In yesterday’s blog posting, I mentioned the evolution of Telehealth, and how many patients here in the United States are choosing this alternative rather than visiting their doctor in person, or even going to the hospital.
While this can prove to be very beneficial, there is also a myriad of security threats posed to it. It is important to keep in mind that these are not isolated to Telehealth; rather, they stem from the Cybersecurity vulnerabilities that already exist across the overall Healthcare sector.
Unlike most other industries, Healthcare is vulnerable from a number of different angles, which include the following:
*The interconnectivity of medical devices implanted in or attached to patients;
*Devices that are used without proper authorization (such as when Healthcare workers use their own personal devices to transmit medical data);
*Antiquated technologies that are still in use, often no longer supported or patched by their vendors;
*The need for more effective, and more secure, means of communication between Healthcare providers and their patients, in both directions.
Of course, there are more, but these are the ones that come to mind right now. In the Healthcare Industry, there is one huge legislative mandate that was passed in the 1990’s (1996, to be exact): the Health Insurance Portability and Accountability Act, better known as “HIPAA”. One of the main cruxes of this framework is to ensure not only the security of patient information and data, but its privacy as well.
While the intention of this law is to cut down on the number of security breaches that have occurred and continue to occur, it has its fair share of disadvantages as well. One of the main areas in this regard is the need for written, explicit patient authorization before Protected Health Information (PHI) can be shared for purposes other than treatment, payment and Healthcare operations.
This can be perceived as an impediment, especially in life-threatening situations, where decisions by the Healthcare provider may have to be made in just a matter of minutes, even though the Privacy Rule does permit the disclosures that are needed for treatment itself.
I will devote a blog or two sometime in the future to further reviewing some of the details of HIPAA, and what some of its ramifications have been thus far. But for right now, we have to deal with what we are given. So, with doctors and nurses now working remotely as well, what are some of the top security tips one can follow, whether you are a Healthcare provider or a patient? Here are some:
*Training and Education:
Ok, we have all heard of the need to train employees in order to increase their current levels of Cyber Hygiene. Well, how about we turn this around and train the patient in how to maintain their own Cyber Hygiene? Of course, the Healthcare industry cannot control its patients in this regard, but there is no law on the books that says it cannot at least make an effort to offer Cybersecurity Awareness Training to them. How this is created is up to each Healthcare organization, but it must be done, IMHO. It can pretty much follow the same format as other Security Awareness Training programs, but the patient really needs to be educated on these items in particular:
*How to identify Social Engineering phone calls and Phishing text messages (also known as “Smishing”);
*The absolute need to create long, unique passwords, especially for logging into medical portals (such as your Blue Cross/Blue Shield one, for example), and to turn on Multi-Factor Authentication wherever the portal offers it;
*How to securely make use of video conferencing platforms, especially Zoom (for example, using meeting passcodes and the waiting room so that uninvited parties cannot join a consultation).
Patients also have to be instructed that they have a duty to protect their own Personally Identifiable Information (PII); it is not all up to the Healthcare provider to do this. In this industry, both sides have to make sure that PII datasets are kept as safe and secure as possible.
*A fundamental shift to focus on Cyber Risk:
Corporate America is now starting to understand the fundamental need to conduct a comprehensive Risk Assessment, in order to truly determine where the most critical and most vulnerable assets are, and to protect those first. The Healthcare Industry needs to do the same, rather than applying generic Cybersecurity controls everywhere equally. For example, some of the most critical assets that need to be protected first include the medical equipment used for testing, and the devices that are implanted into patients, such as pacemakers. Need some help in this regard? There is a checklist that the FBI, in conjunction with other Healthcare organizations, has come up with. It can be downloaded at this link:
*The need for plans:
In the initial wake of the COVID-19 pandemic earlier this year, CISOs started to realize the sheer importance of having Incident Response (IR), Disaster Recovery (DR) and Business Continuity (BC) plans in place that will guide them through the processes needed to restore mission-critical operations if they have been hit. The Healthcare Industry needs to do the same. I am not sure to what degree this is being done here, but whatever the current level is, it needs to be done by all Healthcare organizations, no matter how small or large they may be. On top of this, these plans must be exercised on a regular basis, such as once a quarter, with realistic tabletop or live drills rather than being left on the shelf.
*Have an effective backup strategy in place:
Yes, we have all heard about the importance of backups. But this is now more urgent than ever before. Gone are the days when a set of tape backups stored on premises was good enough on its own. The more common approach now is to use a very reputable Cloud-based platform, such as AWS or Microsoft Azure, where backups can be created in a matter of minutes and restored just as quickly if the need should ever arise. But a backup in the Cloud is only “always there” if it is protected from the same things that can destroy your production data: keep the copies in a separate account with their own credentials, turn on versioning or immutability so that a compromised administrator account cannot delete or overwrite them, and keep at least one copy offline. The key is to make your backups on a regular basis and to test them just as regularly, by actually restoring from them, to make sure they are working the way you intended.
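As an added example (not from the original post), here is a small POSIX shell script that does the “test your backups” step the way I would want it done: it backs up a constructed sample directory, records a per-file SHA-256 manifest, restores the archive into a scratch directory and checks every restored file against that manifest, and then corrupts a copy of the archive to show that the check actually catches a bad backup. The directory names and sample data are assumptions for the demo, and it assumes `tar`, `dd` and either `sha256sum` or `shasum` are available; in practice the staging directory would be synced to your Cloud storage and the restore test run on a schedule.

```shell
#!/bin/sh
# Added example (not from the original post): back up a directory, then prove
# the backup restores cleanly before trusting it. Paths and sample data below
# are assumptions constructed for the demo.

WORK="${TMPDIR:-/tmp}/telehealth-backup-demo.$$"
SRC="$WORK/ehr-exports"      # hypothetical data to protect
BACKUPS="$WORK/backups"      # staging area; in practice synced to cloud storage
RESTORE="$WORK/restore-test" # scratch directory; never restore over production

# Use whichever SHA-256 tool the host has (coreutils sha256sum or Perl shasum).
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Constructed sample data standing in for exported records and an audit log.
make_sample_data() {
    mkdir -p "$SRC/2020-06" "$BACKUPS" "$RESTORE"
    printf 'patient_id,visit_date,notes\n1001,2020-06-01,telehealth follow-up\n' \
        > "$SRC/2020-06/visits.csv"
    printf 'audit log line 1\naudit log line 2\n' > "$SRC/audit.log"
}

# Create ehr-<stamp>.tar.gz plus two checksums: one of the archive itself and a
# per-file manifest taken from the SOURCE at backup time. Prints the archive path.
create_backup() {
    stamp="$1"
    archive="$BACKUPS/ehr-$stamp.tar.gz"
    ( cd "$SRC" && find . -type f -print | LC_ALL=C sort | while read -r f; do
          hash_tool "$f"
      done ) > "$BACKUPS/ehr-$stamp.manifest"
    tar -C "$SRC" -czf "$archive" .
    hash_tool "$archive" | cut -d' ' -f1 > "$archive.sha256"
    echo "$archive"
}

# Restore test. Returns 0 only if the archive is intact AND every restored file
# hashes exactly as it did at backup time. Each step returns explicitly so the
# result is reliable even when called inside an if/|| (where set -e is ignored).
verify_restore() {
    archive="$1"
    manifest="${archive%.tar.gz}.manifest"
    stored=$(cat "$archive.sha256")
    actual=$(hash_tool "$archive" | cut -d' ' -f1)
    [ "$stored" = "$actual" ] || { echo "FAIL: archive checksum mismatch: $archive" >&2; return 1; }
    rm -rf "$RESTORE" && mkdir -p "$RESTORE" || return 1
    tar -C "$RESTORE" -xzf "$archive" 2>/dev/null \
        || { echo "FAIL: archive does not extract: $archive" >&2; return 1; }
    ( cd "$RESTORE" && hash_tool -c "$manifest" >/dev/null 2>&1 ) \
        || { echo "FAIL: restored files differ from manifest" >&2; return 1; }
    echo "OK: $archive restores and verifies"
}

# Simulate the failure mode that matters: a backup that exists but is silently
# corrupt (one flipped byte in transit or at rest). Prints the corrupt copy's path.
corrupt_copy() {
    bad="$BACKUPS/ehr-corrupt.tar.gz"
    cp "$1" "$bad" && cp "$1.sha256" "$bad.sha256" \
        && cp "${1%.tar.gz}.manifest" "${bad%.tar.gz}.manifest"
    printf 'X' | dd of="$bad" bs=1 seek=10 conv=notrunc 2>/dev/null
    echo "$bad"
}

make_sample_data
good=$(create_backup 20200615T0900)
verify_restore "$good"
bad=$(corrupt_copy "$good")
verify_restore "$bad" || echo "corrupt backup correctly rejected"
rm -rf "$WORK"
```

The point of the per-file manifest is that it is taken from the source at backup time, not from the archive: a restore that “succeeds” but yields different bytes is still a failed backup, and that is exactly what a scheduled restore test should surface before the day you actually need it.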
*Securing the interconnections:
In our world today, things are getting connected to one another, and this is only expected to grow at an unfathomable pace well into the future. This has primarily been fueled by the Internet of Things, also known as the “IoT”. In particular, as mentioned earlier in this blog, even medical devices are coming out this way. For example, if you have a pacemaker, its wireless connection can lead back to your doctor’s office or the device vendor, where software patches, upgrades and firmware updates can be pushed to it. The very scary part is that if a Cyberattacker really wanted to, and that communication channel were not properly authenticated and encrypted, they could tap into it, tamper with the pacemaker’s settings, and cause the patient serious harm, even a heart attack. Therefore, Healthcare organizations must make doubly sure that the medical products they procure have the needed security features built into them. Also, never keep the default security settings and credentials that were set by the vendor!!! Make sure you set them to what your security requirements mandate. A great way to get started in this regard is to make use of the frameworks formulated and provided by NIST for IoT device manufacturers: NISTIR 8259, which covers the foundational cybersecurity activities for manufacturers, and NISTIR 8259A, which defines the core baseline of device cybersecurity capabilities. More information about them can be seen and downloaded at this link:
My Thoughts On This:
With the Remote Workforce of today, the days of visiting your doctor in person for routine matters will soon vanish, unless of course it is an emergency or you need hands-on medical treatment. Telehealth will soon start to rule, whether we like it or not.
Because of this, the Cybersecurity Threat Landscape in this regard will be changing very quickly as well, so the need to keep up with what is going on out there will become even more important.
But don’t worry: I will soon be launching a Cybersecurity Healthcare Microsite which will have this information posted on it. In fact, I have plans to compile an e-Book devoted just to Telehealth, so stay tuned.