COVID-19: Battling Changing Healthcare Cyberthreats
Andrew Mahler and Dave Bailey of CynergisTek Discuss Top Cyber Concerns
The COVID-19 pandemic has raised the ante significantly for the attack surface and the level of insider threats facing healthcare sector entities, according to Dave Bailey, vice president of security services, and attorney Andrew Mahler, vice president of privacy and compliance, of consultancy CynergisTek.
"What the pandemic did for us is change our behaviors, the way we are running our businesses - not only clinically, but how we deliver IT services, how we have to secure our environment. And this attack surface we're trying to protect has a very large emphasis and focus today with the threat," Bailey says in an interview with Information Security Media Group.
Before the pandemic, most cybersecurity issues facing healthcare meant financial pressure, such as the costs associated with a data breach or a regulatory fine, Bailey says.
"Now, what we're seeing is when you have a threat actor who can do destructive behavior to a business, it changes not only the regulatory or liability threat of a cyberattack, but it can be catastrophic to your business.
"We're starting to see hospitals and health systems, from a business perspective, be gravely impacted with days, if not weeks, of downtime due to some kind of destructive cyberattack."
In an advisory released Thursday, the Department of Health and Human Services' Office for Civil Rights urged healthcare entities to take important steps to avoid falling victim to protected health information breaches involving hacking and related incidents, including ransomware, as these incidents are on the rise.
The steps include educating staff about phishing, patching known vulnerabilities and implementing strong authentication and privileged access management, the HIPAA enforcement agency says, adding: "Cyberattacks are especially critical in the healthcare sector as attacks on electronic PHI can disrupt the provision of healthcare services to patients."
In addition to a surge in hacking incidents, the pandemic has highlighted insider threats and the critical importance of user access monitoring, says Mahler, a former investigator at HHS OCR, in the same interview.
"As people have access to sensitive data - protected health information and personally identifiable information - potentially outside their office environment, the likelihood of some of these users looking at things they shouldn’t be looking at - purposely or inadvertently - has skyrocketed," he says.
Mahler, who is a speaker at the Healthcare Information and Management Systems Society conference in Orlando, Florida, on March 14-18, says: "It's incredibly important that organizations have a system and practice in place that is proactively monitoring user activity within sensitive environments."
In the video interview, Mahler and Bailey also discuss:
- The latest data privacy compliance and regulatory issues facing healthcare sector entities;
- Security controls and best practices that often do not get enough attention in healthcare;
- Other cybersecurity concerns for the healthcare sector as 2022 progresses.
Bailey leads the managed validation, professional and consulting services for the healthcare business. Prior to that, he served as the director of technology and security at Mary Washington Healthcare, where he was responsible for technology leadership and served as the HIPAA security officer.
Mahler, an attorney, leads data privacy and healthcare compliance professional, consulting and managed services. Previously, he served as the privacy and research integrity officer for the University of Arizona and before that, he investigated HIPAA privacy, security and breach notification compliance cases at HHS OCR.