The numbers tell the story—and it’s one we all wish we could put back on the shelf. Cybercriminals are using COVID-19 to their advantage, causing an 8% rise in reported healthcare-related breaches compared to the same period in 2019. Almost 75% of those breaches involved providers, making them the most compromised segment. The largest increase of reported breaches were business associates, with a 46% increase.

There are some unpleasant plot twists as well. Various government agencies, including the National Security Agency and the FBI, report that Russian- and Chinese-backed hackers have successfully attacked healthcare firms this year. A ransomware attack by Netwalker (rumored to have Russian ties) locked down servers at a California-based school of medicine in June; a similar breach occurred at one of the largest managed healthcare companies in April.

The worldwide shortage of cybersecurity professionals might be considered an interesting subplot. Industry analysts predict there will be 3.5 million vacant cybersecurity positions by 2021.

 

Focus on the end-user

Regardless of location or organization size, healthcare IT security executives face the same situation: attacks are up, personnel is down, and the need to innovate and integrate is a constant pull against the need to secure patient data.

The way forward is focusing on the right areas and getting additional help where it’s most needed.

Numbers can help here, too. Almost half (47%) of reported breaches so far in 2020 included email attacks. That’s up from 42% in 2019, a trend expected to continue. The fact is, most organizations need more robust end-user training and awareness. Here’s some food for thought:

  1. Human error causes 90% of data breaches.
  2. Regardless of whether they’re working from home, from a coffee shop, or inside hospital walls, every employee should have the basic knowledge necessary to spot and avoid cybersecurity threats.
  3. Employees need device guidelines about downloading apps and programs while being aware that their IT department may monitor their devices (including mobiles) for dangerous activity.
  4. Provide guidelines on updating antivirus and anti-malware programs on devices used for work, and explain that those programs won’t be as effective without the updates.
  5. Train employees to be wary of file attachments from unknown senders or senders outside the organization. Notify all employees of any common phishing scams circulating in your industry.
  6. Instruct employees not to download files from unknown sites and make sure they know how to identify secure URLs, update their browser, and avoid third-party browser plugins.
  7. Ensure employees know who to contact and what actions to take if they think their device is compromised, regardless of location.

Finally, keep in mind that full awareness and guideline adherence may require a culture shift in your organization—and that means getting buy-in from top executives.

Implement best practices for remote work

It was an all-hands-on-deck effort to get as many employees working from home as possible in the spring. Now it’s time to ensure all best practices are in place, keeping in mind that some workers are returning to the office, but many will continue to work remotely through 2020 and beyond.

  1. Phishing and spear-phishing are top methods for cybercriminals, and remote work relies heavily on email. Prioritize strong email encryption and train employees to spot phishing scams.
  2. Implement a secure remote access solution for employees and train them on network security best practices, such as setting up strong passwords.
  3. Perform an access review to ensure all personnel have the minimum access necessary to do their jobs. Removing excessive permissions or stale and stagnant accounts reduces the threat surface area of your organization.
  4. Maintain network access control such that when employees work from home, they maintain the same level of access as they would if in the office.
  5. Set up multi-factor authentication to avoid dependence on passwords and reduce the chance of password guessing.
  6. Use encrypted data for all IT-related communication, especially when employees are working remotely.
  7. Consider partnering with a Managed Security Services Provider (MSSP) if your IT and cybersecurity teams are stretched to the point where they cannot be effective.

Be vigilant about monitoring both internal and external

Monitoring is the best way to spot cyber threats before they access your network. If proper monitoring is in place, spend time assessing and reducing third-party vendor risk, paying particular attention to software for connected medical devices. Don’t forget to evaluate software implemented during the pandemic that slipped through your regular third-party risk-governance program.


Vulnerability threat management and penetration testing also should be mainstays of your cybersecurity program. That means scanning, testing, and patching your network consistently while partnering with experts when necessary to ensure those activities take place.

Finally, realize that the American workplace will look different than it did before the pandemic. The modern workplace will likely remain partially remote long term, so a robust remote cybersecurity program is now a critical element of your cybersecurity program, which may require a larger IT staff or assistance from a managed IT provider.