As the leaders of hospitals and health systems have had to move very quickly to shift both care delivery and operations to remote formats as much as possible because of the COVID-19 pandemic, they have often had to cut corners on cybersecurity. Those shortcuts have led healthcare security experts to expect cyberattacks to increase during the pandemic.
But new research from Seattle-based consulting firm CI Security reveals surprising findings in this area: the number of breach reports is down more than 10 percent compared with the second half of 2019, and the number of breached records is down nearly 83 percent in the first half of 2020. The figures are based on the information that healthcare organizations are required to submit to the Department of Health & Human Services (HHS) within 60 days of discovering any breach affecting 500 or more individuals.
What could explain these findings at the height of a global health crisis, when organizations are more vulnerable than ever? Drex DeFord, former health system CIO and current strategic healthcare executive for CI Security, offers his perspective in this interview.
What were your key takeaways from the report’s findings?
We were surprised by the numbers coming out, and then that led us to be a little worried. Two of the big takeaways were the number of breach reports to HHS’ Wall of Shame [breaches affecting more than 500 records] and also the amount of records breached. These [figures] are huge drop-offs for a six-month period compared to the previous six-month period.
There are several [possible] explanations, with one being that healthcare organizations have upped their cybersecurity game. And we hope that’s the case, but we still do believe there is a big division between haves and have-nots when it comes to health systems versus smaller organizations. We think healthcare organizations could possibly have misunderstood HHS’ exceptions during the pandemic, so maybe they didn’t think they had to report [publicly], or that they had more than 60 days to do so. Maybe they were just too busy to report due to the [pandemic]. It may also be that healthcare organizations don’t know they’re breached yet, and that’s why we think the second half of the year could be really bad. We know there’s often dwell time once a breach has happened, sometimes lasting a few hundred days.
Were you particularly surprised at these findings considering the vulnerable positions organizations are in due to the pandemic?
The reality didn’t match the expectation. In the early stages of the pandemic, and even now in certain [hotspot] areas, there were a lot of exceptions made to the rules of good cyber hygiene. I have talked to dozens of big health systems that said they [previously] had an “absolutely no way you can work from home” policy, and then they woke up the next day and sent thousands of people to work from home. That creates its own issues, such as sending computers home with people or allowing them to use their own personal machines for work.
We are also seeing that previously retired and temporarily employed clinicians are being brought on board to help the clinical staff during the pandemic. There’s also been a big increase in telemedicine, and that comes with its own set of risks. A lot of organizations have set up new locations in their EHRs, have new drive-thru testing, or have made decisions to completely isolate either a facility or clinic as its COVID facility. When you do these things in a hurry inside an EHR, you can make mistakes and create openings for exposure.
Further, there has been a lot of new equipment added, whether it’s ventilator machines or new scanning devices, and maybe all those [security] procedures weren’t necessarily followed. Also, since there was a big rush to try to fix the PPE challenges, there was a lot of bidding going on and connecting to new suppliers. All of these things come with their own flavors of potential exposure.
What have been some emerging cybersecurity threats during the crisis?
One thing we continue to see is well-built phishing emails that look like they come from legit [places] such as county health departments. But once that front-line employee clicks the link, it lets the cyber criminals in, and once they’re in they are past the wall you built. So the only way to catch them at that point is by monitoring the network, catching the bad guys, kicking them out, and then repairing any damage quickly. One of my peers says it’s “keeping the fire in the skillet instead of setting the whole house on fire.”
CISOs and CIOs need to broaden their scope since everything is a computer now. You need to make sure you’re connected to the supply chain guys, the biomedical equipment, clinical engineering teams, and facilities management. You don’t want anyone else setting a cybersecurity landmine that the organization will step on later. You want to double down on your security operations center [SOC] monitoring efforts, and make sure you’re monitoring the heck out of your network 24/7 so anything odd happening can be picked up on very quickly. And if you can’t do that yourself, find a partner.
As the pandemic continues to evolve, and healthcare system employees are both working remotely as well as on-site, what do security leaders need to be doing right now?
I think [security leaders] went into this thinking [the pandemic] would be a temporary emergency that they’d have to deal with, and then on the back end of it, they would be able to clean it all up. But it’s starting to look like temporary is turning to permanent. Organizations that had [previously] practiced disaster preparedness and that have done system outage practices have [fared] better.