As the world faces the medical concerns associated with COVID-19 and moves to working from home, healthcare workers not on the front line — those in administration and information technology (IT) — feel a different pressure. While it does not have the gravity of saving lives, it is the challenge of keeping the business running under the strain of a remote workforce. Administrative and IT healthcare workers must adapt to a constantly changing landscape, with factors ranging from emerging security threats to managing a remote workforce and securing its remote connections.
Attacks have skyrocketed during the COVID-19 pandemic outbreak, as nefarious parties attempt to capitalize by preying on fears and curiosity and targeting those trying to help. Providing tighter information security is key to adequately defending healthcare organizations during this time in which a second type of pandemic is occurring — one aimed at compromising sensitive data and healthcare organizations’ most prized networks and applications.
On April 8, 2020, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert reflecting a surge of “COVID-19 related themes by malicious cyber actors.” This surge comes while healthcare providers are changing multiple aspects of their environments to enable what is the new norm, which includes deploying new telehealth platforms and external facing websites, adding new VPN connections so administrative personnel can work from home, placing workforce members on temporary furloughs, and making changes to electronic health records (EHR) to enable better identification, diagnosis, orders, and tracking of COVID-19 patients. The balancing act of needing to move quickly to address the community’s biggest needs while protecting the privacy and security of sensitive information is very difficult, and it is one that attackers know is likely to lead to vulnerabilities that they can capitalize on.
While this increase comes as no great surprise to the information security community (attackers always love a good crisis), the solution is also no major surprise. It all boils down to good information security hygiene practices. Vulnerability management, identity and access management with multifactor authentication, and education and security awareness for the workforce are all critical factors of a strong information security program.
As the organization rolls out changes, steps should be taken to run vulnerability assessments to determine whether any holes have been created that need to be addressed. Having a process to perform this in short sprints can help create a focused and clear path to address these potential weaknesses. Don’t forgo penetration testing efforts completely; instead, consider reviews that are focused on these new or changed environments to see whether they can be compromised, and address them accordingly.
Where possible, consider deploying controls over remote access environments. For example:
- Perform vulnerability scans of remote devices to identify vulnerabilities and, if possible, patch the devices and update anti-malware products.
- Review firewall rules and look for additional opportunities to restrict access.
- Disable removable media and local printing (USB drives, printers) to protect against internal bad actors trying to exfiltrate large amounts of data.
- Implement controls to prohibit users from downloading or storing ePHI on devices.
- Ensure that VPN traffic is being logged and alerts or reviews are performed to identify irregular VPN usage patterns.
- Monitor the news daily for new vulnerabilities in telehealth technologies.
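As an added illustration of the VPN logging and review point above (this is example code, not from the original article or any VPN product), the script below parses a few constructed VPN authentication log lines and flags the usage patterns a reviewer would typically look for: successful logins outside business hours, one account logging in from more than one country, and repeated failures against one account. The log format, field names (`user=`, `src=`, `geo=`, `result=`) and thresholds are assumptions chosen for illustration; adapt them to the concentrator's real export format.

```python
"""Review constructed VPN authentication logs for irregular usage patterns.

Added example (not from the original article). The log format, field names,
business-hours window and failure threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real data): one authentication event per line.
SAMPLE_VPN_LOG = """\
2020-04-09T08:02:11Z user=jsmith src=203.0.113.5 geo=US result=success
2020-04-09T08:05:43Z user=mlee src=198.51.100.22 geo=US result=success
2020-04-09T02:13:44Z user=rkhan src=203.0.113.77 geo=US result=success
2020-04-09T09:10:00Z user=jsmith src=192.0.2.9 geo=RU result=success
2020-04-09T09:11:02Z user=dpatel src=198.51.100.40 geo=US result=failure
2020-04-09T09:11:09Z user=dpatel src=198.51.100.40 geo=US result=failure
2020-04-09T09:11:15Z user=dpatel src=198.51.100.40 geo=US result=failure
2020-04-09T09:11:20Z user=dpatel src=198.51.100.40 geo=US result=failure
2020-04-09T09:11:27Z user=dpatel src=198.51.100.40 geo=US result=failure
2020-04-09T09:11:33Z user=dpatel src=198.51.100.40 geo=US result=failure
"""

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 UTC is normal for this workforce
FAILURE_THRESHOLD = 5           # assumption: 5 or more failures for one user is irregular


def parse_vpn_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def find_irregular_vpn_usage(events):
    """Return a sorted list of (user, reason) findings for an analyst to review."""
    findings = set()
    countries = defaultdict(set)   # user -> set of countries seen on successful logins
    failures = defaultdict(int)    # user -> count of failed logins
    for e in events:
        user = e["user"]
        if e["result"] == "success":
            countries[user].add(e["geo"])
            if e["time"].hour not in BUSINESS_HOURS:
                findings.add((user, "login outside business hours"))
        else:
            failures[user] += 1
    for user, geos in countries.items():
        if len(geos) > 1:
            findings.add((user, "logins from multiple countries: " + ",".join(sorted(geos))))
    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.add((user, f"{n} failed logins"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_irregular_vpn_usage(parse_vpn_log(SAMPLE_VPN_LOG)):
        print(f"{user}: {reason}")
```

Run against the constructed sample, the review flags three accounts: one off-hours login, one account seen from two countries within an hour, and one account with a burst of failed attempts. In practice the same checks would run on a scheduled export and feed a ticket or SIEM alert rather than stdout, and the thresholds should be tuned to the organization's actual shift patterns.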
Identity and Access Management
As the number of individuals within each healthcare organization’s remote workforce increases, IT must evaluate the security of remote connections. In March, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a bulletin addressing cybersecurity risks during COVID-19, which focused on maintaining the “principle of least privilege,” establishing remote worker procedures and implementing protective technologies. The following configuration and control considerations should be evaluated:
- If possible, enable multifactor authentication for users accessing the organization’s trusted network and applications from remote locations. Specific consideration should be provided to users with elevated or administrator-level accounts.
- Increase password complexity and length requirements. Accounts protected by simple eight-character passwords can be compromised easily, typically through straightforward password-guessing attempts.
- Review account “lockout” policies to determine whether users can guess passwords an unlimited number of times, which allows a “brute-force” attack to proceed unchecked.
- Review and reduce user access to maintain the principle of least privilege, realizing that the organization may be granting elevated access roles to clinical users who are now allowed to work at a higher level based on relaxed regulations. Make sure mechanisms are in place to track those access changes so they can be reviewed and potentially revoked once those regulations are reinstated.
- Restrict access to the internal network for authorized devices only.
- Consider deactivating accounts for furloughed workers. Furloughed employees who feel the furlough was rolled out unfairly, or even those experiencing boredom, may be at higher risk of abusing that access. Finally, plan for how best to reestablish these accounts, possibly en masse, once the furloughs end.
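To make the password-length and lockout considerations above concrete, here is an added example (not from the original article or any identity product) of a small account store that enforces a minimum password length and character mix, stores salted PBKDF2 hashes, and locks an account for a period after a fixed number of failed attempts within a sliding window. The thresholds, the in-memory store and the scripted scenario are assumptions for illustration; a production deployment would use the identity provider's native lockout policy and persistent storage rather than this code.

```python
"""Password policy and sliding-window account lockout as a worked example.

Added example, not from the original article. Thresholds, the in-memory store
and the PBKDF2 parameters are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_PASSWORD_LENGTH = 14                 # assumption: well above the weak 8-character baseline
MAX_FAILED_ATTEMPTS = 5                  # assumption: lock after 5 failures ...
FAILURE_WINDOW = timedelta(minutes=15)   # ... that occur within 15 minutes
LOCKOUT_DURATION = timedelta(minutes=30)


def password_meets_policy(password):
    """Require minimum length plus at least three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccountStore:
    """In-memory accounts with lockout after repeated failures (assumed design)."""

    def __init__(self):
        self.accounts = {}

    def create(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest,
                                   "failures": [], "locked_until": None}

    def authenticate(self, username, password, now=None):
        """Return 'ok', 'locked' or 'denied'."""
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"   # same answer as a wrong password: no username enumeration
        if acct["locked_until"] and now < acct["locked_until"]:
            return "locked"   # do not even check the password while locked
        # Keep only the failures that fall inside the sliding window.
        acct["failures"] = [t for t in acct["failures"] if now - t < FAILURE_WINDOW]
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"].clear()
            acct["locked_until"] = None
            return "ok"
        acct["failures"].append(now)
        if len(acct["failures"]) >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_DURATION
            acct["failures"].clear()
            return "locked"
        return "denied"


def demo_lockout_sequence():
    """Scripted scenario: five bad guesses, a correct password while locked, then recovery."""
    store = AccountStore()
    store.create("nurse01", "Correct-Horse-Battery9")   # constructed credential
    t0 = datetime(2020, 4, 9, 9, 0, tzinfo=timezone.utc)
    results = [store.authenticate("nurse01", "wrong-guess", now=t0 + timedelta(seconds=i))
               for i in range(5)]
    results.append(store.authenticate("nurse01", "Correct-Horse-Battery9", now=t0 + timedelta(minutes=1)))
    results.append(store.authenticate("nurse01", "Correct-Horse-Battery9", now=t0 + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    print(demo_lockout_sequence())
```

The scripted sequence shows the behaviour the bullet points ask a reviewer to confirm: the fifth failure within the window locks the account, a correct password is refused for the lockout period, and access is restored afterwards. Note the two small choices that matter for review: the lock is checked before the password hash is computed, so a locked account gives no hint whether the guess was right, and an unknown username returns the same "denied" answer as a wrong password.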
Creating and disseminating security awareness notifications to all healthcare workers should be the first step in the prevention of malicious attacks. The following steps can go a long way to educate workers on what types of communication hold the highest risk of causing harm to the organization:
- Communicate the information from the joint alert (in easy-to-digest and understand bullets) to the workforce. Create awareness and consider requiring employees to forward all external emails that use the subject line “COVID-19” to IT staff without opening them. Additionally, consider requesting that staff never use “COVID-19” in the subject line of internal emails in the event a scam email is sent using an individual’s compromised credentials.
- Provide examples of phishing emails and instructions on how to identify a “fake.” Additionally, if there is access to an internal phishing tool, consider testing these new guidance rules by using a “COVID-19” phishing email to test compliance.
- Send security awareness reminders not to open unexpected attachments or those coming from untrusted sources.
- Share relevant key security issues, whether those are about a potential database of compromised accounts or issues with specific technologies that users should know.
Another technical consideration might be to add identifiers to data loss prevention (DLP) tools to identify messages coming from outside the organization with “COVID-19” in the subject line and immediately tag them as possible spam to provide users with another indicator of a potential threat. While the world is focused on healthcare workers valiantly fighting for the health of their patients, reducing information security risks throughout the entire system will ensure that they have the needed resources to save more lives. Minimizing security risk will add stability to support healthcare workers to ensure consistent system functionality and reduce disruptions.