For healthcare chief information security officers reflecting on March, little would have changed regarding their approach to remote work and telehealth — if anything, they would have moved faster.
Mike Gregory, CISO of Community Health Northwest Indiana, consulted his CIO to figure out a plan of action in March. "We stopped almost every project that was mid-implementation or about to be implemented," he said on a virtual panel hosted by Proofpoint last week.
The systems "needed at the moment" took priority, he said. Community Health immediately contacted vendors to install thermal scanners at the hospital's critical entrances, which allowed it to "deploy our nursing resources out to where they were needed the most — with our patients."
COVID-19 accelerated healthcare's telemedicine ambitions like other digital transformation efforts across industries. Strategies differed for security chiefs across healthcare organizations, but the destination — established telehealth capabilities, protected end users and technologically advanced hospitals — was met faster than any previously-established deadline could anticipate.
In one week in April, 1.3 million Medicare beneficiaries received telehealth services, reported CIO Dive's sister publication Healthcare Dive. The week ending March 7, just before stay-at-home orders swept the nation, only 11,000 members received treatment via telemedicine.
While Community Health had some planning done, "we did a whole lot of scrambling" to implement a telemedicine strategy and equipment, including camera installation, integrations with EHRs and payment solutions. "The pandemic obviously pushed that project all the way to the top," Gregory said.
"I would say today we were successful, but we could have done a little bit more pre-planning, made that a bigger priority, for this day and age," Gregory said .
Like Community Health, telehealth initiatives were already underway at Hartford HealthCare, according to CISO Chris Baldwin, while speaking on the panel. "We just dramatically accelerated some of those initiatives that protect those particular areas, to close those attack surfaces."
Baldwin's focus shifted to endpoint security, using next gen solutions to enable end users to do their jobs regardless of physical location.
Gary Gooden, CISO of Seattle Children's, had been with the hospital for just over a year. The IT department was going "heavy" on its technology roadmap, implementing new technologies. About half of Seattle Children's non-emergency visits are hosted through telehealth services today.
"That being said, I wouldn't necessarily see anything that we could have done differently. It's more about the speed at which we can accelerate, to actually put the things in place that need to be put in place," Gooden said, speaking on the panel.
COVID-19 unveiled a greater perspective on people, process and technology because it overhauled how the healthcare industry will provide services to partners, employees and patients.
When the U.S. approaches more mature phases of reopening and employees return to a physical work environment, Gregory predicts organizations will be stronger as a result the infrastructure built around work-from-home orders.
Accelerating the security program
Security has the reputation of slowing down deployments of new products and initiatives. In March, businesses had to simultaneously maintain continuity without compromising security — it was a delicate balance.
"Protected health information is a major, major, major target. And we do our best to protect it. Are we being attacked? Yes, the answer is absolutely," Gooden said.
About 40% of Seattle Children's went remote and Gooden expects some staff to permanently remain remote. The VPN was an issue Gooden had to "address up front." The hospital used a Citrix VDI (virtual desktop infrastructure) environment before COVID-19 and scaled it as necessary over the past several months.
Endpoint protection for newly remote employees was a minefield for CISOs, regardless of industry. But establishing traditional VPNs, once predominantly used for only a few permanently remote employees, was not the ultimate solution because they aren't meant for a large-scale permanent workforce.
Community Health already had split tunneling, which enables remote workers to connect to their ISP. "While the VPN can connect, and you can have a direct communication back to your network, your [transmission control protocol] traffic, your internet traffic, all of that is open," he said. The only protection is what's on the endpoint, but then "you suffer from web filtering." The challenge became scaling an infrastructure suitable for coping with filtering.
But endpoint security doesn't stop at connectivity. Gooden is still tackling patch management for a remote workforce and has to navigate how employees' "home router is now your weakest link."
Gooden is in the process of securing web gateways to "adjudicate access" depending on whether data employees want access to is inside or outside of the network.
"From my perspective, the legacy implementation of VPN or Citrix VDI is just that — it's legacy. But it's something that you have and you can utilize," Gooden said. However, the solutions are limited and not "forward-thinking" models for a predominantly remote workforce.
Additionally, VDI technology is costly. Extending a VDI environment for a medium-sized business is "quite an investment," Gregory said.
For the three CISOs, everything came back to having a multi-layered security strategy, which includes an informed workforce. "It's often described as aligning multiple pieces of Swiss cheese," Baldwin said. There will always be safeguards, but when vulnerabilities seep through the holes, oftentimes the end user is the last layer of defense.
Community Health is creating personas for its remote employees to dictate data access regarding its identity and access management program. It has always restricted access to EMRs, especially for the handful of employees who were already remote, according to Gregory. Moving this large workforce off-site "really accentuated that a strong [integrated assessment model] needs to be in place no matter what."
Community Health's integrated assessment model was used mainly for internal workers, with personas based on being inside a network. Role-based access control environments pave the groundwork for a zero trust architecture. "What I'm seeing is an acceleration of work that would normally take several years of cutting in one year," Gregory said.
Monitoring the threat landscape
Organizations with robust security monitor threats every day. But COVID-19 presented "an escalation point" for threats, according to Gregory. Though all three hospitals received generalized attacks shaped around the pandemic, Baldwin's hospital was specifically targeted.
The healthcare industry has been inundated with cyberattacks long before the pandemic. Ransomware attacks increased by 131% between 2018 and 2019, and organizations aiding in response to COVID-19 have been targeted.
As the industry grapples with even more targeted attacks, threat intel gets messy. Single healthcare organizations can't process every threat alone, so determining who else can relay reliable threat intelligence is key.
"You have to know whether you're being targeted, because how do you know?" Baldwin said. His organization could be the only one targeted by a certain strain of malware, or it could one of 25 targeted organizations.
As risks can spread through companies, third-party and vendor risk management take the forefront. "A lot of what we do from a cybersecurity perspective has to do with the pathway to get from point A to point B, and back safely," Gooden said.
A never-ending issue for healthcare organizations is the sheer amount of research data and who has access to it. CISOs are balancing data entitlements, whether for employees or business partners, with an established process to manage access.
The constant threat lends itself to how and how often the security organization communicates with all employees. "The cadence at which we communicate hasn't necessarily changed, but the content of what's being communicated has changed," Gregory said.
Gregory relies on the in-house communication team to regularly share information with non-technical employees. The result is an ultimate risk-averse workforce — so much so employees are reporting false alarms. "They're much more aware and I'm very grateful," he said.