October is Cybersecurity Awareness Month: follow the conversation and do your part. #BeCyberSmart
Follow us this month as we engage our health IT community in cybersecurity awareness as we are all trying to meet the new challenges of working from home and through the pandemic.
This is week 2 and the theme is Securing Devices at Home and Work. We have engaged Fortified Health Security to share insights on this week’s theme.
By Dan L. Dodson, CEO, Fortified Health Security
Twitter: @FortifiedHITSec
The value of working from home was finally demonstrated on a global scale in 2020. The ability to adapt to a remote model has been key to employee health during the COVID-19 pandemic. However, dispersed workplaces have also presented new cybersecurity challenges within the healthcare industry.
As healthcare organizations respond to the sudden shift to work from home, many have been forced to reevaluate the scope and scale of their infrastructure. What many IT departments are now realizing is that the rapid response to meet these remote working demands may have created an increased attack surface for cybercriminals to exploit. In 2019 over 60% of reported breaches were caused by malicious attacks, which have been the leading cause of breaches since 2017. This tendency is expected to continue – even in a post-pandemic world – as bad actors capitalize on the disruption that COVID-19 has inflicted on organizations worldwide.
Email: a top target
Over 47% of reported breaches in 2020 included email attacks, which is up from the 2019 year-long total of 42%. This is a trend that is expected to continue throughout the pandemic and well into 2021. The statistics are a stark reminder that critical components of any strong cybersecurity program are end-user training and awareness. A strong cybersecurity program often leads to a culture shift and requires buy-in from executive leadership within organizations. For many IT departments, getting organizational buy-in can have the single greatest impact on reducing overall cybersecurity risk.
Keeping an “eye on the ball”
As the world adjusts to the “new normal,” it’s crucial for healthcare cybersecurity leaders not to lose sight of cybersecurity fundamentals. Many organizations find themselves so overwhelmed with the pandemic and looming financial uncertainty that their cybersecurity program’s day-to-day execution suffers. Healthcare organizations must continue to take a risk-based approach to manage their cybersecurity program through this pandemic because our adversaries are ramping up their efforts. Some critical questions organizations should be asking themselves include:
- How has COVID-19 impacted our email security program?
- Have we conducted a gap assessment to determine whether (and/or how) our program needs to be adjusted?
- Are we executing an adequate cybersecurity training and awareness program?
Transitioning to a Post COVID-19 Model
When the COVID-19 threat became a pandemic, organizations were required to adapt quickly and without much warning. For those who could, this meant one thing – transitioning to a work-from-home model. According to April data from Gallup, the number of individuals who had worked remotely at any point increased from 31% to 62%. This rapid change impacted the scope and scale of cybersecurity programs for these organizations. While identifying the priorities that will remain the same and become part of the next normal, organizations should make several changes to safeguard their network and data. The healthcare industry can prevent malicious actors from taking advantage of vulnerabilities during this transition by taking several proactive steps, including:
- Partnering with cybersecurity experts who have excellent resources for assessing the state of your cybersecurity program and making adjustments accordingly. The right firm can help assess the pandemic’s true impact on your cybersecurity program and assist with a corrective action plan to minimize the real risks.
- Providing thorough training and awareness on an ongoing basis, especially when transitioning to an office-remote hybrid model. An organization’s employees are on the front lines of cybersecurity, which is why they must have the basic knowledge necessary to spot and avoid cybersecurity threats. Training might include best practices for email security, sensitive patient information management, and cyber emergency preparedness.
- Testing frequently and knowing your threat surface. It’s essential to scan, test, know, and patch your network consistently. Monitoring is the best way to spot cyber threats before they access your systems. Also, having visibility into all external access points within your organization is key to securing the organization against threat actors’ increased presence.
- Continuing to maintain and improve your remote security program. Cybersecurity measures for remote employees will remain a top priority, even as some employees return to the office. The modern workplace will likely remain partially remote long term, so keeping a strong remote security program is vital. Keep in mind that this might require a larger IT staff or additional assistance from a managed IT or cybersecurity provider.
- Knowing your third-party software. The COVID-19 pandemic demonstrated how essential third-party software is to the healthcare industry. Remote communication software like Zoom and Microsoft Teams, as well as file transfer platforms, are just some of the ways that third parties support the delivery of patient care and support your employees. Organizations need to understand in detail how the software in their environments is configured and which protocols it uses, and update as necessary. It’s especially important to assess any new software you may have implemented during the pandemic that might have slipped through your regular third-party risk governance program.
While remote work looks different for every healthcare organization, cybersecurity should be a priority across the board. It’s essential to communicate closely with employees, ensure that your security program remains a priority, and execute plans to safeguard your company’s boundaries. By maintaining cybersecurity awareness and best practices, organizations can stay ahead of cyber threats while employees continue to work remotely, even after the pandemic.