Veteran HIPAA Risk Assessor Recommends Quarterly Checkups

Analysis | By Scott Mace | May 05, 2021

Rising threat of ransomware during pandemic is putting more lives on the line in healthcare.

As the pandemic continues to dominate business decisions across industries, healthcare CISOs and CIOs are continuing to develop strategies and technology approaches to maintain some semblance of business continuity and patient care.

According to Joe Leonard, former military intelligence officer and current CTO and VP of security strategy for cybersecurity firm GuidePoint Security, there’s been a noticeable shift in how hospitals and healthcare organizations look at security. From a budget burden to a patient care enabler, the security posture of a hospital is fundamental to its ability to grow and treat patients.

In an interview with HealthLeaders, Leonard explains the intricacies of blending healthcare IT operations with proactive cybersecurity measures during this pandemic.

HealthLeaders: How has the pandemic focused C-suites and hospital boards to look at cybersecurity as a patient care driver?

Joe Leonard: C-suites' and hospital boards' cybersecurity awareness is heightened, as a ransomware attack during the pandemic could potentially cause the loss of a patient's life. During the pandemic, it is critical that life support machines and medical-grade devices stay operational and that there is no impact to patient care. C-suites and hospital boards should be evaluating their security programs and asking questions about how they are protecting the patients they provide services for.

The pandemic has created many challenges, as we have had to stay socially distant, and that has impacted our ability to properly evaluate our security posture. What were the security risks when we sent many healthcare providers outside the healthcare facility to administer the vaccine?

As we go forward, our patient care model should be designed to scale up quickly and provide support from anywhere, but we need to protect patient information, so security should be designed into our healthcare solutions. As we approach the post-pandemic phase, C-suites will need to reevaluate the patient care support model (on-site, remote, hybrid) they are providing, and review that security is integrated into these support models. Our security testing model will become more complex as we work in a hybrid world.

Joe Leonard, CTO and VP of security strategy, GuidePoint Security (Photo courtesy of GuidePoint Security)

HL: How might this continue to progress as employees return to offices in a hybrid capacity?

Leonard: As we approach the post-pandemic phase, a hybrid model is very likely to become the standard model. New tools will need to be developed to support a "work from anywhere" model, which provides an on-premise or off-premise healthcare support model. Many workers will be able to work remotely and leverage technology like telehealth to assist patients. Telehealth will grow and patients will get more options and better services as doctors can be engaged remotely for assistance. Telehealth testing capabilities will expand and provide better healthcare to patients.

We will witness an evolution that evolves just as we did going from a thermometer we put in our mouths to a contactless infrared thermometer. The remote workforce will be more agile and able to assist patients quickly. The hybrid model will make us more flexible and give us the ability to provide patient care from anywhere. The COVID pandemic was an example of how we scaled up remote sites all over the United States to support testing more patients as our hospitals couldn't handle the number of patients.

HL: Where are security programs making investments as we enter the next phase of the pandemic?

Leonard: C-suites and hospital boards are concerned about security. The question they ask is, "How secure are we?" In some cases, the healthcare organizations really don't know. They don't have the tools to really evaluate their organization's security posture. It is imperative to have a comprehensive security program that tests the organization's people, process, and technology controls and identifies the risk and the impact to the organization. The risks should be prioritized based on the risks to the healthcare facility, and a remediation plan should be developed. The items that are remediated should be retested to validate the remediation worked.

The security program should have a continuous security testing model, and there should be quarterly business reviews with the executive team to review the organization's overall progress and plan to reduce the risks. HIPAA, PCI [payment card industry data security standard], and PII [personally identifiable information] are normally a part of most healthcare organizations, and should be included as part of the comprehensive security program. Ransomware is a top concern, so tabletop exercises should be developed to test the healthcare organization's response to an attack such as ransomware. Phishing testing needs to happen at frequent intervals, and security awareness training needs to be a part of the comprehensive security program.

HL: How can security be "baked into" all healthcare tech products and services, and reduce or eliminate the need for physicians and other provider staff to become security experts?

Leonard: The best security controls are "transparent" and require little to no input from the user. In the healthcare environment, seconds could be the difference between life and death. The healthcare products need to be evaluated for ease of use, and security needs to be baked in, but it shouldn't slow people down trying to save someone's life. When technology is evaluated, we're often excited about all the great features, but we overlook items that are critical, like manageability, maintenance, and usability. Many times I have seen products implemented that failed because the product was too disruptive to the organization. Products should be brought in and should be evaluated against many use cases to ensure the service will be great and that the product can actually be supported.

HL: What enhancements or improvements can be made to further this process from a regulatory standpoint? What new rules and regulations can help tame the healthcare cybersecurity monster?

Leonard: Over the past 16 years, a majority of the HIPAA assessments I have sold have lasted 6 to 8 weeks, and then a report was delivered with the remediation recommendations and findings. In most cases, we would go back in one year and do the same thing over again. I believe one year is too long between reviews of the overall healthcare security posture. I would recommend an enhancement to start performing quarterly reviews to track the HIPAA risk assessment remediation work that was performed. What I have witnessed is that a majority of healthcare organizations do a HIPAA risk assessment once a year, then they work on the remediation for the next year, followed by another yearly HIPAA assessment. The HIPAA security rule and privacy assessment should be done annually (mandatory), and the results should be reported.

Scott Mace is a contributing writer for HealthLeaders.


Emerging hybrid model of care requires reevaluation of security posture.

Hospital boards are concerned about how secure organizations are.

Products need to be evaluated against their use cases and baked-in security, not just on features.