COVID-19 Has Reshaped Federal Health IT Security

Changes brought by COVID-19 have produced a corresponding shift in federal cybersecurity posture, particularly among agencies responsible for overseeing health care and medical IT systems.

These adjustments encompass both more comprehensive remote security as well as growing vigilance to cyber threats that emerged with particular force during the pandemic. Speakers at the GovernmentCIO Media CyberScape: Health Care event discussed how the rapid shift to telework created newfound security risks that federal agencies had to address.

“The way the environment has changed completely and fundamentally is that now we have not just devices to consider, but we have purview over security for all the infrastructure that exists within the broader telework environment. So that’s the routers and the switches in people’s homes. It’s their personal devices in some cases. So things like multi-factor authentication became super important,” said Sean Frazier, federal chief security officer at Okta.

This shift to telework and a greater focus on remote device security has encouraged federal technology leadership to reevaluate their approach to cybersecurity more broadly, encouraging a more dynamic and responsive posture that will be better suited to staying ahead of technological advancement and the evolving threat landscape.

“Even in the best of times prior to the pandemic we had an overreliance on the perimeter at any one organization. It was always, ‘If it was behind your firewall, you could protect it,’ which we’ve generally found is not true and hasn’t been true for a while,” said Jessica Wilkerson, cyber policy advisor at the Food and Drug Administration. “There was this mad rush of everything now being outside of the perimeter. So the big complication of having to adjust safety best practices on the fly in the middle of several other concurrent crises that were happening all at the same time has been a major challenge and will probably remain a major challenge. Because it’s highly unlikely that we’re going to go back to exactly the way that things were before.”

This has accompanied a considerable shift in the common threats to health IT systems, with a notable spike in ransomware attacks over the past year. This has had serious implications for the delivery of health care.

“Adversaries have changed their tactics. Notably during the pandemic, we saw a huge rise in ransomware attacks. Ransomware is a different type of cyber attack than we normally would understand or see, since most of the cyber attacks focus on data confidentiality and exfiltrating information. In health care, and with ransomware, it’s a very different type of thing where it goes after the integrity and availability of human life …. When you cut off access to those systems, this can impact lab systems, therapeutic or diagnostics, then doctors are put in a position where they can’t leverage those tools to save. So ransomware can have a profoundly different type of impact in health care than other types of attacks,” said Beau Woods, senior advisor at the Cybersecurity and Infrastructure Security Agency (CISA).

The outcome has been a growing focus on consolidating cybersecurity best practices in response and collaborating across agencies to ensure resiliency and prevent vulnerabilities from being exploited by malicious actors. Much of this has centered around the National Institute of Standards and Technology (NIST) acting as a knowledge and collaborative hub for federal agencies, while also publishing updated cyber guidelines designed to protect various IT capacities.

“We have a dedicated team who focuses primarily on cybersecurity posture for health care organizations. We also have access to a foundation of expertise, resources, relationships and experience as a collaborative hub. We’ve worked on multiple cybersecurity standards and guidance with risk-based approaches,” said Ron Pulivarti, project lead engineer for health care cybersecurity at NIST. “During the later part of 2021, we will be releasing SP 1800-30. That’s for securing remote patient monitoring, which is going to be used for distributed architecture while leveraging that NIST privacy framework.”