As many healthcare organizations are learning, one area that can’t be neglected during a crisis is data security. And so, when the Covid-19 pandemic hit — and several initiatives were put on hold — an ad hoc task group was created to develop a Cybersecurity Tactical Crisis Response. Despite the title, however, the guide doesn’t focus solely on prevention, detection, and response, although those are critical components, according to Erik Decker, Chief Security and Privacy Officer, University of Chicago Medicine, who leads the group along with Denise Anderson, president of Health Information Sharing and Analysis Center (H-ISAC).
In fact, it’s just as much about education and outreach, as well as ensuring teams are taken care of. Think of it as a “roadmap of important things to consider when either developing or refining an incident response plan.”
Recently, healthsystemCIO spoke with Decker and Anderson about the key takeaways from the guide, the biggest challenges facing IT security leaders during a crisis, how disaster preparedness is evolving, and what they’re working on now.
Gamble: In terms of taking care of your team, what else can leaders do during a disaster scenario?
Decker: One thing we found was that, depending on the length of the crisis, it can get pretty tiresome after the first rush is over and you’ve redeployed your team to do incident response-type work. You need to give them a break after a while. Let them focus on other types of tasks or projects. For example, maybe you can give them a simple enhancement or optimization project so that they can flex their intellectual muscles a little bit and don’t just get burnt out by doing the same routine things over and over again.
Anderson: Another thing that’s important is having defined roles and responsibilities, and making sure that both employees and the organization understand them. The time not to do that is when you’re in the middle of an incident. Having those roles and responsibilities clearly defined, and communicating it, is really important.
Gamble: Very good points. Another thing we’ve heard in recent conversations is the need to rethink disaster planning and disaster recovery strategies in light of Covid-19. Do you think that we’ll start to see that soon?
Anderson: I sit on a lot of calls with other sectors as well as with our government partners, and the conversations are starting to shift toward things like, how do you operate during a storm? For instance, hurricane season just started; we’ve already had two this year. How do you respond to that in a Covid-type environment? There are a lot of special considerations.
In the critical infrastructure space, healthcare was probably near the bottom when they were looking at lifeline sectors, with water and electricity at the top.
When Covid-19 hit, healthcare shot to the top of the list, because it effectively shut down everything. Even energy companies had to sequester employees and have them live onsite just to make sure we had electricity. It really did impact everything. I think leaders — not just in healthcare, but everywhere — are going to have to take a look at what happened and make sure they’ll be able to deliver services in a consistent way if something like this happens again. What’s critical are networks and the ability to have them up and running. Without that, we wouldn’t have been able to do a lot of what we’re doing now. And I’m not just referring to healthcare; we need network connectivity in every facet.
Gamble: As some organizations start to reopen, I imagine there’s a new set of concerns that have to be dealt with. Is that covered in the guide?
Anderson: That’s not covered in this particular guide. We are actually developing a guide on returning to work; that’s in process right now, and should be released soon.
Most hospitals, of course, didn’t stop operating, although some of their staff did transition to remote work. Even in the manufacturing and pharmaceutical spaces, many individuals kept working in labs, which comes with its own challenges. And so we’re now looking at how to bring the workforce back, and do it in a safe and effective manner.
Anderson: It gets complicated because many of these large pharmaceutical firms have global operations; even within the US, rules can vary by state. And each country has things that they’re having to navigate around, so it’s a complicated process. It’s not going to be easy.
Decker: One thing I’ll add is traditionally, healthcare as an industry has not had a lot of remote work in place. It’s not common. This pandemic has shaken things up from that perspective. We’re now having conversations like, ‘maybe we don’t need everybody to be literally onsite.’ There are a lot of jobs that can be performed at home, as long as the productivity is there.
In fact, we might not even need people within the same city or even state. Maybe we could take a page from what big tech is doing and hire people from different states and have them do full-time, permanent remote with light, onsite actions. I think you’re going to see that as well. I think this kind of woke everybody up to realize that you don’t have to be onsite to be productive.
Gamble: I agree. The last area I wanted to touch on was the time in which this was created. How were you able to get this completed in such a short period of time?
Decker: Actually, that wasn’t the hardest part. There was no lack of willing participants. Denise and I both have a lot of connections with people who are eager to help and are really good content producers and thought producers.
I will say, this guide was 100 percent collaboratively written. There’s not one section of the guide that was done solely by one person. We edited it, of course, to make sure it had a proper voice, but everybody who participated had a hand in putting the content together. It was just a matter of getting together and spending the time and the cycles to go through it all. The actual content development phase was probably about three to four weeks, and then we put it all together. What we ultimately asked was, give us your industry thinking — don’t worry about making it pretty or making the words look good. We’ll do it after the fact. That was how we tapped in.
Gamble: Very interesting. Thanks so much to both of you for your time. I look forward to speaking when the next part comes out.
Decker: Thank you.