One of the lasting legacies COVID-19 will leave is a shift to a permanent remote workforce; it’s not just a change in how we work, but also a change in what adversaries are likely to target.
Healthcare organizations, for example, have increasingly become a soft target for cyber-criminals in light of other entities, such as education, travel, and retail, going on hiatus. A hospital is still in operation during this crisis, and it presents a likely target no matter if the adversarial intent is profit, notoriety, or even access to research related to the pandemic.
First, let’s start with the attack surface, which has dramatically expanded. Telemedicine has been accelerated by more than a decade and in some cases is leveraging commercial solutions that were never designed to handle healthcare data from a security or privacy perspective. Add to this hundreds of employees and vendors working from home with shared workstations and hastily configured VPNs.
It is important to realize that this is not temporary; this is a permanent change in our connectivity, network, and attack surface. While there’s no putting the genie back in the bottle, healthcare leaders must evolve their worldview on security, fortify protections, and double down on training as work shifts outside the physical network, and as employees leave companies, bringing along with them sensitive and protected data.
Historically limited investment in security and IT
For context, healthcare organizations tend to devote about three percent of their IT budgets to security, which is a fraction of the spending in other industries, like financial services. This translates to money lost and sensitive data in dangerous hands.
In fact, new research from IBM shows the cost per record for a healthcare breach amounted to $429 in 2019. This is by far the highest of any industry – and it’s only getting worse. U.S. healthcare breaches last year amounted to $11.8 billion, more than double 2018’s $4.7 billion.
Adding extra security measures to reflect the new threat landscape
Consequently, hygiene is of the utmost importance. For security managers, revisiting security plans and re-assessing the threat landscape is crucial, as playing catch-up with security always puts the bad guy ahead. Moreover, they should conduct an assessment of their security posture and even consider a compromise assessment to ensure the bad guys did not get in.
At this stage, endpoint protection, identity access management, multi-factor authentication, and network segmentation are the equivalent of masks and gowns for remote workers. The need for these has never been higher and many (most) businesses have yet to deploy these technologies. These need to be on the top of your budget list coming out the other side of this crisis.
Keeping company data as employees leave
As budgets dwindle for healthcare organizations, lay-offs are inevitable. Non-critical healthcare workers are often privy to sensitive data, and IT managers need to ensure all data stays with the company when an employee departs. A helpful process is following the principle of least privilege: only give employees access to the data they need to do their jobs.
It’s also important to trust but verify. Endpoint protection products can track file movements, so security managers should look for any unusual movements of large file volumes going back at least three months before the employee’s departure.
Watch for unapproved software, repeated unauthorized attempts to access systems the employee was not entitled to, and non-corporate VPNs, and question any movement of data to new mobile devices. A good policy is also to prohibit the use of USB and portable storage devices and only allow access to corporate-sanctioned cloud environments.
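The look-back review described above can be run as a simple pass over exported file-movement records. The following is an added example, not taken from any endpoint product: the record fields, the sanctioned-destination list, and the thresholds are assumptions, and the sample records are constructed.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample records. A real endpoint product exports its own schema;
# the fields used here (user, day, bytes, dest) are assumptions.
EVENTS = [
    {"user": "jdoe", "day": date(2020, 3, 2), "bytes": 40_000_000, "dest": "corp-cloud"},
    {"user": "jdoe", "day": date(2020, 4, 10), "bytes": 30_000_000, "dest": "corp-cloud"},
    {"user": "jdoe", "day": date(2020, 5, 5), "bytes": 50_000_000, "dest": "file-server"},
    {"user": "jdoe", "day": date(2020, 5, 20), "bytes": 45_000_000, "dest": "corp-cloud"},
    {"user": "jdoe", "day": date(2020, 6, 15), "bytes": 2_400_000_000, "dest": "usb"},
    {"user": "jdoe", "day": date(2020, 6, 22), "bytes": 60_000_000, "dest": "personal-cloud"},
    {"user": "asmith", "day": date(2020, 6, 15), "bytes": 3_000_000_000, "dest": "usb"},
]

# Assumed allow-list of corporate-sanctioned destinations.
SANCTIONED = {"corp-cloud", "file-server"}


def review_departure(events, user, departure, lookback_days=90,
                     factor=5, floor=500_000_000):
    """Return findings for one user in the look-back window before departure.

    A day is a volume spike when its total exceeds both `floor` bytes and
    `factor` times the user's median daily volume within the window.
    """
    start = departure - timedelta(days=lookback_days)
    daily, findings = {}, []
    for e in events:
        if e["user"] != user or not (start <= e["day"] <= departure):
            continue
        daily[e["day"]] = daily.get(e["day"], 0) + e["bytes"]
        if e["dest"] not in SANCTIONED:
            findings.append((e["day"], "unsanctioned-destination", e["dest"]))
    if daily:
        threshold = max(floor, factor * median(daily.values()))
        for day, total in daily.items():
            if total > threshold:
                findings.append((day, "volume-spike", total))
    # Order by date, then finding type, so the review reads as a timeline.
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in review_departure(EVENTS, "jdoe", date(2020, 6, 30)):
        print(finding)
```

The median is used as the baseline so that a single large transfer does not raise the threshold it is measured against.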
Once that outdated mindset shifts and the focus turns towards implementing custom strategies, investing more in security upfront, and educating employees on protective IT and data practices, there’s no reason why organizations – healthcare and otherwise – can’t have the workforce that CISOs dream of, keeping both employees and data safe and secure.