Strained But Secure
By Troy Young
Troy Young is chief technology officer of AdvancedMD of South Jordan, UT.
Healthcare providers are pressed to the max, working to deliver ample care to the increasing volume of patients infected with COVID-19. Employees rise to the challenge and learn to get the job done in vastly different circumstances, be it on the front lines, in the back office, or remotely.
While we all try to navigate the new realities this pandemic presents, computer hackers are exploiting them: “Don’t let a crisis go to waste” is their mantra. Indeed, the novel coronavirus crisis has led to a rise in cyber scams and other security breaches as healthcare providers move quickly to redistribute workloads and manage care overflow.
Hackers are using tactics that capitalize on fear and anxiety, and on the habits of internet users trying to stay informed during these uncertain times. They entice healthcare workers to open malicious files and links by:
- Creating a sense of urgency.
- Implying or stating that the e-mail comes from a person of authority.
- Offering a resolution to a difficult problem (the current virus, shortage of medical supplies, people in need, and similar) in exchange for sensitive information.
These tactics are especially effective during a time of crisis, when urgent communications from employers, friends, family, and government agencies are filling inboxes. These e-mails may include fake virus tracker maps, hand hygiene instructional sheets, or online marketplaces for high-demand items. Hackers have impersonated the World Health Organization (WHO), for example, in recent phishing emails.
As is the case with security at any other time, employees are the first line of defense against cyberattacks that begin with a deceptive message. Providers should review policies with staff—whether employees are on site or working from home—and adhere to standard security plans and general workflow processes during the pandemic. Some scams are so well concealed that employees get fooled. These are best practices to keep top of mind:
- Always be suspicious of unexpected emails. Check the sender’s email address.
- Always look closely at any URLs, even those that are supposedly from people within the organization. Rather than clicking the link, type the known address into the browser yourself.
- Never open a file attached to an email that was unexpected, or one that looks suspicious in any way. Take a pause to think through the purpose of the email. Don’t feel rushed or pressured to take any action.
- Never provide personal information such as usernames and passwords, or financial information, after clicking through an e-mail link.
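The checklist above is written for people, but the same indicators can be screened for automatically before a message reaches an inbox. The script below is an added example, not code from the article or from AdvancedMD: it applies the article's checks (sender address, every URL, urgency pressure, credential requests, unexpected attachments) to a raw e-mail message and reports what it finds. The organization domain `clinic.example`, the keyword lists, and both sample messages are constructed for illustration.

```python
"""Phishing-indicator triage for one e-mail message (added example).

Encodes the article's checklist as checks over a raw RFC 5322 message.
ORG_DOMAIN, the keyword lists and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "clinic.example"  # assumed organization mail domain
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now", "final notice")
CREDENTIAL_WORDS = ("password", "username", "login", "verify your account", "bank account")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of_url(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return registrable_domain(parsed.hostname or "")


def phishing_indicators(raw_message, org_domain=ORG_DOMAIN):
    """Return human-readable indicators found in one message (empty list if none)."""
    msg = message_from_string(raw_message)
    findings = []

    # Sender: external domain, a display name borrowing the organization's name,
    # or a Reply-To that silently redirects answers somewhere else.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    external_sender = registrable_domain(sender_domain) != org_domain
    if external_sender:
        findings.append(f"external sender domain: {sender_domain}")
    if external_sender and org_domain.split(".")[0] in display_name.lower():
        findings.append(f"display name '{display_name}' impersonates the organization")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"Reply-To domain differs from From: {reply_to}")

    # Body and attachments: gather subject plus text parts, flag any attachment.
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(f"attachment present: {part.get_filename()}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            texts.append(part.get_payload(decode=True).decode(charset, "replace"))
    body = "\n".join(texts)
    lowered = body.lower()
    findings += [f"urgency language: '{w}'" for w in URGENCY_WORDS if w in lowered]
    findings += [f"credential/financial request: '{w}'" for w in CREDENTIAL_WORDS if w in lowered]

    # Links: visible text that names one domain while the href leads to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = domain_of_url(href)
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
        if shown and domain_of_url(shown.group(0)) != href_domain:
            findings.append(f"link text '{text}' actually points to {href_domain}")
        elif href_domain != org_domain:
            findings.append(f"external link: {href_domain}")
    return findings


# Constructed samples: one lure of the kind the article describes, one routine message.
SAMPLE_PHISH = """\
From: "Clinic IT Helpdesk" <helpdesk@clinic-support.example.net>
Reply-To: recover@mail-recovery.example.org
To: nurse@clinic.example
Subject: URGENT: VPN password reset required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Due to the COVID-19 response, all remote staff must verify your account
immediately or lose VPN access.</p>
<p>Reset here: <a href="http://clinic-support.example.net/reset">https://vpn.clinic.example/reset</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Dr. Patel" <a.patel@clinic.example>
To: nurse@clinic.example
Subject: Shift schedule for next week
Content-Type: text/plain; charset="utf-8"

The updated schedule is on the intranet at https://intranet.clinic.example/schedule.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Each indicator on its own is weak (plenty of legitimate mail is urgent or comes from outside the organization); the value is in the combination, which is exactly what the article asks staff to weigh before acting. The two-label domain heuristic is deliberately simple and would need a real public-suffix list before use on production mail.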
Even if someone falls prey to a phishing attack, organizations can mitigate risk by following these precautions:
- Require multi-factor authentication (MFA, also called two-factor authentication) on every account that supports it, especially banking and e-mail accounts.
- Enable automatic software and operating system updates on computers and mobile devices.
- Install anti-virus and anti-malware software on network computers, personal computers, and mobile devices. Windows and macOS include these by default; just confirm they’re enabled and up to date.
- Back up all data.
The current crisis has highlighted organizational weaknesses in healthcare security and privacy protocols amid the urgent need to respond to government lockdown mandates, patient emergencies, and employee shortages due to illness. Employers have rushed to establish telecommuting capabilities for staff who don’t typically work from home: when the need to expand capacity outstrips the organization’s ability to apply its security and privacy measures, risk increases sharply. Also, as telecommuting employees increasingly use virtual meetings to communicate with each other, the National Institute of Standards and Technology (NIST) has recently published guidance on protecting virtual meetings from eavesdroppers.
VPNs are commonly used by healthcare organizations with telecommuting staff to provide secure access to technology resources. Microsoft recently warned that hackers are attacking vulnerable networks and VPNs, having particular success with a ransomware campaign known as REvil (or Sodinokibi). Organizations that use VPNs should refer to guidance from the Department of Homeland Security to secure their VPN and network infrastructures.
The COVID-19 crisis has also dramatically increased the use of telemedicine, which has emerged as an essential tool for providing contactless patient care. Regarding penalties, HHS recently notified providers that its Office for Civil Rights (OCR) has relaxed enforcement of HIPAA privacy rules during the crisis. This is great news for clinicians and patients, but providers should still be deliberate about using technology that is HIPAA-compliant and be sure to have business associate agreements (BAAs) in place with their vendor of choice.
The uncertainties of this global pandemic have many of us feeling vulnerable right now. Let’s control what we can. That includes built-in cybersecurity protocols that keep patients, employees, and organizations secure.