By Scott Dresen, SVP & CISO, Spectrum Health
The COVID-19 pandemic changed health care dramatically almost overnight. Across the country, those health care systems hit hard early were in crisis mode, trying to manage the overwhelming influx of patients. Those not yet impacted watched with morbid anticipation of the potential impact they might realize as the pandemic spread towards them. All health care systems have made difficult decisions about which services to continue delivering versus those that need to be suspended in order to reallocate resources towards COVID-19 preparation and response. The downstream financial impact of these changes has been significant and has created an existential threat to many systems already faced with razor-thin margins. Increased pressure to protect existing revenue streams, restart suspended services and reduce unnecessary expenses amplified the focus on revenue cycle processes to ensure their stability and reliability. In addition to these risks, the transition of revenue cycle teams to a largely remote workforce has introduced a new set of cybersecurity-related risks that must be managed carefully to ensure the continuity of business operations.
Cyber attackers are looking to take advantage of the opportunity to prey on health care systems while our attention is diverted toward responding to this crisis. The need to be vigilant has never been more important. Those organizations that take the necessary measures to protect themselves will significantly reduce the likelihood of a successful attack.
Amongst all the competing priorities, five key areas of focus should be emphasized:
- Establish Clear Expectations of a Remote Workforce. The rapid transition to a remote workforce resulted in many organizations not being prepared with remote work policies and guidance for their new remote workforce. Setting clear expectations quickly with staff is essential. It’s critical to ensure that everyone understands their responsibility to conduct their work safely and securely given the sensitive nature of the systems and data they use.
- Security Technical Controls and Protections. The consequences of poor security controls for remote workers can have a significant impact. How an organization approaches security controls and device protection will depend on whether the remote workers use corporate-owned devices to conduct their work or use personally-owned devices. In either case, it’s essential that all devices connecting to your organization are patched appropriately, have current versions of anti-malware/anti-virus software installed with recent signature updates, are using a VPN to connect to your organization, and perhaps most importantly, require the use of multi-factor authentication to access organizational systems and data remotely. Also, consider the benefit of additional email protection services, which can enhance the ability to detect and prevent malicious email from being successfully delivered.
- Cyber Training and Awareness. Employees are often your first and last line of defense. Cybercriminals, like water, usually follow the path of least resistance, which is often your employees. To reduce the likelihood of this path being exploited, cybersecurity training and awareness of your employees can be one of the most effective ways to mitigate this risk. Phishing and other social engineering tactics are often the most frequently used mechanisms to compromise an organization. Why? Because they work. Consider increasing the amount and level of difficulty of phishing tests to provide employees with an improved ability to differentiate legitimate emails from a phishing message. Leverage cloud-based solutions to complement your email systems’ ability to proactively detect and address email-borne threats targeted at your users. There is a strong correlation between the quality and quantity of education and awareness with the ability to successfully detect attempts to compromise an organization using these types of social engineering tactics.
- Incident Response Preparedness. As the saying goes, you have either already been breached or you will be breached. The key to this likely inevitability is preparation for how you’ll respond. Hardening your incident response preparedness will force you to evaluate your security posture and identify weaknesses in your defenses that you need to harden. Organizations with mature incident response processes understand the layers of defense that protect them, how to monitor each layer for indicators of compromise, which might require action to investigate and respond, and how to test each layer to find weaknesses that could be exploited. Any opportunity to harden your environment will reduce the likelihood of a successful compromise by a cyber attacker.
- Workforce Management. As previously stated, your employees are often both your first and last line of defense. The health and well-being of your workforce can be a key differentiator leading to improved productivity, highly engaged employees, customer value, and mitigation of risk. The opposite can also be true. Stress, a non-productive working environment, distractions, and cultural erosion due to being disconnected can lead to lower productivity, a disengaged workforce, inefficiency, complacency, and increased risk. A remote workstyle requires different thinking about employee engagement, maintaining connectedness with peers and leadership, the physical impacts of increased screen time, as well as emotional health and wellness needs. Managed well, the benefits of a highly engaged workforce will contribute towards a reduction of cyber risk and a higher likelihood that staff will detect attempts to compromise the organization as a result of phishing or other attempted social engineering tactics. A happy, healthy workforce is a productive, more secure workforce.
Cyber attackers are looking to take advantage of the opportunity to prey on health care systems while our attention is diverted toward responding to this crisis.
The world is continuing to change around us and our ability to adapt and flex with these changes is increasingly important. The lessons we’re learning as we transition to a more remote workstyle are important because when we finally emerge from this current pandemic crisis, we will find the new normal will be far different from life pre-COVID. If fortune favors the prepared, how will you guide your organization through these emerging challenges to be best prepared for the future?