Key Needs for a Resilient Healthcare Information Security Program

August 26, 2020 - The Office of Civil Rights recently shared ways an IT asset inventory can create a more effective risk analysis to close information security gaps and support HIPAA compliance. Given the sophistication of the current threat landscape, these functions will prove crucial in supporting an overall resilient healthcare information security program. 

While cybersecurity awareness has drastically improved across the healthcare sector, Impact Advisor’s Shefali Mookencherry, Principal Advisor and Solution Leader of Information Security, Privacy, and Disaster Recovery, explained that has not translated into a more secure infrastructure. 

Currently, there are far too many cybersecurity considerations when it comes to making a more secure healthcare system, as internal users continue to be one of the biggest risks to the healthcare system and hackers are increasingly improving the sophistication of their phishing campaigns, she added. And those threats have rapidly increased amid the COVID-19 pandemic. 

In the last week alone, reports from security researchers, the FBI, the Department of Homeland Security, and others have warned of new phishing campaigns, targeted vishing attacks, and even brute-force peer-to-peer botnets targeting the SSH servers of medical centers. 

"Organizations fail to follow up on additional remediation after cybersecurity awareness and training has been completed,” Mookencherry said. “In other words, most organizations will provide cybersecurity awareness and training but the data that they collect from the training should be analyzed for compliance and further education.” 

READ MORE: COVID-19 Impact on Ransomware, Threats, Healthcare Cybersecurity

“As an example, if an organization uses an automated learning management system (LMS) for HIPAA education, then within that LMS, the organization should investigate the number of users or employees that have taken that training and compare it to the number of incidents that have occurred in the organization,” she added. 

To Mookencherry, this correlation can reveal gaps between cybersecurity awareness and employee security training, such as an employee who has not prioritized awareness training, only to later fall victim to a phishing campaign. On the other hand, organizations may even find that training increases incident reporting.  

Key performance indicators are crucial to supporting organizations with further remediation efforts. 

Key Information Security Program Elements

Mookencherry stressed that organizations must first choose a cybersecurity framework, from which they can base the key elements of their information security program. This can include NIST, HITRUST, and others. 

HHS also provided a five-volume set of cybersecurity components that can help covered entities build a more secure information security program in 2018. 

READ MORE: COVID-19 Cybersecurity: Building Resilience Beyond the Crisis

These security frameworks contain basic components able to define, address, implement, and enforce security program elements to bolster an overall enterprise cybersecurity posture both in the short term and long run. 

Those elements should include: 

• Assessment of cybersecurity financials by looking at capital and operating expenses and reviewing the cybersecurity insurance policies 
• Assessment of program components, which may include review of security policies, procedures, operational workflows, security staffing plan, communication plan, governance structure, staff interviews and technical reviews. 
• Risk management process 
• Risk analysis/Assessment process 
• Configuration management 
• Vulnerability management 
• Access management 
• Asset management 
• Audit logging and monitoring 
• Incident management and response 
• Disaster recovery and business continuity 
• Network protection 
• Endpoint protection and detection 
• Data protection tools/technology 
• Third-party assurance 
• Password management 
• Wireless protection and detection 
• Transmission protection 
• Mobile device management 
• Physical and environmental security 
• Education, training and awareness

In addition, employees will be crucial to improving an organization’s cybersecurity posture. Unfortunately, most the security department in most organizations functions with minimal employees, Mookencherry explained. There’s an overall shortage of security professionals across all sectors. 

As employees remain one of the biggest risks to an organization’s information security program, administrators will need to employ ongoing and evolving education for employees or they won’t be able to keep pace with the latest security trends and risks, Mookencherry explained. 

“It is critical for organizations to consider hiring or designating a chief information security officer,” Mookencherry said. “Many organizations focus primarily on hiring security specialists to work on threat detection and protection. The role of the CISO allows organizations to drive security through all of its business.”  

