To say that things moved fast during the height of the Covid-19 pandemic is an understatement. Spaces were converted into triage areas and testing grounds, and applications were selected and implemented in record time. And although the reason for the accelerated pace — enabling providers to care for patients — was certainly justified, it created a unique set of challenges for IT security leaders, the ramifications of which are still being felt.
“There are so many things that could’ve gone wrong,” said Shefali Mookencherry, CISO and System Director of Information Security, Edward-Elmhurst Health. “It was spur-of-the-moment, everybody on deck, let’s do what it takes to get through this.” And unlike a typical disaster scenario, which may last for a few days or weeks, Covid has been a marathon.
As a result, healthcare organizations are rethinking their business continuity and disaster recovery plans, noted Mookencherry, during a recent webinar along with Brian Cayer, CISO at Wellforce, and Jonathan Langer, Co-Founder and CEO of Medigate. As part of that, it’s critical that leaders be willing to take a close look at what went wrong (and right), and incorporate those lessons learned into the new strategy.
And although there were myriad takeaways, two seemed to stand out most: having a solid command center, and ensuring stakeholders from different departments are working together to identify priorities and work toward solutions, the panelists noted.
“There were compromises”
One of the biggest challenges early on was in how quickly digital platforms were put into place, leaving little, if any, time for security teams to evaluate them. “There were so many new applications coming in, and so it was really hard to use existing processes for risk assessment,” said Langer. “Everyone wanted things to be in place because patients needed support. There were definitely compromises.”
Mookencherry concurred, adding that several exceptions had to be made to allow clinicians and support staff to do their jobs, whether that meant granting remote access to vendors, enabling remote printing, or quickly “greenlighting” virtual care platforms. “There were a lot of things we had to get expedited,” particularly when physicians began using their personal devices to connect with patients.
As security teams quickly transitioned into triage mode, the need became clear to understand what tools were being used, when and by whom, and try to “gain control over the environment” in order to prevent a disaster on top of a disaster, Mookencherry noted.
The first step in doing that, according to the panelists, is to stand up a command center from which information would flow based on input from a number of stakeholders, including security. “We wanted to make sure we were all informed, and that there weren’t any stops because security wasn’t engaged in the conversation,” Mookencherry stated.
At Wellforce, the command center was staffed by leaders from security and engineering, as well as desktop, network, and service support. “Everyone was there, and so when a problem came up, we had all the people there to say, ‘here’s the process, and here’s how we do it,’” Cayer said. “When you have a built-in process where you have the right resources together up-front, you’re able to plan most effectively.”
Having a command center in place can help organizations mobilize quickly, which is essential when it comes to performing risk assessments. At Edward-Elmhurst, the security team has long been a proponent of doing its own risk assessments for applications. However, like many organizations, they struggled to keep up with the demand during Covid, and were forced to tweak their strategy.
“We’ve learned that we have to be flexible,” said Mookencherry. And that has meant performing risk assessments on applications that have already been purchased and operationalized, rather than putting that on hold, which could potentially compromise patient care. “We didn’t stop doing them; we decided to work on them in tandem.” Finding that balance, she noted, was a game-changer for her team.
Langer commended the approach, emphasizing that for CISOs and other leaders, risk management “is an ongoing exercise” that requires a willingness to adapt. What’s also important, he noted, is being able to prioritize new devices and applications in terms of risk.
“It’s all about clinical context. You need to look at the probability of an incident, and the potential impact,” particularly as it pertains to patient safety. “Ultimately, you need to look at the attack surface of the device at the level of associated vulnerabilities, and prioritize that system by system.” Otherwise, “you’ll never be able to get to where you need to be in a short period of time.”
The panelists offered more takeaways based on their own experiences that can help leaders improve their cybersecurity contingency plans going forward.
- Make MFA mandatory. At Edward-Elmhurst, multi-factor authentication was 100 percent mandatory. “We don’t give remote access to anyone unless they have it,” said Mookencherry. They did, however, receive “a lot of pushback” at first, and so her team focused heavily on education—not just on how to use it, but why it’s necessary. “We went through a bit of a rocky road in the beginning, but people got used to it, especially once we helped them understand the risks.”
- Communicate, communicate, communicate. For Cayer, one of the keys to responding to the changing needs brought on by Covid was communication. “We presented to our board and executive leaders about the cyber risks we were seeing to make sure they had an understanding of what was happening.” “We’re taking on additional risks,” whether it pertained to the remote workforce, third-party contractors, or the increase in operational services. “We walked through all of it.”
- Revisit business continuity. What’s also critical, Cayer noted, is ensuring that the business continuity plan is updated to incorporate some of the many lessons organizations have learned during the past year or so. “What worked, what didn’t work and how can we improve? We need to take those exercises and build that in as we go forward,” he said. “We need to identify other areas of risk that we wouldn’t have known about before the pandemic, and include that as part of our due diligence moving forward.”
- Planning is everything. Langer found that the biggest factor in an organization’s ability to recover from a disaster is how well they had prepared. “The one thing that can turn a sticky situation to something much more successful is planning, planning, planning,” he noted. “Organizations that had a contingency plan and did exercises around it beforehand were able to turn around very quickly.” On the other hand, for those that didn’t have those steps in place, it was more of a struggle, especially for end users. “There were basic things that couldn’t be done from an operational standpoint.”
- Don’t act alone. As part of any disaster recovery strategy, it’s essential that emergency management and response, cybersecurity, and business continuity are closely aligned, according to Mookencherry. “Those four are so intertwined in a situation like Covid, and you need all four working together like parts of a bicycle wheel,” she said. “They’re the spokes that need to work together to move the machine forward.”
And it can’t stop when the pandemic recedes; departments that may have once operated in silos need to continue to collaborate as organizations move past Covid, noted Langer. “Many of the risk assessment exercises and the mitigating controls required stakeholders outside of information security, clinical engineering, network security, etc.,” he said. “Those command centers, if they continue to exist in a little bit of a different cadence and different forum after the height of Covid, can work together really well. And they can get better resolutions and better insight into the clinical context of the threat of the risk.”
This article is based on the webinar Remediating Telehealth Security Risks Introduced During the Covid Fight (sponsored by Medigate).