services firms may have a temporary increase in bandwidth and bench strength that you can use to your advantage in the coming months.
Vendor security and third-party risk management programs, for example, typically have a substantive backlog of vendors and applications that require assessment. If you leverage a vendor security risk managed services capability like Meditology’s sister company CORL Technologies, now is a good time to put those assessors to work to catch up on vendor assessments. Vendors are working remotely and have been responsive to audits during the crisis.
In addition to your planned third party risk assessment workload, it may also be a good idea to evaluate top-tier vendors for business continuity, remote access controls, and other risks that may have been introduced as a result of changes to operations caused by COVID-19. Vendor security managed services firms can also help to quickly evaluate telehealth platforms and applications that were fast-tracked for implementation.
Cyber attackers are taking advantage of the crisis and sparking an uptick in ransomware, phishing, malware, social engineering, and other attacks. Stay close with your security operations and network monitoring (SOC/NOC) managed services providers to make sure they are paying close attention to your organization’s attack surface and advising you of emerging trends that you can use to educate your workforce.
Don’t Lose Sight of Enterprise Risk Assessments
The Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) has relaxed some HIPAA requirements related to telehealth and sharing of COVID-related patient information for public health purposes. However, the OCR has yet to issue any relaxations of core HIPAA requirements including the HIPAA Security Rule requirement to conduct routine risk analysis (i.e. an enterprise security risk analysis). Healthcare organizations are also still expected to implement and track remediation of assessment findings from prior years.
Approaching the OCR with “the COVID ate my homework” excuses is not likely to carry weight later into 2020 and 2021 when enforcement resumes. Make sure to keep close tabs on critical- and high-risk findings from prior enterprise risk assessments and chip away at remediation where possible before the year gets away from you.
Security risk assessments are required for much more than HIPAA compliance. A fundamental tenet of risk analysis is to routinely and actively review any major changes to the organization that could introduce security exposures to breaches or other adverse cyber events.
The COVID-19 situation is introducing transformational changes in the way healthcare is delivered and supported through remote and telehealth capabilities. Many healthcare entities are also permitting large-scale exceptions to standard security policies including password resets, remote access, access reviews, and more. This combination of factors is likely to introduce new risks that your team needs to have on their radar to balance remediation investments against the laundry list of prior risks identified through risk analysis processes.
Look to leverage third parties to conduct your 2020 enterprise security risk analysis and be open to creative ways to conduct assessments without a physical onsite presence. The vast majority of enterprise risk analysis processes can be conducted remotely.
Sharpen Your Incident Response Capabilities
As mentioned earlier, the bad guys are not taking their foot off the gas pedal during the crisis. Do you have a good handle on how well your organization would handle a ransomware event in the coming months now that much of the workforce is diverted to COVID-related support? A short Incident Response Tabletop exercise could be worth its weight in gold for lessons in preparation for the inevitable cyber attacks that are facing healthcare entities for the remainder of the year.
Invest in Your Team
The cybersecurity and compliance talent market has been red hot and caused record turnover for information security teams in recent years. COVID-19 has created a temporary increase in retention and a turnover hiatus that may be beneficial in the short term but could create major headaches in coming months if the shelter-in-place quarantine requirements subside. The increased stress of quarantine, remote work, and high change cycles means that your team members could reach breaking points later in the year that may lead to increased turnover if not proactively managed.
Provide forums, support, activities, and educational resources to help your team manage stress and their well-being during the crisis. Identify avenues to listen to concerns from the team and be transparent about issues and changes you are grappling with during this difficult time. The investments you make now in your team will help them manage through the crisis and position them to stay focused and productive when adjusting back to more traditional work cycles in the months to come.
Mind the Certifications
Your business partners and customers expect you to maintain the safety and security of their sensitive information and systems; a crisis is no exception. SOC 2 and HITRUST certifications and attestations require annual maintenance and remediation and should remain front of mind as a priority in the coming months. Contractual requirements for security certifications remain in place and could put critical business relationships at risk if not maintained.
Get Strategic Support
Getting temporary strategic support from external resources can be a lifesaver if your teams are caught up in tactical COVID-related tasks or other priorities. Staff augmentation support and temporary contractors can help move remediation and other security program initiatives forward to allow your team to focus on firefighting in the near term.
Look for initiatives that can be moved forward without interfacing with overburdened resources like IT and networking teams. Projects such as cloud security program buildouts and vendor security risk assessments, for example, are well-suited to remote work scenarios.
The show must go on for information security, risk, and compliance programs during crisis periods. The war on COVID-19 is being fought on many fronts, but we must also be sure to maintain the battle on the risk management home front to protect the business from both traditional and emerging threats.
Leveraging managed services and staff augmentation support, maintaining risk assessment and certification progress, sharpening incident response capabilities, and investing in the team will be essential to protecting healthcare organizations for both the short and long term.
For a high-level overview of this blog post, take a look at our infographic, The Show Must Go On: Maintaining Continuity for Infosec in a Crisis, which summarizes the priority areas to keep in focus for continuity of your infosec program during this crisis.