When Covid-19 cases first spiked, and thousands of workers transitioned rapidly to a remote environment, IT and security leaders were forced to something that goes against everything they’ve ever learned.
“There was an avenue of trust,” said Chris Frenz, CISO and AVP of IT Security, Mount Sinai South Nassau, during a recent panel discussion.
Although the organization for which he worked when the pandemic hit (Interfaith Medical Center) already had the infrastructure in place to enable remote work, the team still struggled to manage such a drastic uptick. “It was a challenge,” he said — not just in terms of volume, but in dealing with the myriad variables that come with home networks.
Similarly, Franciscan Health was “well positioned” when lockdowns went into place, having already begun standing up an expanded VPN service and a secure perimeter for its firewall, noted Chuck Christian, VP of Technology and CTO at Franciscan Health. But obstacles still arose, from shared computers to unsecure wireless connections.
It brought up a lot of questions — even for organizations that had dipped their toes into telecommuting, said Chris Feeney, Healthcare Workflow Specialist, IGEL Technology. “We had a lot of people asking, do we send devices home? Can we find devices? And if not, are we going to allow the end user’s computer, which don’t know, to come onto our VPN and access our networks? It was a big shift.”
For CISOs, CIOs, CTOs and others, it meant devising a new strategy for dealing with an old problem: balancing usability with security. During the webinar, Frenz, Christian and Feeney shared perspectives on how they handled the initial hurdles and what needs to happen going forward.
Putting up walls
To Christian, who has a few decades of CIO experience under his belt, the biggest challenge upfront was the speed in which major tasks had to be done. “We needed to make sure endpoints were secure, and we needed to do it quickly,” he said, which is no easy task when dealing with individuals’ personal networks. “Even though they were our assets being used, the first part of the network wasn’t secured, and so we had to do that once they connected back to us.”
One of the keys in being able to do that was the “great working relationship with our security team,” said Christian, adding that daily huddles helped keep leaders from different departments on the same page. “That was a big piece for us.”
For Frenz’s team, a critical step was implementing a strict policy regarding personal devices. “If users want to remote in from home or use any type of owned device, they have to connect to a virtual desktop infrastructure (VDI) to access the network,” he noted. “It provides a layer of segmentation.”
At Franciscan, users are blocked from accessing personal email accounts from the corporate network — even if they’re using a personal device that’s connected to the VPN. “You can’t get to it,” Christian said. “It’s no different in my home than it is when I’m in the office.” In doing so, his team is able to control and secure the environment.
What often happens, however, is that as more security provisions are implemented, more steps are added to the process, which can negatively affect the user experience.
“At the end of the day, regardless of what you’re connected into, if the user experience is poor, they will reject the solution and they’ll either turn to shadow IT, which don’t want, or go find another place to work,” said Feeney. It’s a situation IGEL hopes to avoid by enabling users to configure workflows wherever possible. “A lot of those workflows are driven from a VDI or a Windows-based experience,” he noted. “We need to think about what the user wants to do, without having to worry about whether a machine is operatable.”
The reality is that even the most sophisticated machines can have some lag time when connected to the cloud; not an ideal situation in a hectic care environment where microseconds matter. That, according to Christian, is where the tricky balance comes into play. “Clinicians just want to do their jobs. They want to get to the information.” And although they’re aware of security measures, “it’s not something they think about.”
It’s a mindset that needs to change — and fast. “Security is everyone’s job, just like patient safety,” he said. “You can’t relegate it to a small group of folks in one department. Everyone has to be worried about safety.” One way his team hopes to drive that philosophy is by drafting agreements for all remote workers providing clear guidelines on what can, and cannot, be done. Only those who read and sign the contract have the green light to work from home.
And while that policy might work well for IT teams, providers are a different entity, according to Frenz. The key, he believes, is in “finding commonality between what IT security wants and what the physician wants, which, at the end of the day, is the same: keeping patients safe,” he noted. Partnering with clinicians and explaining why security measures exist can decrease resistance.
“If you begin to speak the language of physicians and wrap clinical context around what you’re doing, why, and how it can protect patients, that helps eliminate some of the barriers,” Frenz added. “The more you can show that your goals are aligned, the easier it is to have these conversations,” which in turn helps safeguard the systems that are key to hospital operations.
It is, clearly, an extremely complex endeavor. But if leaders are willing to go the extra mile, securing the expanded attack surface is within reach, according to the panelists, who shared a few more useful tips:
- Approach training from multiple angles. Frenz’s team employs a multifaceted strategy that includes concentration training, which focuses on those who click on test phishing links, and basic training through instructional videos. They also send out weekly awareness messages and hold contests where participants can win prizes for demonstrating cyber-hygiene.
- Make it invisible. The quickest way to lose support for security measures is by requiring clinicians to take extra steps, noted Feeney. “Security has to be invisible,” he said, which means eliminating any unnecessary prompts that can break a provider’s train of thought. “These are things that need to be thought through, whether they’re remote or inside the hospital. You want to give them an experience that allows them to do what they’re trained to do.”
- Invest in infrastructure. Although the pandemic was challenging for all organizations, those that had invested heavily in IT security had a distinct edge by being able to scale quickly and safely, according to Frenz. On the other hand, those with a less robust infrastructure struggled through the transition to remote work. “The pandemic really showed how useful it is to invest in IT,” he noted.
- Fight the good fight. Asking for more money to reduce technical debt isn’t always an easy conversation, however, particularly when leaders are competing with departments that generate significant revenue. “Those are interesting capital conversations when you’re trying to secure several million dollars for the wireless infrastructure while the hospital wants a new CT scanner,” said Christian. But having that foundation in place isn’t negotiable, and leaders must be willing to fight for it.
- Never assume. The importance of regular testing can’t be overstated, said Frenz, noting that it’s not enough simply to deploy controls. He strongly recommends testing and validating security systems as often as possible. “When you put security controls to the test, you’ll be surprised how often they fail,” he noted. “I think organizations need to be a little more proactive.”
Feeney concurred, adding that CISOs and others can never let their guard down, especially in the current climate. “You can put solutions out there, but maintain that vigilance,” he said. “You can never let your guard down.”
To view the archive of this webinar — Securing the Expanded Attack Surface Created by a Remote Workforce (Sponsored by IGEL) — please click here.