What healthcare providers should do this National Cybersecurity Awareness Month
Challenges for healthcare providers
October is National Cybersecurity Awareness Month (NCSAM) each year in the U.S. The 2020 edition is the 17th annual NCSAM, and although it continues a long tradition of attempting to boost public awareness of common threats (this year’s theme is “Do Your Part. #BeCyberSmart”), it’s also an occasion unlike any of its predecessors, due to the ongoing COVID-19 pandemic.
The stakes for effective cybersecurity have risen dramatically as a result of the outbreak, as more day-to-day work has moved beyond traditional corporate campuses and into remote workspaces. End-users connecting to company applications from personal devices still need the robust security protections and dependable performance they got in the office, except now within the scaled-down IT environment of the home — a tricky needle to thread without solutions such as SD-WAN and secure video and audio conferencing in place.
Telework for healthcare workers
For healthcare workers in particular, the overall challenge of telework is even tougher. Applicable U.S. regulations like the Health Insurance Portability and Accountability Act (HIPAA) complicate the flow of information between remote sites. Moreover, the healthcare sector as a whole has historically been slow to take up remote work due to a combination of practical considerations related to patient care, liability considerations, and technological limitations.
However, these hurdles can be overcome with the right combination of tools and strategy.
What remote work challenges do healthcare workers face?
Hospitals, physician offices, clinics, and other healthcare providers must deliver high-quality care while keeping everyone as safe as possible. That, in turn, requires mitigating a variety of risks related to remote work, including:
As the initial pandemic grew, the U.S. Department of Health and Human Services’ Office for Civil Rights relaxed its enforcement of HIPAA noncompliance penalties for activities such as video conferencing. Still, this was a temporary and discretionary measure. In the long term, healthcare organizations will need to balance the flexibility of remote work with the strictures of HIPAA, particularly when delivering telehealth services.
Healthcare providers must still comply with HIPAA regardless of where their workforces are actually located. In the past, organizations have been found liable for HIPAA violations related to the improper disclosure of protected health information (PHI) by remote workers, according to a Middle Tennessee State University professor interviewed by Relias Media. Avoiding these penalties requires assiduously tracking and controlling who has remote access to critical systems, which brings us to our next issue.
More remote work means heavier utilization of virtual private network (VPN) licenses for secure access. All VPNs in use by a healthcare organization should be scaled to meet current usage, as well as properly updated and patched. Chances are that any existing VPN implementation will need to be greatly expanded and more carefully managed than in the past.
Likewise, the expansion of both remote work sites and temporary facilities (e.g., outdoor tent deployments) by healthcare providers means that their WANs must handle more traffic than ever before, and from a wider variety of locations and clients. Additional infrastructure and bandwidth may be needed, alongside a possible upgrade to an SD-WAN architecture that delivers performance and security far beyond what a conventional MPLS WAN offers.
Speaking of security, healthcare organizations have always been among the most common targets of cyberattacks, and the shift to telecommuting has only worsened this long-standing problem. The U.S. Department of Homeland Security, which sponsors NCSAM, identified the rise of advanced persistent threats looking to harvest sensitive data from providers.
With more systems hosted in the cloud and remotely accessible via an Internet Protocol network, measures such as two-factor authentication (2FA) are pivotal. Implementing 2FA plus appropriate anti-malware and network security protections will help shield PHI from unauthorized access.
What can healthcare providers do to stay safer?
Fending off security threats while maintaining HIPAA compliance and meeting end-user needs is a complicated balancing act. But it’s not impossible. Let’s explore some concrete steps that healthcare firms can take toward safer, more scalable operations.
1) Educate and train staff
Many workers, especially in healthcare, have not routinely worked remotely in the past, meaning that they may need hands-on guidance during the transition. More specifically, it’s critical to remind everyone that regulations such as HIPAA apply regardless of location and that remote work environments are prone to a unique set of cybersecurity risks.
It’s prudent to provide a detailed remote work policy with clear protocols about which video and audio conferencing services to use for telehealth and for internal communications, how to avoid common cybersecurity threats, and what to keep in mind regarding regulatory compliance (e.g., is PHI exposed on a desktop during a screen share?).
2) Shore up security infrastructure
While VPNs are integral to remote work security in particular, they’re not the only critical components of cybersecurity posture. Healthcare firms should also keep an eye on:
- Identity and access management (IAM): Who is authorized to access critical resources, and in which ways? Mission-critical platforms like electronic health records solutions are often accessed beyond the provider’s main network, but must be tightly secured via IAM measures for strong authentication and role-based access.
- Encryption: Data at rest and in transit should be encrypted as needed, both to prevent interception and to maintain HIPAA compliance. While encryption isn’t required by the HIPAA Security Rule, using it is often the most practical way to safely and compliantly transmit health information.
- Patch management: VPNs, security software and other applications and services must be kept up to date, in order to avoid the exploitation of any known vulnerabilities.
- SD-WAN: An SD-WAN solution can provide edge network security that connects end users to cloud applications without compromising user experience.
3) Use secure communications platforms
Video conferencing and VoIP, among other applications, play pivotal parts in enabling telehealth. Any such solution must not only provide high-quality picture and sound, but also be hardened against a variety of cybersecurity threats.
Advanced meeting controls, data encryption, and secure supporting data center infrastructure are all vital to effective remote collaboration in this context. With Webex, you can get a safe and productive experience.