Virtual Panel on Healthcare Cybersecurity in the COVID Era: ‘The Devices Are Always Listening’

In a recent HITRUST virtual panel co-sponsored by eFax Corporate, “Effectively Managing Cybersecurity Vulnerabilities in a Turbulent Healthcare Ecosystem,” HITRUST’s Michael Parisi shared an insightful anecdote.

A friend of Michael’s, working from home during the lockdown, had a phone call with a customer to discuss highly sensitive information—while his patio door was wide open. Afterward, the man’s wife came in from outside and told him she heard everything he’d said to the customer. Oh, and so did the couple’s next-door neighbor.

What makes Michael’s point relevant to this conversation about healthcare cybersecurity during COVID is that we’re all running our businesses and performing our jobs under new circumstances, which means we’re all facing new risks and threats.

Now, imagine that call was between a physician and a patient—and think of the neighbor as an Alexa or Siri in the doctor’s home, with a cybercriminal hacking the device to listen in for sensitive data. As Michael pointed out, “The devices are always listening.”

A panel with diverse healthcare-industry expertise

That was just one of many lockdown-era cybersecurity threats discussed by the expert panel, which included:

The legal perspective:
Matthew Fisher, who heads the healthcare regulatory team for the New England law firm Mirick O’Connell
The third-party certification perspective:
Michael Parisi, VP of Assurance Strategy and Community Development for HITRUST
The accreditation perspective:
Lee Barrett, CEO of the Electronic Healthcare Network Accreditation Commission (EHNAC)
The healthcare cloud-service provider perspective:
Jeffrey Sullivan, CTO of eFax Corporate’s parent company j2 Cloud Services

COVID challenges for healthcare security professionals

Among the other quarantine-era risks the panel discussed included:

Too much change, too quickly.

Healthcare organizations have had to adjust so much of their operations to address work-from-home arrangements—policies, controls, assessments, tools, technologies—that many IT teams have had to shift their focus away from security, privacy, and regulatory compliance.

Newly generated data is attracting hackers.

With the medical industry working to develop both a COVID vaccine and new treatments, hackers see increased value in going after these companies’ networks and systems to steal this intellectual property. This is why cyberattacks against biopharma companies have skyrocketed since the early days of the pandemic.

Stressful times lead to poor cybersecurity judgment.

Many healthcare-industry professionals are working from home, often for the first time, while also dealing with the stress of the pandemic. These disruptions in our professional and personal lives can leave us more distracted and vulnerable to poor decisions—such as falling for phishing attacks.

EHNAC’s Lee Barrett cited one incredible example. The HHS issued a warning that hospitals’ security and privacy officers were receiving postcards, supposedly from the “Secretary of HIPAA Compliance,” asking them to visit a URL for a risk assessment. The problem: There is so such position as Secretary of HIPAA Compliance. This is a new phishing attack, designed to take advantage of everyone’s confusion during COVID. And many of these healthcare security professionals are falling for it.

Understandably, healthcare orgs’ priority is always on saving lives and is even more important now

Another challenge the panel discussed was that the healthcare industry has only finite resources and budget—and right now, the priority for these organizations is protecting people’s health during COVID. In other words, many organizations are having to weigh competing objectives and de-emphasize everything other than the challenges of treating COVID patients and saving lives. Unfortunately, “everything” can also include cybersecurity and data-privacy initiatives.

What healthcare IT teams should do now

The panelists offered a number of suggestions for health organizations to better protect their sensitive data. j2’s Jeffrey Sullivan, for example, suggested a couple of best practices for healthcare IT teams during what he described as our current “once-in-a-lifetime level of distraction.”

1. Make sure your automated solutions are in place

First, Jeffrey suggested, review your cybersecurity infrastructure across your newly distributed organization. Make sure all of the automated tools and processes are doing their jobs, meaning:

All of employees’ company-issued devices are encrypted
Your team has remote monitoring in place for these devices
You’ve implemented fraud protection, malware detection, and intrusion detection

2. Make sure your cloud service providers are prepared as well

Jeffrey also recommended contacting the third parties whose apps, platforms, and other cloud tools your employees use. Ask them what specific steps they’ve taken to protect their systems—and your company’s sensitive data—during this period of heightened risk from cybercriminals.

Lee Barrett of EHNAC—who called j2’s level of cybersecurity preparedness “a model for the industry”—offered another valuable recommendation:

3. Get a third-party risk assessment

Lee noted that the best way to make sure your organization is meeting all of its cybersecurity and regulatory standards is to have your infrastructure and processes audited and tested by a third-party expert.

Now more than ever, your internal IT security teams have too much on their plate to make sure you’re addressing—or even seeing—all of the new potential threats to your organization’s data security.

For HIPAA-compliant, HITRUST-certified, and COVID-secure cloud faxing, learn what eFax Corporate can do for your organization.

Watch the HITRUST virtual panel:
Effectively Managing Cybersecurity Vulnerabilities
in a Turbulent Healthcare Ecosystem