READ MORE: 3 Key Ways to Bolster Healthcare Cybersecurity with MFA, Training

“Much of a CISO's job involves management and advocating for security within organizational leadership,” she concluded. “Also, the CISO keeps up to date on regulations and other initiatives throughout the organization so the security maturity levels can be assessed, and security posture improved.” 

COVID-19 Amplifies Vulnerabilities

In 2019, ransomware attacks on the healthcare sector doubled from the previous year, as brute-force attacks on the Remote Desktop Protocol (RDP) and SMB steadily increased throughout the year. And while providers were working to respond to these threats, COVID-19 was deemed a national emergency and the sector scrambled to employ new technologies to support remote care. 

Further, the Department of Health and Human Services waived some HIPAA liabilities for telehealth to expand the tech needed to support patient care at home. These new technologies were coupled with hackers seeking to take advantage of this newly remote landscape, which led to providers fending off cyberattacks while responding to the crisis. 

For Mookencherry, the sector's greatest vulnerabilities amid the pandemic are tied to telehealth and teleworking best practices.  

“Healthcare organizations have spent the last several months scrambling to deploy new systems to manage the security risks surrounding remote working. And with working remotely becoming much more prevalent, it seems there's still plenty of work to do,” Mookencherry explained. 

“Healthcare activities that were once conducted in protected onsite organization environments, and monitored under specific policies, have quickly transitioned to new, and potentially less secure locations,” she added. “Technical staff now have heavier workloads due to users' remote-working problems, including problems related to home-based work.” 

Simultaneously, hackers are sending a spate of malicious email campaigns, as remote healthcare staff engage in risky and potentially non-HIPAA-compliant behavior, cutting corners when it comes to security to either get the job done or “because it was easier to get away with taking shortcuts when working offsite.”

“Effective and secure telehealth requires knowledge about the platforms themselves and why, when, and how to send out credentials for everything from video consultations to remote patient monitoring.”

As noted previously by security researchers, the HHS telehealth expansion brought its own risks to both protecting massive amounts of patient data and ensuring the security of the connection between the provider and patient, she explained. 

Providers are also still attempting to determine which teleconferencing solution is most secure for their needed use. For example, the HHS waiver allowed providers to use a host of platforms not previously compliant under HIPAA, such as Zoom. However, the platform itself posed a host of security risks, including a lack of end-to-end encryption. 

“Telehealth solutions create thousands of new access points,” she said. “Both staff and patients are using apps across phones, tablets and desktops. With telehealth, the volume of data immensely increases, which likewise expands the potential exposure to a breach.” 

“All of this data requires strong protections, and this begins with limiting access to the absolute minimum number of people necessary,” Mookencherry added. "Vendors and providers must consider safeguards at every step of the data lifecycle, from creation and storage to transmission and access. This requires both secure application development and network cybersecurity tools like VPNs, firewalls, and secured wide area networks.” 

Needed Cybersecurity Focus

COVID-19 cybersecurity risks have not negated previous cybersecurity concerns. Instead, providers must be concentrating their efforts on closing as many gaps as possible. Because however fast the sector moves the needle on security, hackers are working at a far greater pace to breach those vulnerabilities. 

Namely, the expansion of telehealth has spurred the need for a more effective cybersecurity training and education program to help those with previous limited experience with these technologies get a grasp on potential risks and to support secure communication between providers and patients, Mookencherry explained. 

“Effective and secure telehealth requires knowledge about the platforms themselves and why, when, and how to send out credentials for everything from video consultations to remote patient monitoring,” she explained. 

“Since patients are now also players in their data privacy, they need to be educated about cyber-hygiene best practices and how to keep their data safe as they connect from home Wi-Fi networks,” she continued. "Telehealth service providers should create patient/provider education programs and apply security hardening techniques. Security fundamentals like strong access authentication, multi-factor authentication, permissions management, and end-to-end encryption, are all must-haves for telehealth.”