As many healthcare organizations are learning, one area that can’t be neglected during a crisis is data security. And so, when the Covid-19 pandemic hit — and several initiatives were put on hold — an ad hoc task group was created to develop a Cybersecurity Tactical Crisis Response. Despite the title, however, the guide doesn’t focus solely on prevention, detection, and response, although those are critical components, according to Erik Decker, Chief Security and Privacy Officer, University of Chicago Medicine, who leads the group along with Denise Anderson, president of Health Information Sharing and Analysis Center (H-ISAC).
In fact, it’s just as much about education and outreach, as well as ensuring teams are taken care of. Think of it as a “roadmap of important things to consider when either developing or refining an incident response plan.”
Recently, healthsystemCIO spoke with Decker and Anderson about the key takeaways from the guide, the biggest challenges facing IT security leaders during a crisis, how disaster preparedness is evolving, and what they’re working on now.
Gamble: Can you provide some background on how this came about?
Decker: Ultimately it came about from a few different angles. In conversations back in March with my co-lead on the government side of the Cybersecurity Act Section 405(d) Task Group, we decided to suspend some of the activity. We wanted to refocus our efforts on the pandemic and provide guidance for cyber protection and process improvements during this time. A lot of other people were on the same page, and so we proposed standing up an ad hoc task group to build out a guide in partnership with H-ISAC. At that point, Denise and I started getting a team together and putting some of the pieces in place.
Gamble: Based on what you saw early on, was there an increase in security breaches? Or have you seen different types of cyber attacks?
Decker: From my standpoint, it’s not so much an increase in volume of attack, as it is the context of the attack. Of course, phishing is a constant struggle. It’s very successful, which is one of the reasons why it’s so proliferate. The phishing attacks we were seeing were really COVID-related. Things like fake PPE companies selling supplies, or enticing emails that come with an attachment that looks like a novel contact tracing program — things that can bypass your perimeter defenses.
It’s always hard to quantify what the increases are, but we’re definitely seeing some rattling of the doorknobs; checking perimeters and looking for known vulnerability exploits. And it’s still happening.
Anderson: In the initial phases of the pandemic, we saw a lot of domain names being registered that included some version of the word ‘Covid.’ They were being used as phishing lures, and I think we’ll see that threat evolve as things progress. For example, as organizations return to work, we’re seeing emails that say things like ‘click here for the new policy.’ Threat actors always try to take advantage of those themes as they progress during an incident.
In reality, though, I don’t think it escalated any higher to what our members normally with. Basically, because healthcare has been such a prime focus, any incident that happened got a lot of attention. But really, it wasn’t anything more than the normal volume that we typically see. This is typical when an incident starts to ramp up; threat actors will take advantage.
The good news is we didn’t see a lot of incidents, for a few reasons. One is the controls that have been put into place to protect against attacks. I think a lot of healthcare practitioners don’t get the credit they deserve for that.
There was a lot of awareness about cybersecurity campaigns, and a lot of help from the community. There were a lot of threat researchers out there that did a lot of scanning and were sharing a lot of indicators of the types of tactics and techniques threat actors are using so that practitioners could put mitigation steps in place.
Gamble: There were (and still are) a lot of concerns about the spike in remote workers and the security risks that come with that. Any thoughts around that?
Decker: There’s definitely a lot of focus on the remote aspect. We look at it in three buckets. The first is the clinical workload changes that had to happen, including adding in a telemedicine component where a lot of institutions weren’t doing it yet. Securing that was one aspect.
The second is supporting work from home; getting nonessential people out of the healthcare environment to keep our workers safe. In many cases, securing endpoints was relatively straightforward. But those who hadn’t worked remotely had to enable VPNs and Citrix sessions to connect, which meant bandwidth had to scale up quickly.
In addition to that, there are devices that aren’t corporately owned; if that’s the case, you have to check to make sure you have the right controls in place to prevent that. It’s a lot of extra monitoring.
The third category was the work around bolstering cyber resiliency to deal with the threats coming in. It’s a good opportunity to sort of pivot and look at what the threats are, the techniques and practices that they use and importance of bolstering up your internal capabilities on that front.
