Must-Have Telehealth, Remote Work Privacy and Security for COVID-19
COVID-19 has drastically increased the threat landscape for healthcare with the spike in telehealth and remote work; here are the must-have privacy and security needs during the pandemic.
The COVID-19 pandemic has rapidly expanded the use of telehealth, telemedicine, remote work, and bring-your-own-device (BYOD), both on-site and remote, across the healthcare sector. But while some outlets have reported that hackers have vowed not to target providers during the crisis, healthcare leaders should not be lulled into a false sense of security.
On March 18, the HHS Office for Civil Rights announced it would not impose penalties for HIPAA noncompliance against providers using telehealth platforms that may not comply with the privacy regulation during the pandemic.
The move allowed providers to tap into popular teleconferencing apps, such as Zoom, Skype, and others, as long as the platform is not public-facing, such as Facebook Live or TikTok.
While expanding telehealth has allowed for safer care of patients during the crisis, it does raise several privacy concerns. For example, researchers have observed attackers abusing Zoom-themed domains for malicious activity in light of the app’s popularity.
Further, Europol, the Department of Health and Human Services’ Office of the Inspector General, the FBI, and Microsoft have all warned about the increase in coronavirus-related fraud schemes, supply chain attacks, and targeting of unpatched remote code execution flaws in Windows.
Remote work is also expanding healthcare’s attack surface, with virtual private network (VPN) usage up 124 percent in the US in the last two weeks alone, according to Atlas VPN.
VPNs are one of the most common, secure methods for connecting remotely to an enterprise network. However, organizations have been failing to patch critical vulnerabilities in some of the most widely deployed VPN products, despite repeated warnings and available patches.
Pulse Secure’s CMO Scott Gordon told HealthITSecurity.com that there has been a significant influx of these technologies in the healthcare space. But the risk is also tied to the expanded list of employees and contractors accessing the network, which opens the door to more security risks and compliance exposures.
“The issue is… cybersecurity takes a back seat to patient care,” a WALLIX spokesperson told HealthITSecurity.com. “A hospital’s number one job is to manage patient care, and cybercriminals know this. The security concerns come from third-party contractors, insurance companies, billing companies and other admin types that can work from home, but still need access to the network.”
“Endpoint security and privilege elevation and delegation management are holes in the security posture of a lot of networks, not just in the healthcare sector,” they added. “With new shelter-in-place policies, network admins are now working from home in addition to the usual third-party contractors and maintaining critical equipment in this high-stakes time, so access control and endpoint management become more important.”
Industry stakeholders have stressed that the expanded use of these technologies has added significant benefit to the healthcare sector at this time. But it will be critical for healthcare providers to keep patient privacy and their infrastructure secure by deploying the technology safely and properly.
Identity Authentication
From an institutional standpoint, the use of continuous identity authentication will be critical during the crisis. Gordon explained this can be accomplished in several ways, but the most common is multi-factor authentication (MFA). Microsoft reports that MFA blocks 99.9 percent of automated account-compromise attacks.
According to NIST, “MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.”
“Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor,” NIST explains. “Between device recognition and analytics, the bank is likely performing — such as whether you’re logging in 20 minutes later from halfway around the world — most of the time the only ones that have to do any extra work are those trying to break into your account.”
The goal should be to go beyond a username and password (and knowledge-based security questions, which are the same factor as the password) to a second, independent factor, such as a one-time code from an authenticator app or hardware token after the initial login request. MFA reduces the chance that an unauthorized user can pose as an authorized individual to gain access to sensitive resources and applications.
A recently released NIST bulletin on telework advises organizations to plan telework-related security policies and controls “based on the assumption that external environments contain hostile threats.” NIST recommends MFA as the preferred method for strong authentication.
WALLIX added that organizations should also prioritize access control, including identifying the user, their activities, and the permissions they have. A privileged access management solution is designed for this activity, but organizations should also be monitoring user traffic on their infrastructure from both inside and outside the enterprise network.
Lastly, the Principle of Least Privilege is key.
“Users should only have access to the bare minimum of resources for the least amount of time necessary in order to minimize risk and maximize security,” a WALLIX spokesperson said. “Privilege elevation and delegation management gives organizations more granular control over elevating specific users that may need a higher privilege.”
Continuous Endpoint Posture Checking
“With employees going remote, their endpoints are no longer protected by the corporate network’s perimeter security,” a WALLIX spokesperson said. “Endpoint privilege management enables organizations to control the administrative and access capabilities of users no matter where they’re located.”
For Gordon, organizations heavily leaning on applications in the cloud and data center should be implementing continuous endpoint posture checking. The use is especially important for those rapidly deploying telemedicine support and engaging with patients both on- and off-premise.
Posture checking allows organizations to authenticate not only the user, but also the device they’re using and its security posture. Organizations need to define the minimum security requirements for the device and its communication methods, which then allow the nurse, doctor, contractor, or administrator to access an application or resource no matter where it resides.
These requirements should include running antivirus software with current signatures, enabling a personal (host) firewall, and running anti-phishing software. It is also crucial to verify that any healthcare-specific applications the organization requires are installed on the device and have not been tampered with.
“Many progressive healthcare organizations have certain applications that could install on devices, to ensure the device remains compliant,” Gordon said. “So, if the user or someone tampers with that app or configuration or is using a device that doesn’t have the required things, it would be flagged as a potential at-risk device, which could introduce viruses or privacy compliance exposure for the institution.”
“Organizations must enforce endpoint compliance and then communicate those items to staff,” he added. “It’s pretty significant when you open the door to more users, as well as accessing personal and corporate devices, whether on- or off-premise.”
NIST recommends that organizations protect against eavesdropping, interception, or modification of communications on external networks by encrypting those communications and by authenticating the endpoints to each other to verify their identities.
Mobile Device Management Tools
Organizations can securely embrace a broader BYOD strategy during the pandemic with the use of mobile device management tools that can enable the segregation of personal devices and applications from healthcare apps and data.
“By doing so, providers can radically reduce the risk of data leaks and the risks of potentially vulnerable, stolen, or lost devices,” Gordon explained. “It also makes it more convenient to bring up telemedicine and remote access capabilities faster than if providers were to distribute corporate devices to get the access they need.”
According to NIST, it is imperative that organizations develop telework security policies that define telework, remote access, and BYOD requirements. Best-practice policies cover the forms of remote access the organization permits, the devices that may be used for remote access, the type of access granted to the teleworker, and the administration and patching of remote access servers.
Further, providers should make “risk-based decisions” about the level of access they permit to each type of client device. NIST describes a tiered approach to remote access that allows “the most controlled devices [e.g. organization-owned laptops] to have the most access and the least controlled devices [e.g. BYOD mobile devices] to have minimal access.”
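The two ideas above, minimum endpoint requirements (antivirus running and current, host firewall on, required compliance agent present and untampered) and NIST’s tiered model in which the most controlled devices get the most access, fit naturally into one policy decision. The block below is an added example written for this article, not the article’s own code and not any vendor’s product logic. It evaluates a device posture report and returns an access tier. The tier names, the three-day signature-age limit, the pinned agent hash, and every posture report in it are constructed assumptions; a real deployment would take these from the MDM or VPN posture agent.

```python
"""Device posture check plus tiered remote access (added example, not from the article).

All tier names, limits, the expected agent hash and the sample reports are constructed.
"""
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Access tiers, most to least capable (assumed names for the example).
FULL = "full"            # clinical systems, EHR, admin consoles
LIMITED = "limited"      # telehealth client, email, scheduling only
REMEDIATE = "remediate"  # self-service fixes only, then re-check
DENY = "deny"

MAX_SIGNATURE_AGE = timedelta(days=3)
# Hash the required compliance agent is expected to report (constructed value).
EXPECTED_AGENT_HASH = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"


@dataclass(frozen=True)
class Posture:
    device_id: str
    ownership: str        # "managed" (org-owned, MDM-enrolled) or "byod"
    av_running: bool
    av_signatures: date   # date of the last antivirus signature update
    firewall_on: bool
    agent_present: bool   # required compliance agent installed
    agent_hash: str       # hash of that agent as reported by the device


def posture_findings(p: Posture, today: date) -> List[str]:
    """Return the list of minimum-requirement failures; empty means compliant."""
    findings = []
    if not p.av_running:
        findings.append("antivirus not running")
    elif today - p.av_signatures > MAX_SIGNATURE_AGE:
        findings.append("antivirus signatures older than %d days" % MAX_SIGNATURE_AGE.days)
    if not p.firewall_on:
        findings.append("host firewall disabled")
    return findings


def access_tier(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Map a posture report to an access tier plus the reasons.

    A missing or altered agent means nothing else in the report can be trusted,
    so that case is denied outright instead of being sent to remediation.
    """
    if not p.agent_present:
        return DENY, ["compliance agent missing"]
    if not hmac.compare_digest(p.agent_hash, EXPECTED_AGENT_HASH):
        return DENY, ["compliance agent tampered (hash mismatch)"]
    findings = posture_findings(p, today)
    if findings:
        return REMEDIATE, findings
    # Compliant: the tier is still capped by how controlled the device is.
    return (FULL if p.ownership == "managed" else LIMITED), []


TODAY = date(2020, 4, 1)   # constructed reference date

# Constructed posture reports covering each branch of the policy.
SAMPLES = [
    Posture("LAPTOP-01", "managed", True, date(2020, 3, 31), True, True, EXPECTED_AGENT_HASH),
    Posture("PHONE-07", "byod", True, date(2020, 3, 30), True, True, EXPECTED_AGENT_HASH),
    Posture("LAPTOP-02", "managed", True, date(2020, 3, 31), False, True, EXPECTED_AGENT_HASH),
    Posture("PHONE-09", "byod", True, date(2020, 3, 1), True, True, EXPECTED_AGENT_HASH),
    Posture("LAPTOP-03", "managed", True, date(2020, 3, 31), True, True, "sha256:deadbeef"),
]


def run_samples(today: date = TODAY) -> dict:
    """Decide a tier for every sample report, keyed by device id."""
    return {p.device_id: access_tier(p, today)[0] for p in SAMPLES}


if __name__ == "__main__":
    for p in SAMPLES:
        tier, why = access_tier(p, TODAY)
        print(p.device_id, tier, "; ".join(why))
```

The ordering matters: tamper evidence is checked before anything the agent reports, because a tampered agent can claim whatever posture it likes, and ownership only comes into play once the device is compliant, so a fully patched BYOD phone still lands in the limited tier.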
User Experience
As noted in dozens of security reports, users and insiders are healthcare’s biggest weakness. Especially in an emergency and with telemedicine use, Gordon stressed that organizations need to make sure these platforms are designed for the practitioners – as well as being secure.
Enterprise VPNs remain the mainstay of protected remote communications for about 95 percent of organizations, including those in the healthcare sector, and a best practice for remote access security and compliance.
For Gordon, several VPN platforms can provide both MFA and endpoint compliance, while ensuring protected connectivity “where you’re encrypting the communication session between the device and the data, between the practitioner’s devices and the application.”
From a compliance perspective, VPNs are imperative because they encrypt data in transit and authenticate the endpoints, so data is not exposed to or sent to the wrong party. That also defends against man-in-the-middle attacks, and it ensures sensitive corporate data passes through corporate resources before being sent on to an internet-hosted application.
“Modern VPN solutions have capabilities to ensure user experience, such as always-on or per-application VPN tunneling,” Gordon explained. “This way, without any user intervention, the communication session remains secure and data remains compliant.”
“Modern VPNs have two things. One, configuration lockdown, which negates the possibility of a user inadvertently changing a configuration that would make the devices vulnerable,” he added. “They also typically offer automated remediation capabilities.”
For example, if a user is running a device with older antivirus or a deactivated personal firewall, a modern VPN would give a user ways to self-help or update something that needs to be compliant – before use.
While VPN use is typically the most secure method, there is no silver bullet for security. Just last year, several alerts were issued about vulnerabilities in some of the most common VPN platforms. But as of January 2020, thousands of organizations still had not applied the available patches.
For Gordon, the risk of unpatched VPNs has been heightened during the pandemic.
“Since you are now expanding VPN use to more sets of employees, contractors and affiliates, you should make sure that the VPN software is up to date and current to eliminate potential VPN vulnerabilities,” Gordon said.
“They’ve essentially broadened the attack surface. Every end user accessing information and resources are now part of their attack surface, and they want to do everything they can now that they've added greater accessibility,” he added.
DHS has also published best-practice VPN guidance, as attackers continue to exploit unpatched VPN servers.
Load-Balancing Tech
For Gordon, load-balancing technology does not get enough attention when considering the need to expand coverage and ensure secure delivery of healthcare information between systems and practitioners. The technology can improve application performance and delivery.
Organizations can assign priorities based on which application the practitioner is using, from which platform, and from where. The load balancer sits in front of the healthcare application and gives the organization the ability to prioritize the amount of traffic going to specific applications.
That information lets an organization write policies keyed on the user, the device, the location, or the application, specifying how much capacity a given user is allowed and which applications take priority for particular types of users and devices.
It is well suited to the varying types of remote healthcare providers and end users communicating with hospitals and submitting COVID-19-related requests. Gordon explained that an organization can identify the application and the location of the user and give a higher response, “essentially expanding the bandwidth capacity for higher communities, or higher priorities than users checking on the hospital status.”
It can also give high priority to the hospital administrators and practitioners working from home so that they can connect faster.
“For example, certain applications are more prime for diagnosing potential COVID-19 patients versus general inquiries about a hospital or health system,” Gordon said. “With intelligent load-balancing, it allows health organizations to have better and faster communication for servicing applications, over other triaging applications.”
“On a high level, it’s important for institutions to consider [load-balancing] tech, especially if they’re hosting data in the cloud or using an application delivery controller that allows for dynamic load balancing of application performance,” he added.