As countless facets of healthcare delivery continue to change, so have the basics of cybersecurity education.
The shift requires a deep review of internal safety protocols as well as educational outreach so staff and patients can spot (and avoid) new signs of trouble that could suggest a damaging breach.
On the business side, “it’s about making sure that we have a very resilient, robust infrastructure for our providers to use and leverage” as teams work from different locations, says Andrea Daugherty, director of enterprise IT security and resiliency for the University of Texas at Austin Dell Medical School and UT Health Austin.
“You also had overnight adoption of all of these different technologies that providers were a little bit more apprehensive to use pre-COVID.”
On top of that, the challenges of remote work and scores of patients now accessing virtual care from their own devices are revealing new data privacy risks that weren’t applicable or as prominent before the pandemic — underscoring the urgent need for health IT teams to reassess and communicate their cybersecurity plans.
Daugherty spoke with HealthTech about her team’s recent pivots and best practices.
HEALTHTECH: What are the biggest security challenges IT teams face right now?
DAUGHERTY: We have a very interesting workforce population here composed of faculty and staff — and then, of course, our providers that work in other facilities. It’s about making sure everyone can connect to the resources they need in the most secure way possible.
We are putting a lot of different policies and procedures in place to ensure the users connecting to our network and our resources are, in fact, supposed to be doing so.
We’ve had to roll out multifactor authentication, putting it in front of applications and resources that we didn’t previously have it in front of. We are requiring applications that are not onsite or connected to the UT network to have an elevated e-ID — electronic identification, such as a digital identity card — which is what we use to authenticate into our network.
HEALTHTECH: How can remote work arrangements be risky?
DAUGHERTY: You can look at it like this: The only thing a threat actor needs is one small opening.
Let’s say, for instance, if we had someone from our workforce that was working from home and maybe they weren’t connected to a VPN. Maybe their home network wasn’t necessarily secure, and an attacker got access to their home network and then they could move laterally through and make it to our network.
It’s about looking at those types of things and those scenarios we really didn’t have to take into account or take as seriously before.
HEALTHTECH: How has the pandemic heightened these concerns?
DAUGHERTY: There’s been an insane uptake in phishing and “vishing” (fraudulent phone messages). Cybercriminals are looking for credentials and sending all of these emails that may be related to a COVID vaccine or contact tracing or things that are going to pique the identified user’s interests — so they’ll be more liable to click on it or open it up.
Threat actors are getting creative, and they’re really good at creating these email templates that look authentic. I’ve seen a few recent ones that claim to be from Google. Senders create these templates as though a Google account has been created for the recipient and shared with them for some purpose that actually isn’t relevant, but it looks appealing.
That’s where workforce education and training really come into play. Make sure your workforce is aware of the different types of cyberattack methods and how to respond should they receive something that seems suspicious to them.
HEALTHTECH: Speaking of education, what’s your philosophy? How do you get people to care?
DAUGHERTY: I kind of joke and call myself a “security evangelist.” When I’m talking to providers and their support staff, I think it’s always important to tie it back to what cybersecurity means to them. Typically, that’s the patient.
We don’t want an instance where we are the subject of a cybersecurity attack and then our patient information is exposed or a patient, even worse, is impacted by that. If a hacker has access to our network, then they have access to medical devices and can control pain pumps and X-ray machines and things that, in some cases, may keep our patients alive.
When I put it in that perspective, it definitely hits home. Nobody wants to be a headline on the 6 o’clock news for something that was 100 percent preventable.
HEALTHTECH: Are you educating patients about these security risks as well?
DAUGHERTY: Yes, absolutely. We worked with our marketing and communications team to create a document that’s kind of an FAQ list for our patients as we rolled out telehealth explaining how you access and schedule virtual care.
It hits the highlights: only open links from your providers that you know, don’t let anybody else that isn’t authorized be in the meeting with you and other basic but good-to-know tips. It seems to be well-received, and it’s especially helpful for those who are a little less tech savvy.
Most of the communication we share with our patients is specific to keeping their data secure and safe.
HEALTHTECH: What other concerns will you monitor in the months ahead?
DAUGHERTY: Obviously, the recent ransomware attack on Universal Health Services sent a buzz through the healthcare community. I’d say endpoint protection is something that is always at the forefront of our minds, making sure all of our endpoints are up to date and making sure that we are actively scanning our network for any open ports and things of that sort.
Honestly, it’s just being more hypervigilant than we were pre-pandemic. I don’t anticipate this is going to go away; threat actors are still out there and they’re going to look for every opportunity to take advantage of us — especially healthcare providers who are focused on patients and that, in some cases, may not be as prepared to protect themselves.