H-ISAC, the Ormond Beach, Florida-based Health Information Sharing and Analysis Center, “a trusted community of critical infrastructure owners and operators within the Health Care and Public Health sector,” has been as busy as ever lately, with the complex security challenges arising out of the COVID-19 pandemic. That is particularly so given that the vast majority of patient care organizations in the U.S. have had to very rapidly shift as much patient care delivery to remote connections, even before being able to fully securitize their telehealth-based operations.
Recently, Steve Hunter, H-ISAC’s vice president of marketing, spoke with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the swirl of intensified activities in which the folks at H-ISAC have been involved, with their members. Below are excerpts from that interview.
What’s going on right now with the COVID-19 pandemic, related to cybersecurity and data and IT security, and how do all of you at H-ISAC see the current situation? The vast majority of patient care organizations, in the past two months, have shifted so much patient care delivery and other operations so quickly to remote operations, that they’re only now beginning to look at securitizing everything.
I am not a technical person, to be clear. But I’ve been here six years, and have seen various threats emerge. Not-Petya, in the summer of 2017, was the biggest threat until now. We do keep statistics on our level of amber list participation—let’s just call it a blog—where members identify threats and quickly and collaboratively share mitigation defenses.
Month to month, we have not seen this high a level since three years ago, and the level of participation tells you that this is unprecedented; nobody was ready for this. All of a sudden, your ER admitting staff is working remote, checking people in.
So among the things we’re dealing with: telemedicine, telehealth, tele-wellness—you have patients who need care. I have a 99-year-old mother-in-law living with us. And yesterday, she was on a wellness check via Zoom, with one of her physicians, just asking her basic questions, and with my wife sitting there. And that was just done through Zoom. We weren’t using any particular security for that.
And so for our members, it’s forced them to develop unique SOPs, standard operating procedures, and it’s very difficult to do that on the fly. One of the issues that came up—physicians are in a unique position—they’re not security professionals, they’re obviously healers. And very quickly, they were defaulting to Face-Timing on their iPhones. And we had a big discussion on our amber list that Apple is not a covered entity under HIPAA. So what do you do?
What are your members saying they’re going to need to do in the next several months?
One huge issue is a spike in phishing emails. Everyone thinks that a phishing email is only intended to take you to Nigeria to the lottery. That’s not what it’s about; you click on a link and the dark web can spoof your credentials. One was a supposed help desk for clinicians to seek additional PPE. And if you go there, they’ve taken your credentials. It’s so sick.
So identity is one thing; and also, trying to get to a situation where they’re operating securely with emails, and with DMARC [the Domain-based Message Authentication, Reporting & Conformance email authentication, policy, and reporting protocol]. And DMARC was just public knowledge.
What are you trying to alert healthcare security professionals to be doing right now?
I just think the easiest thing is to find other peers who are working on this. And you’ve talked to Errol Weiss, Sara Hall, and Salwa Rafee. We’ve increased our ability to help our members with additional analytics and expertise. At the end of the day, our members are the experts. And they’re coming to us and asking whether we can host a webinar weekly, and we’ll talk about it as a team. So we’ve created a happy-hour COVID-19 challenge weekly, and more than 300 join us every Friday. Errol tries to pick a hospital CISO, an insurance company, a medical device manufacturer, and a pharmaceutical representative, for his panels. And these are all issues that affect everybody, not just the hospitals. There’s a ripple effect throughout the healthcare operating environment.
What will your organization be doing around all of this, in the next year?
We’ll probably be developing working groups; we already have 26 working groups just for normal healthcare; but I imagine we’ll spin off two or three more. We just created a whitepaper around identity, prior to this. And it tends to be member-driven; it’s the members who populate the working groups. And in the next year or two, it will affect our ability to have the members meet physically, and it’s pushing us to virtual summits, well beyond the typical webinar. People are thirsty for information, and they can’t fly, so they’ll meet virtually. And the small silver lining in this—my prime function is helping to keep building our membership roster. And the increased attacks across healthcare and elsewhere—we’ve discovered that the supply chain is so important, and the risks associated with a spotty or insecure supply chain are high. And we as an organization are perfectly positioned to build off those needs in the marketplace.
H-ISAC continues to be a valued partner in our Healthcare Innovation Summits, including in our Cybersecurity Forums. For more information on our events, please consult this page.