7 minute read 30 Mar 2020
Nurse using computer at desk in hospital

Eight issues that health systems overlook while fighting COVID-19

By Nicole L Mendolera

EY Americas Cybersecurity & Business Resiliency Manager

Cybersecurity and business resiliency guru. Foster parent to at-risk teens with special needs. Enjoys traveling, hiking and volunteering. Grew up in Buffalo, New York and still loves the snow.

Contributors
7 minute read 30 Mar 2020

As healthcare workers fight COVID-19 on the frontline, health systems must fight off opportunistic cyber attackers.

H
ealth systems around the world are in a race against time to secure medical equipment, locate extra beds for intensive care and expand their clinical workforce by calling up retired healthcare practitioners. Healthcare clinicians are isolating and treating COVID-19 patients, finding creative solutions to medical device shortages and continuing their care of other critically ill patients – all while trying to fend off an increase in cybersecurity attacks and incidents.

With patient safety and care taking top priority, health systems want to ensure that critical issues are not overlooked as they respond to the surge in COVID-19 cases. To deliver the best outcomes for patients, clinicians must have access to secure, real-time and accurate data when creating treatment plans. With more connected medical devices, such as automated IV pumps, that stream real-time patient data to the treating clinicians, securing technology is more critical now than ever before.

Security enables patient safety and care by preserving the accuracy of the patient data, while still protecting patient confidentiality and privacy. A cyber attack that makes patient data inaccessible to clinicians, or disables medical devices, could be just as damaging to the COVID-19 efforts, as a shortage of doctors.

Through teaming with health organizations that are fighting COVID-19, we have identified eight issues that are commonly overlooked as they respond to the pressures of the pandemic. Below, EY shares advice on immediate steps healthcare leaders can take to address areas that may have been overlooked: 

1. Protecting and responding to the increase in cyber attacks

The challenge: COVID-19 has made health systems a target for cyber attacks.

What you can do:

  • Become familiar with the new wave of cyber attacks targeting your health system. These include, but are not limited to, fraud schemes, denial-of-service attacks, attempts to steal patient information with the aim of committing insurance fraud, and the use of social media accounts to distribute malicious material.
  • Re-establish the network traffic baseline needed to detect attacks. Network traffic baselines will have changed significantly as your workforce has shifted to working remotely, and new healthcare professionals step up to help during the crisis. Recalibrate security monitoring settings accordingly.
  • Prepare to react quickly to a cyber incident by validating response and escalation procedures when handling security attacks.

2. Managing the significant increase in teleworking

The challenge: Non-clinical staff are working from home instead of the office and large numbers of retired healthcare clinicians and medical students have stepped up to assist.

What you can do: 

  • Enforce the use of secure teleworking solutions, including virtual private networks (VPN) and multi-factor authentication.
  • Issue telework guidelines and encourage the use of collaborative platforms such as video conferencing tools, secure portals and protected shared drives.
  • Provide links to official pandemic resources such as government agency and increase organizational messaging to keep workers well informed.
  • Understand the risks, and implement compensating controls (e.g., increased monitoring) and when deferring critical software patches and putting medical devices on unsegmented networks.
  • Provide a refresher to help desk and support personnel about social engineering and privacy protocols as they will see an uptick of patient calls.

3. Defending against phishing attacks

The challenge: There has been an increase in phishing and spam emails that use COVID-19 as a topic. These are particularly targeted at corporate executives and use the pandemic to stress the urgency of their request.

What you can do:

  • Highlight the issue of phishing attacks to your executives, and the organization more broadly. Make sure employees know who to contact if they have questions or suspicions.
  • Educate end users on how they can distinguish between real emails and phishing emails. Provide ongoing security awareness materials and reminders to your workforce during the pandemic.
  • Continue to respond to phishing attacks by removing suspicious emails from mail servers and employee mailboxes before reaching their intended destination.

4. Minimize downtime for medical devices

The challenge: Medical devices that have been in storage may not be ready for immediate use.

What you can do:

  • Evaluate medical devices that are not currently in use to determine their operability – they may not have received the most recent patches or be checked for recalls.
  • Ensure that tracking and inventory of devices remains up-to-date so that devices can be allocated where they are needed the most.
  • Prioritize vulnerabilities that require an immediate fix. Change the default password of medical devices and refrain from connecting devices with known high-risk vulnerabilities to the network. Use software patches to fix remote code execution vulnerabilities within virtual private networks. 

5. Stabilizing your network

The challenge: The infrastructure that supports health systems is not designed to accommodate the surge in network traffic during the COVID-19 pandemic. 

What you can do:

  • Review whether your current infrastructure has the capacity to support increased traffic and a greater number of remote users. Implement additional network appliances, secure extra bandwidth, and buy licenses and tools, as necessary.
  • Accelerate onboarding of retired medical staff who are returning to the workforce. Ensure only the appropriate and necessary access to systems, as required to do their jobs, is granted.
  • Consider setting up additional help centers to support the likely influx of questions from patients. 

6. Leveraging your vendors

The challenge: Vendors of essential medical equipment are under pressure to deliver, when their own supply chains are being disrupted and their staff are falling ill or entering self-isolation.

What you can do:

  • Proactively reach out to your vendors to understand whether shortages of critical medical equipment will impact you.
  • Confirm vendor delivery timelines and seek alternative vendors that may be able to assist if shortages are anticipated. For the latter, exercise caution – Interpol has warned of criminals running financial scams, posing as medical distributors, who claim to sell masks and other supplies.
  • Be persistent in advocating with the government for the supplies you need to protect your clinicians and treat your patients.
  • Reach out to your community for additional supplies. Approach local businesses, such as dentists and construction companies, as well as members of the public, who may have the supplies they can donate.

7. Handling critical decisions when decision-makers are out

The challenge: Key business leaders and clinicians may fall sick and become unavailable to make critical decisions.

What you can do:

  • Confirm the functions that are essential to support patient safety during a crisis, and personnel that manage and execute critical processes.
  • Identify backups/delegates for decision-makers that fall ill and ensure they have access to the documentation, tools and training that will allow them to make well informed decisions.
  • Communicate frequently about any change in personnel. This includes business leaders, clinicians, and those in key supporting roles such as payroll, procurement, and IT. 

8. Offer reassurance and support through targeted communications

The challenge: During a pandemic, anxiety and panic are at an all-time high. Your staff and patients want to know that you are making every effort to support them physically, mentally, medically and financially.

What you can do:

  • Minimize misinformation by offering your workforce and patients reliable resources they can use to keep up-to-date on COVID-19 and its potential impact on them and their family.
  • Increase support for employees, for example, by adjusting paid sick leave policies, running a mental health crisis hotline or offering financial assistance.
  • Provide regular updates on how you are supporting your workforce and patients on key topics (e.g., how you are keeping your clinicians safe by addressing equipment shortages).

Summary

Security enables patient safety and care by preserving the accuracy of the patient data, while still protecting patient confidentiality and privacy. During a pandemic, anxiety and panic are at an all-time high. Opportunistic cyber attackers will be looking to exploit this, but they can be fended off, if health organizations take appropriate action.

About this article

By Nicole L Mendolera

EY Americas Cybersecurity & Business Resiliency Manager

Cybersecurity and business resiliency guru. Foster parent to at-risk teens with special needs. Enjoys traveling, hiking and volunteering. Grew up in Buffalo, New York and still loves the snow.

Contributors