Penn Medicine CISO offers tips for COVID-19 cybersecurity response
As hospitals and health systems nationwide grapple with the fast-moving demands of the coronavirus crisis, they're also faced with an added challenge: fending off a sustained upswell in cybersecurity threats, perpetrated by bad actors taking advantage of the pandemic's chaos.
Healthcare IT News spoke recently with Dan Costantino, Chief Information Security Officer at Penn Medicine, who offered some insights into how his infosec staff has adjusted its strategies to support the health system during the public health emergency.
He described new efforts to thwart COVID-19 themed phishing attempts, efforts to securely roll out new telehealth offerings and the ongoing need to be nimble and accommodating to the needs of clinical staff on the front lines.
Q. Generally speaking, have you made changes to your security posture in light of these new opportunistic cyber threats? Or is it a matter of ensuring you maintain the strategies you’ve always had in place?
A. We're continuing to push along on many of the previous projects that we had underway. We're continuing to focus on a lot of our former strategic objectives that we already had in place, in as many ways as we can.
However, obviously, in light of what's happening there, there has been a need to make some small adjustments. That's just the new threat landscape that we're faced with, and some of the new demands from the clinical and operations perspective.
We've started to increase our own levels of awareness and threat modeling around things like COVID-19-themed phishing emails, and some of the specific attacks that the industry in general may be seeing during a time like this.
By doing that, we've implemented a heightened level of awareness within our security operations center. We have a full security operations center on-site at Penn Medicine, and we also outsource a portion of security operations as well. And so we've increased our level of vigilance, high level of vigilance, within that security operations center.
And we've done that with the understanding that cyber criminals will use a time of crisis to cover some of their actions in a very opportunistic way. And so we try to track and match our operations and vigilance to that.
Secondly, the health system has needed to adjust their approach to clinical care. And with that, we've had to adjust ours to remain aligned in certain ways.
They're starting to introduce a lot of new workflows and technologies in a really short period of time. And in order to keep pace with that, we've needed to build somewhat of a rapid-response risk-analysis capability.
And this allows us to continue evaluating the security and the architecture of new solutions at a high level, while not slowing down the development and deployment of said technologies and new workflows and business processes.
That's been an adjustment for our team. It puts us in a position where we are still able to align and keep pace with the business to provide them that level of support from a security perspective, and that level of analysis and review that we need. But also, you know, I'm not slowing things down to normal lead times and service level agreements that we would have in place for something like that.
We're able to turn them around rather quickly, which is which is needed in the health system.
And I think, frankly, with the security team, it's been beneficial for us to align in that way. Historically, security teams have found that if you don't align yourself well, and if you don't support clinical operations, eventually, you know, some of these technologies will find their ways through the cracks.
And so we've tried to align ourselves to be a strong business partner in a way that the clinical operations and, in general, health system leadership teams will want to come to us for consultation on those things.
Q. What sort of coordination do you have with other clinical and operational IT leaders across Penn Medicine as this public health emergency unfolds?
A. Our level of coordination with the clinical-operations-center teams has always been strong. We pride ourselves as a program, and always, in our ability to align extremely well with the business and operations and always remain highly collaborative with the health system leadership.
But these times have certainly put us in more regular contact with leaders through the rapid evolution of how we're currently providing care right now. And so, while they're not necessarily scheduled meetings, we find ourselves in contact with clinical and operations, individuals and leaders pretty regularly.
Oftentimes what that looks like is, is some type of new clinical workflow or new clinical technology that's being either developed, implemented or simply just designed and thought about. A lot of clinical leaders are coming to our security program for assistance, to understand what it looks like in order to secure a technology or a process.
What would it look like to secure something that they're looking at? What kind of turnaround time would it need? Is it worth going after? A lot of times we're being asked, you know, "We have an opportunity here. We have a need, and we may have a technology, but does the benefit outweigh the risk?" And they're trying to understand in a really short period of time, what could the risk [be] or like from something like this, and we're trying to match that demand the best we can.
There have been a lot of cases where we've been able to accommodate those requests very quickly. I'd say in most cases being able to do that, and then in some cases, we have needed to slow things down just a bit in order to fully understand the scope of it, and clinical leadership has been very understanding of that.
During the early stages of Penn Medicine's response to COVID-19, as the non-essential personnel were starting to be sent home, we had to make sure that there were still support roles for the frontline staff. And so, as a security team, we stood up a completely off-site remote-access command center, capable of assisting over 20,000 remote employees to get connected to our network through a secure conduit, and be able to assist the frontline staff – whether that be through charting, project management, data analytics, you name it.
We've had more than 29,000 unique employees connect to our network remotely and securely since we started our own response.
Q. Hospitals all over the country are embracing telehealth to a scale that many are not used to. And remote care presents another whole set of security challenges. I presume Penn Medicine has expanded its telehealth offerings?
A. We have. Penn Medicine already had a pretty strong telehealth offering, but your point, this crisis has certainly put telehealth right in the spotlight due to its unique capabilities [as] well. We've mostly bulked up our current telehealth offerings and technologies, which we had previously vetted and previously reviewed, and ensured that we were doing things the right way and getting the most secure way possible.
But then we've also to think about some backstops. If the infrastructure of our current offering can't handle the demand, what do we do? That's where things have become, I think, a little bit more fluid for us as a security team, as we've had to evaluate and begin the implementation of a completely different telehealth solution that can act as a secondary solution or a backstop to what we already had in place. That's been a pretty fluid situation.
We've been highly engaged and involved in that. And in reviewing the technologies and working pretty closely with the vendor to make sure that they can meet some of our workflows, we can keep things within our security standards. But so far, I would say things have gone extremely well.
Q. Do you have any advice or perspective for smaller hospitals and health systems as they seek to manage safety and security during these challenging times?
A. One of the key things for smaller hospitals to keep in mind – and maybe all hospitals should keep in mind – is that during a time like this, there's really a need to be accommodating but not reckless. Clinical operations are moving so quickly that there really may not be time to slow things down like there were in the past, from a security perspective.
But that said, if you are a security professional, it's your job to shine a light on potentially risky technologies and workflows. If they're identified, then you need to make sure the right people are aware of it, as unpopular as it may be to do something like that during a crisis.
I'm not saying to put a stop to things, but it's still the job of information security to keep the health system aware when things may look risky, and to provide the right level of consultation and insight into the best way to secure them.
But it's important to understand that health systems' cyber-risk tolerance may need to change in order to accommodate a crisis like this. It's not permanent, and the risk should still be limited. However, security teams need to be prepared to make certain exceptions. And they need to find alternative ways to mitigate the risks that may be introduced during a time like this. Lastly, they need to remain aligned with business and the pace of work that that's needed in order to get through these trying times.