Healthcare

3 Ways to Mitigate Cyber Risk in Temporary COVID-19 Hospitals

Brian Thomas | May 1, 2020

As cases of COVID-19 have grown, a lack of capacity has led governments to erect temporary hospitals in our nation’s stadiums, parks, and convention centers.

Unfortunately, these ad-hoc medical facilities have created significant cybersecurity challenges for the already beleaguered healthcare industry. Healthcare IT News reports that makeshift care centers carry a unique set of vulnerabilities since they are built quickly with patient care in mind, not cybersecurity. These remote medical facilities also expand the attack surface beyond the traditional network perimeter, creating the perfect storm for hackers to exploit vulnerabilities.

In order to adapt to the “new normal,” cybersecurity professionals need to get creative. Here are three key measures that security leaders can take to mitigate risk in temporary hospital environments.

1.      Visualize the risk landscape

During the coronavirus pandemic, field hospitals provide vital access to care when other resources are strained. But the medical devices used to triage, monitor, and manage COVID-19 patients are an easy target for bad actors looking to access hospital networks.

Managing cyber risk across this complex digital ecosystem can be particularly difficult because security teams may not have a handle on the risk hidden across these digital assets. They need a way to gain visibility into these digital assets so they can be secured no matter where they are — in a makeshift clinic or in new cloud instances that extend IT capabilities to remote users. After all, you can’t secure what you can’t see.

With a centralized dashboard view of the location of all these assets and the corresponding cyber risk associated with each, security teams can quickly develop plans for remediation. They can also visualize areas of disproportionate risk such as an insecure, yet critical, IoT patient monitoring device and prioritize that asset for mitigation — ensuring more efficient allocation of tools and resources.

2.      Discover new and emerging risk in remote environments  

The increase in temporary hospitals is analogous to the rise in the number of workers now working remotely since the pandemic began. Both present new, yet similar, challenges to cybersecurity professionals because they sit outside the defense-in-depth architecture.

These remote environments lack adequate security controls and are rife with vulnerabilities. Those field hospitals that run on local networks within stadiums or convention centers are especially vulnerable. The security posture of these networks is entirely unknown and likely to lack the necessary security provisions required to protect provider, patient, and financial data. Teams may also be unable to implement basic security procedures such as network segmentation to protect and isolated critical equipment such as connected medical devices.

To respond to this emerging need, security teams can leverage remote office risk discovery tools to easily and effectively identify vulnerabilities and infections on IP addresses known to be associated with remote operating environments — even if they don’t have full endpoint protection in place. These tools help security teams discover otherwise unknown security issues across remote endpoints on a continuous basis for quick remediation.

3.      Continue to practice basic security hygiene

Another step healthcare organizations can take to reduce risk — and save time and effort — is to practice the basics of cybersecurity hygiene.

Some of the most impactful measures to achieving cyber resiliency include ensuring that systems are updated, patches are installed, and open ports are closed. A failure to do so exposes organizations to security breaches. In fact, about 95% of security breaches can be prevented with basic cybersecurity hygiene.

COVID-19 is forcing hospitals to get creative

Caring for the health of coronavirus patients is a priority for governments and healthcare organizations around the world. But there are very real and non-trivial reasons why securing the infrastructure temporary hospitals run on needs to be done in parallel with their construction, not as an afterthought. Critical patient care may depend on connected medical devices that must be defended at all costs. Additionally, healthcare organizations and hospitals are guardians of life-impacting digital assets and vast amounts of patient data that, if compromised, could have catastrophic effects.

As stewards of this critical environment — even as it shifts to a remote-care model — security teams and leadership must revisit basic cybersecurity hygiene practices and rethink their security performance management programs to elevate the issue of cybersecurity risk. This means finding proven and efficient ways to continuously assess risk exposure across the extended attack surface. Only then can remediation be prioritized and the continuity of patient care and treatment ensured during this critical time.

BitSight Attack Surface Analytics Demo

Suggested Posts

3 Ways to Mitigate Cyber Risk in Temporary COVID-19 Hospitals

As cases of COVID-19 have grown, a lack of capacity has led governments to erect temporary hospitals in our nation’s stadiums, parks, and convention centers.

READ MORE »

Could Hackers Target Healthcare Next with Coronavirus Scam?

Cyber hackers are an opportune group of people, hunting like predators and shifting their approach as needed. And now, they’re leveraging the concern and — in some cases — hysteria about the coronavirus outbreak to advance their nefarious...

READ MORE »

How Healthcare Organizations Can Get Ahead of New and Worrisome Cybersecurity Developments

Cybersecurity is a priority for many organizations these days, but one sector of particular concern is healthcare.

READ MORE »

Subscribe to get security news and updates in your inbox.