Hospitals need optimal cyber security now more than ever. The rise of telehealth and the shift in healthcare employees working off-premises during COVID-19 have ushered in a vicious surge of cybercrime targeting hospitals and healthcare systems.
The industry recently experienced what could be the biggest medical breach in U.S. history when Universal Health Services, which has over 400 locations, had to move its network offline after an attack. Computer systems across the organization’s network began to fail, forcing some of its hospitals to resort to pen and paper for filing patient information.
But this incident is only one splash in the wave of cybercrime that has rocked 2020. Earlier this year, a CrowdStrike cybersecurity report showed that the number of healthcare cyber attacks doubled from the fourth quarter of 2019 to the first quarter of 2020 alone. Many of these attacks started with phishing campaigns that lured in users with fake COVID-19 health guidelines and updates. Another report from Barracuda corroborates this trend, citing a staggering 667 percent increase in malicious phishing emails from January to March 2020.
The bitter truth is that hackers are capitalizing on the pandemic. They know that healthcare systems have undergone profound organizational changes that have created holes in their security. With the lens fixed on providing quality care amid COVID-19, healthcare systems were blind to their own need for protection.
Hospitals Spread Thin
These attacks can be devastating for hospitals, their staff, and the patients they serve. The impact is especially detrimental in a time when healthcare systems have never been asked to do so much with so little, serving on the frontlines against a pandemic that has ravaged the U.S. more than any other country thus far.
Healthcare systems have had to navigate unprecedented circumstances: vast shortages in equipment and medications, healthcare reimbursement and regulatory overhauls, and severe profit losses from low patient volumes during the temporary delay in non-urgent procedures and patients’ reluctance to go to medical facilities during the pandemic.
New Challenges in Data Security
Hospitals and healthcare systems have had to adapt by moving some of their operations off-premises. There’s been a massive expansion in telehealth services. An estimated 60 to 90% of physicians are now using telehealth to care for patients, according to Meg Barron, the American Medical Association’s vice president of digital innovation. For comparison, only 28% of physician respondents reported using telehealth technologies in 2019.
That means at least half of physicians using telehealth now weren’t using it even a year ago. These digital novices could pose security risks, as they may be more likely to use an unsecured network or device working from home or in public places.
Other major shifts among healthcare systems have been setting up temporary facilities and testing triages, as well as allowing employees to work remotely. In the rush to implement these changes, hospitals understandably put the health and safety of their patients and staff first.
But the need to fortify cybersecurity measures became an afterthought. Any delay in routine network patches and ongoing security upgrades created vulnerabilities that could compromise sensitive data. In a network that’s extended into the homes of employees and patients and across more communications technologies, every transfer is a risk.
Mounting Regulatory Pressures
Now, yet another data security challenge is underway as regulatory pressures mount. The Centers for Medicare and Medicaid Services (CMS) issued an interim final rule requiring facilities to submit extensive reports on a daily basis.
Facilities must answer an eight-page questionnaire that asks for information such as the number of COVID and flu patients they are treating each day, their equipment and drug inventory, and whether they anticipate critical staffing shortages and in which specialties. The information the CMS is asking for is complex and time-consuming to collect, because the data spans various departments.
Even without having to mitigate a pandemic and the imminent flu season, the feat is near impossible. But the CMS states that failure to comply with these measures could lead to termination from the Medicare and Medicaid programs. Carrie Williams of the Texas Hospital Association says of the new rule, “The constantly changing goal posts are going to be a real challenge for hospitals. We want to be in compliance, we want to make sure that we’re providing the federal government with whatever they need for planning and resources. It’s just—another change is a challenge in the middle of a pandemic.”
This requirement in particular sets an unrealistic goal. Slightly less than 24% of hospitals were able to report all the required elements every day for the week of September 14, as shown in an internal CDC presentation. Though the CMS hasn’t penalized hospitals yet, the grace period for noncompliance ends November 18, when the first round of enforcement letters goes out.
Major Incentive to Cut Corners
Sadly, a hospital’s determination to comply with the CMS could be the very thing that dooms it. The threat of losing Medicare and Medicaid funding creates a huge incentive to cut corners on security or anything else that slows down the ability to comply. The accelerated processes will create gaps that hackers can exploit on a network that has already become more porous in the shift to remote work.
Given the real likelihood that a healthcare system experiences a breach, its compliance efforts could be ruined. As we saw with Universal Health Services, an attack can force a healthcare system to take its network offline and make its hospitals resort to pen and paper. Each day offline has severe consequences for the hospitals and the patients who rely on the network.
Best Practices to Safeguard Your Network
For hospitals, the already daunting task of reporting to the CMS daily becomes downright impossible with the network offline. That’s why healthcare systems need data protection that won’t force them to trade security for speed. Here are the steps you can take to fortify your network without disrupting operations.
Identify Vulnerabilities with Security Testing
The first step in your cybersecurity plan is to identify any vulnerabilities or indicators of compromise (IOCs) in your network. Your IT administrators should conduct DarkNet Security testing, as well as external and internal penetration testing. These analyses will reveal any flaws in your infrastructure that hackers could exploit.
Implement Employee Security Awareness Program
You also want to ensure your employees follow good “human firewall” security practices, verified through social engineering testing. With a remote workforce, your employees’ role in your data security is more crucial than ever, so they need to remain vigilant against phishing and vishing schemes. Routine social engineering tests should be an integral part of your employee security awareness program.
Beyond that, your program should also incorporate a cyber hygiene checklist that requires employees to:
- Install the latest operating system patches to all work devices.
- Ensure home networks are protected with strong and regularly updated passwords.
- Use anti-virus software on work devices and enable it to update automatically.
- Enable two-factor authentication for all work applications and devices.
Choose Secure Software and Collaboration Tools
Some platforms and tools are safer than others, so empower your staff with the right ones. For example, many healthcare systems have turned to Zoom for telehealth video conferencing, despite its saga of security and privacy issues. If your organization is among them, consider other HIPAA-compliant alternatives that offer better security and control, such as Microsoft Teams, Doxy.me, or GoToMeeting.
The software and tools you use for file sharing and emails also need to be secure and eliminate risky behaviors, like downloading attachments and clicking unknown links. If you don’t already, you may want to use a virtual private network (VPN) that enables your employees to securely access your network from any device. Contact us for more information on choosing the right VPN for your organization.
Devise a Disaster Recovery Plan
When it comes to data breaches, the question is not if they will occur—but when. Taking the necessary precautions to reduce the likelihood is only half the solution. You also need to have a strategy in place for when a breach does occur.
In the event of an unexpected crisis, you need to ensure that all of your employees’ work is backed up and can be restored quickly. A cloud-based backup that regularly synchronizes data with devices across your network is a viable solution. You may also want to consider investing in a failover connection or an emergency mobile hotspot, so that your employees can still reach the data center even if the primary network connection goes offline.
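A backup only counts once a restore from it has been tested, which is the check the paragraph above leaves implicit. The script below is an added example for this article, not tooling from the page or its vendor: it copies a directory into a backup location alongside a SHA-256 manifest, then performs a scripted restore and verifies every restored file against that manifest, so a backup copy that was silently damaged or altered after it was taken is caught before anyone depends on it. The sample record files and temporary directories are constructed for the demo.

```python
"""Backup with an integrity manifest, plus a scripted restore test.

Added example (not from the original article). All paths are temporary
directories created here; the sample files are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large record files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src: Path, backup_root: Path) -> dict:
    """Copy src to backup_root/data and store a manifest beside the copy."""
    data_dir = backup_root / "data"
    if data_dir.exists():
        shutil.rmtree(data_dir)
    shutil.copytree(src, data_dir)
    manifest = build_manifest(src)
    (backup_root / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def restore_and_verify(backup_root: Path, target: Path) -> dict:
    """Restore the backup into target, then compare every file with the manifest.

    The report's 'ok' flag is True only when nothing is missing, altered or extra.
    """
    expected = json.loads((backup_root / "manifest.json").read_text())
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_root / "data", target)
    actual = build_manifest(target)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    altered = sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p])
    return {
        "ok": not (missing or extra or altered),
        "missing": missing,
        "extra": extra,
        "altered": altered,
    }


def demo() -> tuple:
    """Run a clean restore test, then one where the backup copy was tampered with."""
    work = Path(tempfile.mkdtemp())
    src = work / "records"
    (src / "notes").mkdir(parents=True)
    (src / "census.csv").write_text("ward,patients\nICU,12\n")  # constructed sample data
    (src / "notes" / "handover.txt").write_text("constructed sample note")

    backup(src, work / "backup")
    clean = restore_and_verify(work / "backup", work / "restore1")

    # Simulate a backup copy damaged after it was taken (media fault, or someone
    # reaching the backup share): the stored manifest still reflects the original.
    (work / "backup" / "data" / "census.csv").write_text("ward,patients\nICU,0\n")
    tampered = restore_and_verify(work / "backup", work / "restore2")

    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean restore ok:", clean_report["ok"])
    print("tampered restore ok:", tampered_report["ok"], "altered:", tampered_report["altered"])
```

Run the restore test on a schedule against a scratch location rather than the production share; the manifest should be written to a separate, write-protected location in a real deployment, since a manifest stored next to the data can be rewritten together with it.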
Another option is to outsource your recovery plan by turning to a Disaster Recovery as a Service (DRaaS) expert. A DRaaS provider will evaluate all the software and tools your organization is using and devise a customized strategy for operational resilience. If your IT administrators are already overwhelmed, this is the safest solution to ensure your organization can bounce back quickly from any threat that arises.
Secure Your Future with Connection
The pandemic has put healthcare systems at a disadvantage in so many ways. It’s understandable that cybersecurity has fallen by the wayside as hospitals struggle to stay afloat. However, the last thing you need right now is a compromise of sensitive data that puts you and your patients at risk.
Our team of experts understands the organizational challenges you face and is here to help. Get the support you need from a trusted leader in healthcare technology. Call us at 1.800.800.0014 today to safeguard your network from cyber attacks.