While hospitals scramble to adapt to the COVID-19 crisis, they’re taking steps that are applicable well beyond the healthcare vertical. Similar to businesses ramping up digital capabilities, hospitals are rolling out telehealth platforms on an accelerated timeline, foregoing typical security and risk assessment processes along the way. Others are leaning on trusted vendors for fast rollouts of new solutions, and still others are finding innovative ways to bolster thin resources. These lessons learned can be applied across all information security teams as they work to support operations in this new era.
Hospitals have moved quickly to prepare for a spike in COVID-19 patients, asking patients who can stay home to do so. In response, they’re deploying telehealth platforms at a large scale to care for other patients remotely. Telehealth isn’t new, but few hospitals have been using it at scale. Now, hospitals are accelerating the rollout to the point of being willing to accept heighted cybersecurity risk to provide patient care.
Hospitals are different from typical businesses. When they say customers are their top priority -- in this case patients -- they really mean it. They can’t sacrifice patient safety.
But this reaction to the COVID-19 crisis isn’t all that different from what most businesses are doing. Organizations are rolling out new technology platforms, adding licenses to existing software and putting customer-facing solutions into place before they’ve had time to test them adequately. With this in mind, here are some lessons from the healthcare sector that apply to other businesses.
Hospital CISOs are trying to strike a balance between acknowledging they are addressing urgent organizational requirements as they deploy telehealth platforms, and recognizing there’s a certain amount of risk they need to take to respond to the COVID-19 situation.
Not all businesses need to change their core business models – large financial services firms and e-commerce stores, for example – but the vast majority of organizations are rapidly scaling new digital services for either internal or customer-facing use.
Rethinking risk tolerance within a business continuity context cannot be done in isolation. Effective continuity planning requires cross-disciplinary collaboration, with the effort usually led by a chief risk officer or general counsel. Steps to take to ensure collaboration include:
- Create a risk committee: Mature hospitals have them to balance clinical and administrative risk priorities, and they pay off. The committee should include (at least) representatives from security, human resources (HR), legal, finance and, in healthcare, clinicians to provide a broad viewpoint for risk assessment. It should report to decision-makers. In large organizations, these committees often operate at the board level.
- Consider all elements of risk, including the human, technical and operational elements of continuity decisions. Issues that particularly demand collaboration between departments include employee welfare, critical dependencies reliant on individual executives and supply chain resiliency.
Lesson 2: Streamline Technology Rollouts
To continue business, healthcare CISOs are standing up telemedicine platforms to take care of patients and limit the risk of exposure to COVID-19 – but without going through the usual security vetting, testing and sign-off, i.e., the normal onboarding processes for technology platforms. Healthcare CISOs get the risks. They know that taking shortcuts to get a platform out likely introduces vulnerabilities. But in a crisis, the health and operational risk of taking a slow approach on telehealth outweighs the technical risk of a rushed rollout.
This is the kind of decision all businesses are going to be making for the foreseeable future, and information security leaders must be prepared to support rapid product deployments for both internal and customer-facing solutions. To support an accelerated release process, CISOs should:
- Employ old-fashioned security awareness training and hand-holding. Users (especially customers) are going to be running unfamiliar tech and need to be informed of basic security best practices, including:
- Putting resources into onboarding processes so all users can securely configure their end of the platform.
- Prioritizing training, especially for user bases that aren’t as comfortable using digital technologies. For example, hospitals are bringing in retired doctors and nurses who aren’t necessarily aware of current phishing threats or security best practices. Identify the most prominent risks for these types of user groups based on the tech they’ll be using and focus your training accordingly.
- Use multifactor authentication (MFA) to eliminate the potential for user error and to automatically enforce secure operations.
- Lean on trusted, established vendors rather than taking risks on emerging solutions. As you assess these vendors:
- Create a simple benchmark for quality infrastructure vs. weak infrastructure that you can use to quickly assess a vendor’s back-end capabilities. When developing benchmarks for cloud technologies, your baseline for resiliency should include mature security controls, a well-organized maintenance program, demonstration of interoperability and component standardization.
- Focus assessments on data transfer within the platform -- preventing data tampering or interception is the priority.
- Look for vendors willing to provide transparency into how their technology works and their own security practices.
- Prioritize reputable providers that have passed regulatory tests in the past. Regulatory bodies will likely reduce red tape in the crisis – the FDA is doing so when it comes to medical devices – making the trustworthiness of the vendor especially critical.
- Build your team’s communication skills. How you collaborate with project stakeholders and train customers is especially vital when trying to work at an accelerated pace.
Lesson 3: Resource are Tight, Get Help
In a crisis, we tend to have under-resourcing, and those resources are not typically senior or executive-level positions. They’re more technical and operational.
While hospitals have increased investments in digital technologies, they just haven’t put enough resources onto information security teams. A midsize hospital with 500-700 beds may have one dedicated security staffer. That doesn’t hold up as hospitals become more dependent on digital technologies, especially in this crisis.
Information security teams across industries are scrambling to keep up with escalating demands. To get support:
- Bring your trusted, critical vendors to the table. Information security often has close, positive relationships with vendors they can use to get an in with business leaders. Getting them involved in the risk conversations around continuity plans gives you an extra voice to influence other teams.
For example, hospitals often have close relationships with medical device manufacturers that have ramped up security maturity and sophistication in recent years, making them natural partners for security leaders looking for solutions. These vendors are so trusted by the rest of the business that they have sway over decision-makers outside of security.
- Get stakeholders in the room. The technology risk component of continuity planning usually gets shoved in the network or clinical engineering corner. Get out of the silo and build relationships to develop the influence needed to get resources you need during risk decision-making.
The healthcare industry’s move to accelerate telehealth deployments shows the increased risk tolerance of organizations trying to respond to the COVID-19 crisis. Getting out of the security bubble and partnering with business leaders on risk management is necessary to build the relationships and gain the influence needed to execute continuity strategies while keeping new threats and vulnerabilities in check.
COVID-19: Address the Next Black Swan in Your BCP, April 6, 2020
Business Continuity and the Coronavirus: Know Where to Focus, March 2, 2020
Poll: Defending Healthcare from Cyberattack During COVID-19, March 24, 2020
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.