As we continue to round up our experts to get their predictions for next year, we turn to security. Remote workforces add another layer of security concern for healthcare systems and provider facilities. Cyber attacks are in the news on a national level and should put all IT departments on alert. HIPAA was relaxed during the pandemic, but what’s in the future on the policy front?
Bill Wagner, Chief Operating Officer, KIWI-TEK, LLC
There was a large increase in non-clinical staff that were required to work from home due to COVID-19 quarantine issues. Many health systems have decided to retain the remote model going forward. In the rush to implement remote access to PHI, some HIPAA requirements may have been overlooked. To ensure HIPAA compliance and prevent a breach, healthcare providers will need to revisit HIPAA guidelines to make sure remote employees comply with all administrative, physical and technical safeguards.
The most thorough method of assuring compliance is to implement a new security risk assessment focused on remote access protocols for employees working with PHI, such as coding, CDI, ROI and PFS. The OIG guidance recommends that a new SRA be done whenever a significant change occurs in how PHI is viewed, transmitted or accessed. This will require a comprehensive, internal compliance review involving internal staff, third-party compliance contractors and all business associates. This may be an extensive effort, but after quality of patient care, PHI security is a top priority.
Based on what healthcare organizations experienced in 2020, my predictions for Health IT in 2021 focus on 3 main areas:
1. Making required updates to emergency operations plans (EOPs).
As the COVID-19 pandemic continues to surge and challenge day-to-day healthcare operations across the nation, we see organizations adding pandemic assessment and response planning to their disaster recovery and business continuity plans and their overall EOPs.
2. Managing security and compliance for new locations of protected health information.
During 2021, healthcare organizations will increase the scope of their security risk assessments (SRAs) to incorporate technology changes that occurred at record speed in 2020, such as applications for telecommuting and telehealth. Though many healthcare organizations have done an amazing job with implementing new remote technologies, would-be attackers know that vulnerabilities exist and can be exploited.
3. Understanding and preparing for a worldwide increase in cyber-attacks.
Healthcare organizations will conduct more testing and workforce training (e.g., phishing tests) during 2021 in order to identify and mitigate new vulnerabilities and reduce the risk of being victims of cyber-attacks.
Aside from the obvious challenges that COVID-19 brought when it comes to healthcare cybersecurity and how it’s delivered, the pandemic also forced hospitals and health systems to look closely at their technology as they look to protect themselves and mitigate their risk of breach or attack. As much as healthcare would like to stop this year’s streak of double-digit growth in data breaches, 2021 won’t be that year. Until the industry gets serious about security, expect this unfortunate trend to continue, fueled by email and ransomware attacks.
2021 will also bring about an increase in spending on cybersecurity as the number of threats and number of access points and endpoints proliferates. The C-suite is catching on, which means budgets will likely increase. However, spending may be more focused on services and software rather than human capital. The industry should also expect to see a greater focus on verifying credentials and access as mature organizations, especially, will start to move toward tighter access security, including zero trust and cloud access security brokers (CASB) applications in an attempt to better control authorized access. The advent of tools rationalization will also continue as IT departments are finally looking around and asking fundamental questions, such as “Why do we have all this software?” The reasons for tools rationalization include identifying and eliminating security gaps, reducing expenses, and ensuring best-in-class software is being deployed.
Finally, on the staffing side, I expect that many healthcare organizations will operate a hybrid model, where some monitoring and maintenance functions are handled by managed security service providers (MSSPs) while more core functions remain in house. A hybrid model also allows organizations to bring a best-in-breed approach to cybersecurity, gaining expertise and best practices from across the MSSP’s clientele.
According to a recent CrowdStrike report, 56% of organizations fell victim to a ransomware attack this year, with cybercriminals taking advantage of increased remote work-related vulnerabilities. With the COVID-19 pandemic surging around the world, ransomware attacks are likely to continue well into 2021, with nation-state organizations increasingly targeting hospitals, state and local governments, and healthcare researchers. As IT teams build out their 2021 cybersecurity strategy, they should look most critically to network detection and response (NDR) solutions, and other complementary solutions like endpoint security platforms that can detect advanced persistent threats (APT) and malware. For smaller companies, managed security services such as managed defense and response are also good options. However, a comprehensive security strategy must also include educating all employees about these threats and what to watch out for. Simple cybersecurity practices like varying and updating passwords and not clicking on suspicious links can go a long way in defending against ransomware. Perhaps most importantly, since no security plan is foolproof, companies should have a plan in the event of a ransomware attack. This is especially important since attackers might perform months of reconnaissance before actually striking. Once they have enough data, they’ll typically move laterally inside the network in search of other prized data. Many cybercrime gangs will then install ransomware and use the stolen data as a back-up plan in case the organization refuses to pay. The more rapidly you can detect a breach and identify what information was exploited, the better your chances of mitigating this type of loss. Having a plan and the forensic data to back it up will ensure your organization and its reputation are protected.