Now more than ever, healthcare workers need and deserve top-notch technical support. But between skyrocketing demand for telepractitioners and rising incidence of cybersecurity attacks, IT managers want to know how best to maintain their security posture. To help answer this, Rapid7 consulted tech leaders versed in the healthcare space for advice on adapting cybersecurity to the demand presented by COVID-19.
Emphasize availability over improvements
Emergency wisdom, medical or otherwise, begins with triage. Your primary focus is to identify the most crucial emergent healthcare needs, while remembering to keep the lights on. To that end, stress continuity of service.
As resources within the industry shift toward crisis management, security teams should clarify their positioning. Projecting a supportive, reassuring presence in uncertain times will go a long way toward compliance, and in turn help strengthen your security posture.
Reinforce that positioning by checking in to make sure teams have what they need. Prepare short, digestible, action-oriented communications, keeping in mind employees who may be new to telework protocols and feeling at sea. Make sure mass-notification services are functional and ready to deploy. Consider time-saving controls so as not to tax already-tapped energy systems. In short, do anything you can to prioritize helping workers on the front lines.
In addition to what we proactively undertake, what we avoid doing now can save resources we can’t afford to waste. Avoid new product or policy rollouts, and opt instead for ensuring critical security and IT remains functional and accessible. Take to heart the old adage, “The perfect is the enemy of the good.” It’s about minimizing friction that may interfere with HIPAA or patient care.
Lean on existing controls
In emergencies, the obvious often readily escapes us. When the world feels upended, it’s easy to forget the resources already at our disposal—and how to leverage them. Taking advantage of existing controls accomplishes two things: You avoid trying to reinvent the wheel when you don’t have time to waste, and you dodge the productivity hit that accompanies new rollouts.
Before piling on interim solutions, first step back and evaluate your immediate security program needs and goals. What’s your present workload capacity? Can you effectively reapportion network resources? How can you utilize existing controls? To improve VPN performance, you could ration bandwidth resources, create separate URLs for high-priority users, schedule remote patching for off-peak hours, or implement split tunnel capability. Monitor usage and see which creative solutions prove effective while minimizing costs. You might also reach out to trusted vendors, who should be able to offer guidance on maximizing existing assets.
Finally, resist the temptation to look back. Instead of dreaming about which implementations could have provided the strongest solutions, embrace your current controls. Differently put, it’s not about what’s ideal in theory, it’s about what’s actionable now.
Though our situation—meeting the legal and technical challenges of servicing a newly remote workforce during a worldwide pandemic—may be unprecedented, flexibility undoubtedly serves us well. We can’t adapt without it.
To that end, consider rethinking select work-from-home policies. Relaxing guidelines around company-issued devices, for example, may alleviate resource strain, reserving laptops tooled for HIPAA compliance for telemedicine providers. For the sake of operational transparency, be sure to document the changes you do make to avoid confusion in the future.
Remember, the impression you’re creating today will have an impact long-term. Demonstrating the ability to adapt and shift the spotlight to critical needs ultimately encourages a friendlier, more approachable perception of IT as a business enabler—sure to advance your security posture long after operational tempos return to normal.