Critical VPN Security for Telehealth, Remote Access Amid COVID-19

April 10, 2020 - The week COVID-19 was declared a national emergency, several media outlets reported some hacking groups vowed to stop targeting the healthcare sector during the pandemic. At the same time, the majority of businesses shifted employees into more remote work, as the Office for Civil Rights expanded its definition for acceptable telehealth tech during the crisis.

In the past month, there have been numerous reports of ransomware attacks, an increase in phishing campaigns tied to COVID-19, and repeated alerts of targeted attacks on healthcare providers. The FBI also warned the pandemic has sparked an increase in attempted hijacking attacks on Zoom and other videoconferencing platforms.

Enter Virtual Private Networks (VPNs): typically used in healthcare for secure remote access to internal networks, as well as providing secure, remote data sharing. While considered to be a secure access point, not all VPNs are created equal. There are also well-known vulnerabilities in some of the most popular platforms that thousands of organizations have failed to patch.

To get a better sense of VPN security and what providers need to ensure when employing telehealth on non-HIPAA compliant platforms, HealthITSecurity.com invited CynergisTek’s CEO and President Caleb Barlow for a conversation around remote access, telehealth, and all things VPN security on our recent Healthcare Strategies podcast.

“If I can give chief information security officers out there a little bit of homework to do over the next couple of days, is to really spend some time understanding how your VPN is connected,” Barlow said. “And make sure it's configured right because you have to remember many of the institutions that are now about to use a VPN probably weren't using one, at least not at this kind of scale in the past.”

VPNs are seen as a secure access point, but providers shouldn’t be lulled into a false sense of security. While providers may lean on other technologies to support the extra traffic increases, healthcare organizations also need to consider access security, such as multi-factor authentication.

For example, only implementing a user ID and password for logging into a VPN is not enough. It's easy to find nearly any user's prior credentials from past breaches, which is problematic given many individuals reuse credentials across their accounts, Barlow explained.

But for Barlow, when considering remote security, technologists need to understand where the VPN terminates based on the two predominant types of VPNs on the market: the cloud and point-to-point VPN.

“You know all of the data you're going to enter from your laptop, through your home WiFi, or WiFi at a coffee shop, or wherever you happen to be working,” Barlow said. “All of that is going to be encrypted traffic so that a man in the middle can't intercept it.”

“But now once that traffic terminates, in that VPN cloud, it then opens up and is open out on the internet, like any other traffic,” he added. “If most of your traffic terminates in the cloud somewhere, your predominant issue is securing that last mile of connectivity into the home.”

IT and security teams should be prepared for a continued stream of attacks during the pandemic. Not only can the sector expected the normal amount of organized crime, but also nation states will increasingly leverage ransomware to get around current sanctions.

Further, if providers are banking on fewer hacking attempts to protect their infrastructure, Barlow explained it’s “a prayer, not a plan.”

“What we really need to be doing is putting in place robust plans, deploying infrastructure to lock this stuff down and protect it, while allowing our providers to continue treating patients,” Barlow said.

That should include crisis planning, including everything from communications to how they handle a breach. For example, the average ransomware victim faces up to 10 days of downtime, which during a pandemic, could spell disaster.