COVID-19 and health care cybersecurity: How to protect practices and patient data

The health care sector has long been a target of cybercriminals. But most recently, as all eyes focused on the coronavirus pandemic spanning the globe, other insidious threats were lying in wait to take advantage of the overwhelmed health care system. These threats were of the cybersecurity variety, targeting the technologies so heavily relied upon by health care systems and providers.

In just the first half of 2020, the Department of Health and Human Services saw a nearly 50% increase in the number of health care-related cybersecurity breaches, with 132 reported incidents that targeted network servers, desktop and laptop computers, email and electronic medical record (EMR) systems. Piling on, the rapid adoption and onboarding of telehealth vendors led to a significantly increased digital footprint and attack surface, leaving both provider and patient data at risk. It’s critical to understand the current threats facing the health care environment so you can protect your organization.

Health care cybersecurity threats before COVID 19

Pre-COVID, phishing and spear-phishing tactics were vastly used to deliver malicious emails, attachments and links that infected servers, while malware and ransomware continued to take advantages of weaknesses. In the last quarter of 2019 alone, there was a 350% year-over-year increase in ransomware attacks on health care entities. These attacks disrupted business at hospitals, health systems and other health care-related organizations, and impacted IT vendors that served a myriad of medical facilitates, such as dental offices and nursing homes.

Human factors have also been an element in cybersecurity weaknesses, from employees accidentally opening their companies up to threats to targeted attacks by insiders. In fact, many breaches occur for reasons that could ultimately be avoided, such as employees losing assets, not securing devices that provide access to sensitive medical data, not following security standards or inadvertently sending protected health information (PHI) to the wrong end-user. More difficult to detect and mitigate are the intentional insider threats, which could include disgruntled staff or individuals who were coerced, recruited or bribed to steal on behalf of cyber criminals.

Lack of investment in the appropriate technology, or regular upgrades, has also left the health care sector exposed. According to one estimate, health systems put only 4% to 7% of their budgets toward cybersecurity – which is 2x to 3x less compared to other sectors that also handle highly personal data.

Crimes of Opportunity Increasing During COVID-19 Pandemic

COVID-19 has ramped up existing security threats and created new ones that have caught many health care entities off guard. Attackers have expanded phishing and social engineering efforts, preying on the anxiety caused by or fear of the coronavirus, or seeking donations for COVID-related causes, and disguising their attacks to look like trusted entities. Other cyber-enabled financial crimes have escalated, including business email compromise, personally identifiable information theft, ransomware and account takeovers. And while our health care providers have been serving on the front lines caring for COVID patients, often busy and distracted, they have been disproportionately targeted by cyber attackers.

The bigger issue, though, centers around the industry’s overnight pivot at the start of COVID-19 to expanded remote care modalities. These technologies enabled providers to more safely attend to patients’ routine needs and address the increasing demand related to the pandemic. To facilitate more telehealth offerings and meet physician needs, HIPAA regulations were relaxed, allowing for use of new technology platforms -- including some that presented higher security risks. Additionally, with offices closed and the public being urged to stay at home to prevent the spread of COVID-19, more providers were teleworking. The use of unsecured WiFi and lack of enterprise virtual private networks (VPNs) opened the opportunity for increased cybercrime against the health care sector. Plus, using devices outside the secure office location further extended the risks.

Protecting Your Health care Organization Against Cyberthreats

With threats coming in from seemingly every angle, there is a real need and opportunity to shore up security so irreparable harm is not done. Regardless of your practice size or access to key resources, there are ways to begin safeguarding your practice almost immediately.

Proactively secure your systems - Ensure your software, EMR, practice management solutions, apps and servers are updated and the latest patches are applied in a timely manner. If you're using cloud-based solutions, such as Office 365 or Google Apps, leverage multifactor authentication. Also work to protect your systems with commercial, reputable antivirus software, and set it to update automatically.

Protect teleconferencing solutions - With the rise of telehealth, many practices shifted to commercial teleconferencing platforms for video appointments during the pandemic. But because practices handle sensitive patient data over these platforms, security should be a top priority. Consider adopting HIPAA-compliant telehealth solutions that fit into your already established practice workflow, such as through your current EHR vendor, to ensure that extra layer of security and protection.

Establish policies for working remotely - If your staff continues to work from home, develop clear policies that set out expectations and requirements for remote work security. Also consider requiring staff to work only on equipment supplied by the practice, setting up a VPN to ensure a secure connection to practice and patient records, locking work computers when not in use, and requiring reauthentication after a brief time of inactivity.

• Educate your staff – Educate your staff on how to avoid cyber threats, especially as it relates to threats designed to steal passwords, access personal data and profit from the pandemic. Proper organization-wide education and training enables teams to be proactive in safeguarding the practice from cybercriminals and hackers.
• Seek out health IT experts – Cyberattacks on health care systems are not disappearing anytime soon. Consider seeking out a health IT advisor for additional support. Security consultants and trusted vendors can help evaluate your practice’s security risk and make recommendations on how bolster your defenses.

COVID-19 will continue to place excessive demands on the health care system, requiring practices to rely more heavily on technology to treat patients and more efficiently manage and maintain their businesses. Cybersecurity is no different. Overlooking these threats can leave you vulnerable to attacks, but with the right technology and protocols, you can safeguard your practice today, putting your team and your patient’s private health care data in safe hands.

About the Author

As chief information and security officer, Brian Bobo leads Greenway Health’s IT organization, overseeing the security of the hosted environments of thousands of customers. Passionate about building teams and fostering collaboration, Brian brings his experience from the aviation, retail, manufacturing and logistics industries, as well as the military, to create long-term cyber strategies.