Strategies for Hospitals to Stay ‘Cybersafe’ During a Pandemic
Health systems and hospitals are not immune to the threat of hackers during the COVID-19 pandemic.
- During a pandemic, it’s more important than ever for hospitals to make sure their networks are secure to ensure patient safety.
- Risk assessment and risk analysis are key to keeping hospitals and health systems cyber secure, says one cybersecurity expert.
A cyberattack on the U.S. Department of Health and Human Services (HHS) earlier this month could serve as a wake-up call to health system and hospital leaders that no organization is immune to the threat of computer hackers, even during a pandemic like COVID-19. Cyberattacks can affect critical aspects of health systems and hospitals that are dependent on an organization’s computer network, such as access to patient data and electronic health records.
It seems that increased cybersecurity is more important than ever at hospitals and health systems, as “the number of malicious reports related to Coronavirus has increased” more than 475% so far in the month of March, as compared to February, with healthcare being among the most targeted sectors, according to Bitdefender.
HealthLeaders spoke with Jorge Rey, chief information security officer and cybersecurity and compliance principal for Kaufman Rossin, about strategies he suggests hospitals should follow to ensure that they stay “cybersafe” during a pandemic. Rey heads the cybersecurity consultant division, which includes cybersecurity training, cybersecurity risk assessment, and HIPAA compliance for healthcare providers and business associates.
This transcript has been edited for clarity and brevity.
HealthLeaders: Due to the COVID-19 pandemic, do health systems and hospitals have to be more vigilant than ever in keeping their networks safe?
Jorge Rey: The answer’s yes. We definitely have seen an increase of phishing-related scams as related to the coronavirus, and they’ve been targeted at the health systems. In the past two to three weeks, there’s been a spike in these types of attacks.
HL: What steps can healthcare executives take to ensure their organizations’ networks are secure during a pandemic?
Rey: Ultimately, your best channel is to improve your communication and make sure that people are fully aware of what the risks are and the best practices to follow. Following the [policies] that have been designed and implemented is key in making sure that our hospitals are not taking shortcuts without recognizing the risks that that brings.
HL: What general guidelines can hospitals and health systems follow to stay safe and strengthen their cyber health during a pandemic?
Rey: Ultimately, I think it goes on a case-by-case basis. Right now, a lot of companies, including hospitals, [are] faced with specific challenges just because of the nature of the situation.
We’re all under what’s called a disaster recovery situation. A lot of companies are doing a business continuity plan, meaning working remotely. And so, by doing that, we create a little bit of a different risk landscape for the hospitals.
Ideally, what all hospitals should be doing from a security perspective is reviewing the risk assessment and validating whether working remotely or telecommuting would increase their risk and make sure that they have the current security in place. [They should] make sure that can be managed going forward.
HL: What is the biggest risk? Do you think working remotely or utilizing telehealth services are creating a higher cybersecurity risk? If hospitals are running on outdated software, does that increase risk?
Rey: I do believe that with the current coronavirus situation [there’s] increased risk and there are different reasons why that is.
One, you have targeted phishing scams trying to get people to do something using the coronavirus as your trigger. You have changed your existing operations to be working remotely so, by design, that is changing the risk.
I don’t think that having older software increases the risk, as long as that has been identified in a prior risk assessment, and the hospitals have identified complementary controls. Sometimes, in these situations, we have system limitations that don’t allow us to upgrade to better software or more updated software. But that doesn’t mean that the system by design is more insecure. We just need to make sure that it’s been assessed and secured accordingly. Like, for example, with a firewall.
I do agree that the current situation has changed the risk and it has changed the threat landscape. If before you were not working remotely and you [are now], do you have access to print personal health information from your house, and do you have the proper methods to destroy that information? Is the computer you’re using to connect to the hospital network secure?
HL: Do you have anything else you’d like to add?
Rey: At the end of the day, we’re in a challenging situation, and we just need to make sure that we adapt to that situation. If hospitals have not done risk assessment [and] risk analysis, I think they’re creating risk for themselves.
We don’t know when this [pandemic] is going to end, but we all know that it’s going to end. So hopefully when that happens, there are some lessons learned from it that actually can be incorporated into their security culture going forward.
“… What all hospitals should be doing from a security perspective is reviewing the risk assessment.”
—Jorge Rey, Chief Information Security Officer, Cybersecurity and Compliance Principal, Kaufman Rossin
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.