Nov 16, 2020
Cybersecurity recommendations for hospitals on the front lines of COVID-19

The COVID-19 pandemic continues to place unprecedented demands on the healthcare system. Many hospitals have had to reconfigure their facilities, from expanding remote monitoring and telemedicine to adding dedicated COVID-19 units. During Cybersecurity Awareness Month in October, we invited two industry leaders representing healthcare providers—and BD customers—to share insights with our associates regarding how COVID-19 has impacted cybersecurity at hospitals. Erik Decker, Chief Information Security and Chief Privacy Officer for the University of Chicago Medicine, and Mitch Parker, Chief Information Security Officer for Indiana University Health, spoke about cybersecurity challenges that have come with the pandemic and what hospitals, as well as medical device manufacturers, can do to protect patient safety and privacy. Here are three of the best practices that helped their hospital systems maintain cybersecurity resilience while also coping with surges in coronavirus patients:

Factor cybersecurity risk management into your emergency response

Hospitals are required by law to maintain emergency management processes, and those tried-and-true processes serve as a guide during extreme circumstances—like reconfiguring a hospital to set up temporary COVID-19 units. “When you’re turning up new units,” said Decker, “you're quickly putting new technology in place, and that may include leveraging potential policy exceptions and risk management waivers in order to get the system up and operational to safely treat isolated patients.” Even when temporary, those adjustments are made in alignment with emergency management processes and the Hospital Incident Command System (HICS).

“That’s ultimately where cybersecurity programs tie in with regular emergency management protocols, to make sure we have everything accounted for,” Decker added. “It’s very much a visibility exercise and an abbreviated risk assessment, with the goal of understanding how to protect hospital cybersecurity while meeting the challenges of the declared emergency.”

Enable remote monitoring, telehealth and outpatient services

For many hospitals across the U.S., preserving limited personal protective equipment (PPE) was essential to keeping staff safe while treating patients—and that meant accelerating remote monitoring capabilities. “IU Health deployed cameras and iPads® in our COVID units to preserve scarce PPE and reduce the number of times nurses needed to enter the rooms,” Parker said.

To reduce the risk of community spread, many hospitals also increased telehealth and outpatient services. “It’s not just telemedicine that has grown. We’ve seen a rapid move to outpatient services, as well,” Parker said, noting that revenue from outpatient services has eclipsed inpatient care. “COVID-19 moved this up by three to five years,” he said. “At IU Health, we measure the increase in telemedicine services by thousands of percentage points compared to 2019.”

Think like threat actors

Cybercriminals look for opportunities to capitalize on events like the pandemic. They know that hospital networks’ attack surfaces have expanded to allow for remote monitoring and telehealth, and they also know that providers on the front lines are stretched to their maximum capacity. To stay alert, Decker recommends thinking like a threat actor.

“Ask yourself what they’re trying to do and what kind of impact they’re trying to make,” he advised. “Most threat actors are looking for financial gain through data theft, extortion of your environment, or other means.”

Yet, cybercriminals have also attempted to disrupt the development of COVID-19 diagnostics, therapies and vaccines. “We’re all racing for a vaccine right now,” Decker said, “and there are absolutely threat actors who want information and data related to that effort.”

To increase protections against those types of targeted attacks, Decker’s team stood up an extra deployment within their security operations center. The initiative “allowed us to focus on identifying attack methods, looking for common attack vectors and standing up new visibility and prevention capabilities,” Decker said. “In a sense, that was its own emergency management process, where you reorganize and redeploy the team to focus on this moment at hand.”

As COVID-19 cases continue to rise, more hospitals around the world are facing these same concerns. As Parker described, “It takes a community working together to improve the quality of life for everyone.” That’s why it’s so important for healthcare providers and medical device manufacturers to work closely together to improve cybersecurity and enable patient care, safety and privacy throughout this global health crisis.

