With the rapid pivot to remote work across industries, including healthcare, cybersecurity leaders had to adapt quickly to ensure their organizations remained protected.
During a HIMSS Digital session, chief information security officers from two prominent provider organizations discussed some of the lessons they learned in the process of safeguarding information amid a pandemic. These include the importance of clear communication about security protocols, continuing to run simulated phishing attacks and putting patient care first.
With 76,000 people in its organization, New York City-based Northwell Health had to be crystal-clear in its communications about cybersecurity, especially as people started working from home.
“We collaborated with not only our IT areas but also our corporate compliance group, our office of legal affairs, our risk management team, our internal audit group…because we wanted to have one voice out to our user population,” said Kathy Hughes, Northwell Health’s vice president and chief information security officer, during the discussion.
Together, these groups created multiple infographics, authored articles and developed videos detailing strategies for using technology in this remote world, including how best to secure data and phone calls, she said.
The health system also continued doing simulated phishing exercises.
“During this pandemic…healthcare was very highly targeted as an industry,” Hughes said. “So, we really needed to make sure that security training and communication was at the front and center of everything that we did.”
A consistent focus on cybersecurity is required when teams move to work-from-home environments en masse, but so is flexibility. For an organization to be nimble — an essential attribute amid a pandemic requiring rapid strategy shifts — red tape needs to be eliminated, even in terms of cybersecurity.
“You have to accept that risk management is equally important, and sometimes more important, than security itself,” said Stephen Dunkle, chief information security officer at Danville, Pennsylvania-based Geisinger Health System, during the session. “The reality is the patients come first, and if we have communicated the risk and we have advised — the right thing is doing what is right for the patient and the organization while mitigating risk as much as possible.”
In fact, getting too caught up in the weeds of technology implementation was not necessarily a good thing during the height of the public health crisis.
Geisinger’s information security team adopted a “crawl-walk-run” approach, Dunkle said. This meant that initially, the team did what it had to do to get a service up and running, and then it would collaborate with clinical peers to improve the service.
“The new normal is nothing’s normal,” Dunkle said. “We’re at a point where — and to me, it’s rather exciting — what worked yesterday may not work today and that’s okay…We need to be very adaptive.”
The dual threats of Covid-19 and cyber-attacks are still very much present for the healthcare industry. Focusing on flexibility and clear communication can go a long way toward helping organizations tackle both.