Four Tasks that Might Save You from Cybersecurity Landmines In The “New-Normal”

The optimist in me wanted to believe the stories I read a few weeks ago: several hacker organizations had pledged to lay off healthcare after the pandemic started, but the pessimist cyber-guy in me was extremely doubtful, it turned out, for good reason.

When I look at the Health & Human Services “Wall of Shame” – it’s pretty easy to see why the pessimist-me was right. If you draw the line on or about March 15th, there’s been a LOT of new additions to the wall under the category of “Hacking/IT Incident”.

Conversations with CISOs at health systems tell me the same thing – they’re being pounded right now. The bad guys have some amazing scams associated with COVID. Thankfully cyber leaders are working hard to hold the fort.

But I do worry about what’s next given what’s just happened. The COVID-19 emergency caused us to change business/clinical practices almost over-night.  We rolled out work-from-home (WFH) for employees, drove exponential increases in telehealth visits, and urgently acquired and installed (sometimes non-standard) equipment (including IoT/IoMT or other gear not following normal procurement processes). We extended capacity by quickly on-boarding previously retired clinicians, and temporary employees; added new locations for drive-thru testing, and connected to new suppliers in an effort to shore up the supply chain.

We did a lot a hurry. Which means we might have bypassed some of our best-practices for cyber hygiene in the name of mission support. And we did it with the best intentions – telling ourselves we’d go back and clean up the cyber issues later.

But what happens if later never comes?

Every discussion I’ve had with healthcare execs in the past 45 days suggests telehealth, WFH, and connections to new suppliers (including staffing, supply chain, and business/clinical relationships) will continue into the future. Healthcare operations may very well have a “new-normal”.

During this emergency, we laid a few landmines for ourselves. With hacker dwell-time – the time the bad guys are in the network before they’re discovered — being measure in months, I wonder how many cyber-thugs may have already breached our networks/applications via well-written phishing emails; or via one of the new third-parties we’ve rushed through the security-vetting process.

Are those hackers quietly exploring for our network’s data-crown-jewels, flying under the radar? It’s nice to imagine they’re “ethical” enough to hold off on springing ransomware in the heat of the pandemic. But even if they are, we know from experience their ethics will eventually give way to greed.

And if many of the new clinical/business practices we fielded during crisis are the new-normal for healthcare, then we’ve definitely increased our level of cybersecurity risk. Here’s at least a few things I think health systems should be doing right now:

  • Put your Security Operations Center (SOC) into overdrive. Make sure you’re on top of the team’s monitoring and detection efforts. If you assume you’ve been breached all the time, you create a culture that’s driven to detect and respond quickly to attacks, limiting the damage, and quickly returning operations to normal.  If you don’t have a SOC monitoring your network 24/7/365 – find a vendor partner immediately who can fill this gap. Part-time, internal best-efforts are admirable, but sometimes give organizations a false sense of protection.
  • Practice good cyber-hygiene. If you had a good cybersecurity program in place prior to the pandemic emergency but got a bit sidetracked in the heat of the battle, return to your governance and risk rules for equipment/staff/vendors/applications ASAP. Sure, it feels like red tape (you should constantly work to improve throughput on your cyber processes), but security and privacy discipline lowers your risk for a cyber incident. If you absolutely have to shortcut processes, be sure to record all non-compliant activities in detail, then remediate them.
  • Add a project manager (PM) to the security team. Most health systems have paused major projects, and those now idle PMs are great additions to a security team already juggling more than their fair share of work. PMs can serve as “air traffic control,” tracking variances (those “shortcuts” you may have taken in an emergency) and nagging the team to stay focused on remediation. They are also great at working with business/clinical partners routinely, driving user education, reviewing new requests, and even acting as administrators for some applications. They are, at their core, PROCESS people who understand discipline, and that’s a trait we’ll need more than ever in the new-normal.
  • Communicate, communicate, communicate.
    • Continue to take the opportunity to coach and teach end-users about dealing with the tidal wave of very tempting phishing emails they see daily.
    • Help your remote teammates with work-from-home best practices including changing network passwords, not using personal computing equipment for work activities, and making sure all software is updated and patched.
    • Make sure you have double-check processes in place in the CFO and Treasurer’s office (actually anyone dealing with financial information) when account transfers of any kind are requested.
    • Do a daily huddle with IT Leadership, Cybersecurity team, Clinical Engineering, and Facilities. Everything is a computer now, and everything is tied to the network: buildings, testing-tents, ventilators, electronic health records – even the badge reader that opens the office door.  Don’t let any of your teammates unintentionally plant a security landmine.
    • And just in case, get phone numbers of law-enforcement and FBI cyber contacts now. Build those relationships before you need them.

Bottom line: With many healthcare organizations running on razor-thin margins, and burning through their available days-cash-on-hand, the last thing we need is any sort of cyber disruption.

The “good old days” are long-gone and “new-normal” will require more cybersecurity vigilance than ever before.

About Drex DeFord

Drex is CI Security’s Chief Healthcare Strategist, and President of Drexio Innovation Network.  He has a long career as a healthcare executive, serving at Steward Healthcare, Seattle Children’s Health System and Research Institute, and Scripps Health in San Diego.  Prior to that, he spent 20 years in the US Air Force, where he served as a regional CIO, a medical center CIO, and Chief Technology Officer for the USAF Health System’s World-Wide Operations.

A Past-Chair of both the College of Healthcare Information Management Executives (CHIME) and the CHIME Foundation, Drex has also held state HIMSS leadership positions in both Virginia and Washington, and served on the HIMSS National Board. He’s also a Fellow in the American College of Healthcare Executives, CHIME, and HIMSS.

As a Recovering-CIO, Drex spends most of his time bringing together trusted health systems, payers, associations, vendors, and investors to solve healthcare’s toughest problems as President of his own healthcare consulting practice, Drexio Innovation Network (Drexio, LLC).