When the COVID-19 pandemic hit the U.S back in March, healthcare IT organizations were caught off guard as much as anyone. In the days following shelter-in-place orders and social distancing restrictions, IT departments scrambled to set up new, or bolster existing, telehealth solutions with the priority of keeping doctors and patients healthy overriding all other concerns.
Six months down the line, however, the world is adjusting to life under coronavirus, and IT departments can no longer afford to sideline cybersecurity. COVID has been a boon for cyber criminals, who are using increasingly sophisticated attacks to compromise individuals and organizations when they are at their most vulnerable. The threats are not limited to video calling tools being susceptible to hacks. With many employees still teleworking, and many patients foregoing in-person visits for telehealth, the attack surface for health care organizations has increased massively. It is nevertheless IT’s job to secure this surface, and they cannot and should not rely on leniency from regulators to last forever.
The good news is over the past six months the security community has learned a lot—probably more than we ever expected—about securing organizational infrastructure during a pandemic. And what we have learned is there are several straightforward steps healthcare providers can take that go a long way to securing their systems and maintaining compliance with regulations like HIPAA. To help healthcare providers better understand the security requirements of today’s complex work environments, we have shared below five of our top best practices for healthcare IT departments to help keep patient data secure during COVID-19.
1. Encrypt Employee Hard Drives
With many family doctors, psychiatrists, therapists and other health care providers, not to mention large populations of administrative staff, still working remotely all or part of the time, there is an increased risk of sensitive data falling into nefarious hands via theft of work devices. The top thing IT departments can do to avoid device theft from becoming a HIPAA reportable breach is to encrypt the hard drives of work-issued laptops or other mobile devices, and insist users turn off those devices when not in use. Encrypting the hard drive of each and every employee device ensures that even if criminals gain access to the computer they are unable to access any patient data that might be contained on that device.
2. Leverage Two-Factor Authentication (2FA)
Another issue that arises in work-from-home arrangements is authenticating users, i.e., confirming users are who they say they are. In an office setting, IT at least has the advantage of physical security to deter criminals from gaining access to work devices. But when log-ins to cloud software and mobile devices are coming in remotely, IT has no way of really knowing who is trying to access a device. In the post-COVID healthcare environment, a single password it is insufficient to confirm user identity. This is where one-time access codes sent to the user’s mobile device or fob can make a huge difference. Studies show that requiring second factors like these make it exponentially more difficult for hackers to gain access to employee accounts. The good news is most software and services that healthcare providers use already have 2FA features built in; all IT needs to do is enable and administer them.
3. Enable Video Call Security Features
Video calls are the area of telehealth that has garnered the most attention in terms of cybersecurity. And while criminals gaining access to Zoom telehealth calls and the like is still a relatively rare occurrence, the worry on the part of patients is real and comes from a place of vulnerability. After all, video calls are where patients reveal often-private information that could be embarrassing or even damaging to their careers or livelihood. That is why healthcare organizations must be vigilant about enforcing universal use of available security features like unique meeting IDs and passwords as well as waiting rooms among its physicians and other individuals providing care to patients. Even better than that is customizing your video communications tool to mandate usage of these features by default. In short, IT organizations should take the time to review and audit the security features of their telehealth platforms to confirm that they are providing their patients maximal security.
4. Establish Robust Telework Security Controls
The best way to ensure employees do not accidentally expose sensitive information or compromise company systems while working from home is to install software controls on the device that make doing that as difficult as possible. Users, who had previously been safely ensconced behind the corporate firewall, are now on a home network protected form the Internet by an ISP modem. But firewall is only one element in a robust endpoint security posture. Other key (endpoint) security controls that health care organizations will want to implement include antivirus and anti-malware software, automatic threat detection for files downloaded from the internet, and a virtual private network (VPN) through which all traffic to the server must go. Together, these controls limit the amount of damage any user can do even if they let their guard down.
5. Mandate WPA WiFi Security Use
When employees work from home, employees’ home wireless becomes key loci of weakness in your organization’s security posture. The issue is many individuals use the default router given to them by their ISP, which may or may not have proper security controls installed, or are using older routers. Many older routers use WEP or WPA1 encryption, which make use of notoriously weak algorithms, to secure access. It should go without saying that WEP and WPA1 are unacceptable risks, when all hackers need to do to steal data is drive around looking for weak WiFi networks. The minimum standard for WiFi network security in 2020 is WPA2. To ensure weak WiFi networks are not putting a hole in your organization’s whole cybersecurity apparatus, healthcare organizations might consider making having proper WiFi security enabled a condition of working from home. In any case, IT organizations should be willing to take the time to work with providers and administrative staff working from home to help them enable strong security at home.
Ensure Your Organization’s Telehealth Services Are Secure
The value of information security is often only recognized after a breach or incident has impacted a business and its bottom line. Lacking specific regulatory guidance, healthcare providers are increasingly unsure of the risk mitigation measures that are appropriate to combat threats spurred on by the COVID-19 pandemic.