Anderson: We’ve seen so many organizations move to a remote workforce and a digital virtual patient interaction experience in such a short time. In many cases, hospitals or providers weren’t doing any telehealth; or if they were, it was maybe 500 calls per week, or 10 percent of the patient interaction volume. That went to almost 100 percent overnight.
The amazing thing was is that it worked really well. Organizations have been able to offer a great patient experience. There were challenges to work through, but surprisingly, security wasn’t necessarily the top issue. It was things like allocating cameras for physicians, teaching both physician and patients how to use the platform, and dealing with bandwidth issues.
Those were some of the more practical issues we encountered. But really, when you look at how quickly they were able to pivot and do it in a successful way is just amazing.
Gamble: It’s been incredible to see that unfold. Let’s talk about the guide — what are the key areas of focus? What did you want to focus on most?
Decker: The guide is broken into four sections focused on core recommendations. The first two we focused on are prevention techniques, and detection and response, which talks about how leaders can make sure your teams can identify attacks and react accordingly. That’s standard cybersecurity practice.
Another area of focus was around education and outreach.
As organizations dealt with the pandemic, we had to shift very quickly in some cases, and accept risks we wouldn’t have normally accepted, and of course, track those risks and keep a good registry.
We understood what the policies were, and were aligned the emergency management protocols within HICS.
And of course, there’s the targeted communication that’s needed for each of your constituents. It’s not just a single email blast you can send to your entire institution and then assume that everybody’s going to understand what the new procedures are. You have to target that between the various levels of leadership and clinical practice.
The final piece looks at how to take care of the team that’s actually responsible for all of this. And it’s not just in reference to the pandemic; we designed this guide to be independent of that. It could be any type of crisis that occurs. And it may be short, or it may be more like what we’re dealing with no. It’s about setting the cadence for the team to monitor for burnout, make sure schedules are appropriate so that no one is overburdened — things like that.
Anderson: I think it’s important to add that the guide made certain assumptions. For organizations that were experienced and had plans in place, it gave them a virtual checklist where they can say, ‘Okay, we’re doing this.’ But it was really designed for smaller organizations that maybe hadn’t put a robust plan in place. And in fairness, I think a lot of the success that happened, especially in the larger organizations, was because they had practices in place and were able to pivot very quickly. It shows the importance of making sure organizations have a great plan; a checklist is a tool for that. That was our thought process behind this.
Gamble: That’s a great point; large and small organizations have very different needs, and resources.
Anderson: It also speaks to the community. It really is a community effort; the more we can share with each other, work together with each other, and learn from each other, the better off the whole ecosystem will be — and the safer patients will be.
Gamble: Because of the unique nature of Covid-19 and how quickly everything happened, did you have concerns that cybersecurity would be put on the back burner?
Decker: There’s always a balance between how to make sure clinical practices are operating at the level that they need to, and monitoring security and the controls associated with that. For the larger institutions where cybersecurity is part of the culture, you’re at the table. You’re part of the emergency management function, which is part of the leadership team. You’re there to help guide and direct as needed. If you need to pump the brakes a little bit because you’re moving too fast in one direction and it’s not safe, you can do that.
Smaller institutions might not have that level of engagement at the leadership level, and so they might struggle with that.
Gamble: I’d like to talk a little more about that last bucket, which is taking care of the team — what type of guidance do you have for leaders?
Decker: There were a few suggestions there. One is setting up a cadence of communication with your team. In today’s world where most of us are remote, it’s important to maintain the dynamic with the team that you had in the face-to-face capacity. It can be something as simple as standing up daily huddles or standups for five minutes at the beginning of the day. Even if you don’t have much to talk about, it’s important to keep the dialogue flowing.
Another is making sure you have a good messaging platform in place so people can communicate outside of emails, and making sure the team has the right equipment at their house. They might have a laptop that works for a short period of time, but after a while it has issues, and they might not be as productive.
And, as I mentioned earlier, it’s looking at schedules and making sure people aren’t working 12-hour days consistently for weeks on end. That might happen initially, but once you’ve gotten over the hump, you have to be cognizant of how much time your people are actually spending on this, and give them a break.
Part 2 Coming Soon…