#HowTo: Protect COVID-19 Data from Breaches and Theft

COVID-19 ushered in an unprecedented time for IT professionals at all levels. Fighting the disease meant gathering, storing and organizing a tremendous volume of data. One patient might receive several PCR tests for infection, be hospitalized for the disease, then receive three vaccination shots (two doses and a booster). Each interaction, plus any medications and procedures, could be recorded by multiple organizations like hospitals, health insurers and state or county public health departments.

Confidential health records are protected by privacy laws like the Health Insurance Portability and Accountability Act (HIPAA). Violations could result in civil, monetary or criminal penalties for those responsible. Organizations must thus safeguard patient data as securely as possible while sharing what data they legally can to help understand the disease.

IT professionals have faced cybersecurity challenges since the first lockdowns. The severity of the restrictions designed to minimize infections forced healthcare organizations to implement systems for working remotely. Rushing these rollouts, IT departments left out vital security procedures. They have scrambled to correct these flaws, first and foremost by embracing cloud-based computing.

To the Cloud

Healthcare and government organizations are embracing cloud-based services. The cloud's advantages include letting authorized users access information from anywhere on earth. Services like Amazon's AWS, Google's Google Cloud Platform and Microsoft's Azure are designed with exceptional security. These companies monitor their systems for attempted data breaches and work around the clock to ensure the software has the latest security updates. The services log all login attempts and what users review, change or download, so unauthorized use can be traced to an individual.

Despite these precautions, hackers might still access stored data, so information in the cloud must be encrypted. Unauthorized access without an encryption key will yield only unusable gibberish. Cloud services make multiple backups, enhancing protection in case a data center is damaged.

Anonymous Data

Data shared between healthcare systems and researchers via the cloud must be unidentifiable, stripped of private details (name, address, social security number and precise birthdate). De-identified data is virtually useless to thieves but helpful to researchers or public health officials.
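The de-identification step described above, as an added example that is not part of the original article. The field names and the sample record are constructed assumptions, and scrubbing identifier values out of free-text notes goes one step beyond the four fields the article lists.

```python
import re
from datetime import date

# Field names are assumptions for this example; the identifier list follows
# the article: name, address, social security number, precise birthdate.
DIRECT_IDENTIFIERS = ("name", "address", "ssn", "birthdate")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def deidentify(record, scrub_free_text=True):
    """Return a shareable copy: identifier fields dropped, birthdate reduced
    to a year, and identifier values scrubbed out of remaining text fields."""
    known = [str(record[f]) for f in DIRECT_IDENTIFIERS if record.get(f)]
    shared = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if scrub_free_text and isinstance(value, str):
            for secret in known:
                value = re.sub(re.escape(secret), "[REDACTED]", value,
                               flags=re.IGNORECASE)
            value = SSN_PATTERN.sub("[REDACTED]", value)
        shared[field] = value
    if record.get("birthdate"):
        shared["birth_year"] = date.fromisoformat(record["birthdate"]).year
    return shared

def residual_identifiers(record, shared):
    """Release check: which identifier values still appear in the shared copy?"""
    text = " ".join(str(v) for v in shared.values()).lower()
    return sorted(f for f in DIRECT_IDENTIFIERS
                  if record.get(f) and str(record[f]).lower() in text)

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example",
    "address": "12 Sample Street, Springfield",
    "ssn": "000-12-3456",
    "birthdate": "1980-04-17",
    "test_type": "PCR",
    "result": "positive",
    "notes": "Jane Example (SSN 000-12-3456) reported a cough on intake.",
}

if __name__ == "__main__":
    naive = deidentify(SAMPLE, scrub_free_text=False)
    print("leaked without scrubbing:", residual_identifiers(SAMPLE, naive))
    safe = deidentify(SAMPLE)
    print(safe, residual_identifiers(SAMPLE, safe))
```

Dropping the identifier columns alone still leaves the name and SSN in the notes field, which is why the release check compares the shared copy against the original values before anything leaves the organization.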


Most companies require employees to access internal networks through a VPN. VPNs protect confidential materials transmitted between users and the cloud, keeping cyber-criminals from eavesdropping on the transfer. Most VPNs use multifactor authentication, making users input a randomly generated code plus their password at every login. A VPN with multifactor authentication dramatically enhances overall network security for remote workers.

Mobile Devices

Information can be collected and stored on smartphones, laptops, tablets and more. Great for fieldwork, smart devices are light and portable, which makes them vulnerable to loss, theft or damage. To mitigate these risks, several apps automatically back up new or altered data to the cloud. If a mobile device becomes unusable, most of the new data survives.

IT departments can install software like BitLocker to encrypt devices so that, if one is lost or stolen, a password is required to unlock the hard drive. If a user enters an incorrect password multiple times, the device locks down until reset with a unique 16-digit key available only to administrators.

The Human Factor

When it comes to cybersecurity, the weakest link is usually the user. Many have felt significant stress over the pandemic, their employment situation and their workload. In a recent survey of US risk professionals who suffered cyber-attacks or data breaches, 82% blamed remote technology or employee behavior. The rush to embrace remote work kept many employees from training to recognize phishing, ransomware or social engineering. Such training must be ongoing and must reinforce the necessity for vigilance whether contacted by someone outside or inside the organization.

Cyber-criminals have become more sophisticated in their techniques to compromise networks. A Deloitte study showed that about 35% of successful attacks used innovations like machine learning to access systems.

COVID-19 has changed our day-to-day lives. With the additional cases from new variants, a pre-pandemic status quo may be further delayed. Pandemic or not, cybersecurity remains a primary focus for IT professionals 24 hours a day, seven days a week, 365 days a year. They must be hypervigilant when collecting or disseminating data as new challenges emerge almost daily. Taking the necessary precautions and training staff to recognize these threats goes a long way to mitigating the risks of a data breach.
