COVID-19 Healthcare Cybersecurity: Best Practices for a Remote Workforce

Measures to stem the COVID-19 pandemic are driving more of the U.S. workforce to remote, or teleworking, arrangements, including healthcare industry personnel who can operate from home (e.g., financial, administrative, healthcare IT teams, and other non-patient-facing roles). In keeping with state- and communitywide shelter-in-place orders and bans on nonessential travel, work-from-home practices reduce person-to-person contact in an effort control the transmission of the novel coronavirus within populations and families. The well-intentioned transition to remote work, however, carries an underlying risk: increased exposure to cybersecurity threats.

The State of Cybersecurity Amid COVID-19

The simple equation of more users accessing and relying on the internet from more places exposes cybersecurity vulnerabilities (risk = likelihood x impact), as does the possibility of using home internet connections and personal devices that don’t have the same level of security as corporate IT-managed resources. Additionally, collective rising anxiety, fear, and curiosity make internet users more vulnerable to malicious cyberattacks through false communications and information sources that appear legitimate.

Add to the above factors an upward trend in remote work overall before COVID-19-driven changes (a 159 percent increase in remote work between 2005 and 2017) and—for healthcare  providers, specifically—an increased incidence of ransomware attacks of 350 percent in Q4, 2019. In addition, amid the COVID-19 pandemic, the frequency of reported social engineering attacks across the globe has increased. For example, confirmed threat vectors have used fake COVID-19 impact maps to spread malware that steals passwords. These threats have mocked a legitimate and trusted source—John Hopkins Medicine.

Awareness of rising cybersecurity risks during the COVID-19 pandemic as well as cyber-hygiene best practices will help keep an increasingly remote healthcare workforce and their organizations safe.

A Time for Extra Vigilant Cyber-Safe Best Practices

Remote workers can increase their online safety by refreshing and ramping up cyber-hygiene best practices:

#1: Recognize and Report Suspicious Emails (Phishing)

Scams during the COVID-19 pandemic may appear to be from reputable public health authorities (e.g., Health and Human Services, the World Health Organization, or the Centers for Disease Control and Prevention) and reference COVID-19, coronavirus, and related topics to exploit a sense of trust in what may seem a known source. Suspicious email patterns to watch for include the following:

• Alerts about suspicious activity or log-in attempts.
• Alerts about problems with accounts or payment information.
• Requests to confirm personal information.
• Fake invoices.
• Requests to click on a link to make a payment or update payment details.
• Alerts regarding eligibility to register for a government refund.
• An email impersonating a known and trusted company (possibly using that company’s logo and header).
• An alert that an account is on hold due to a billing problem.
• An email with a generic greeting (e.g., “Hi, Dear.”).

Follow organizational guidance on how to report suspicious emails. Many organizations will have an anti-phishing program with utilities for reporting built into their corporate email clients.

#2: Protect Home Internet Connections

Corporate IT and infrastructure engineering teams often have a number of controls in place that protect internet connections within the office environment. When connecting from home, however, certain practices will ensure security and quality:

• Bandwidth: As COVID-19 drives more of the global workforce home, bandwidth demands increase. Remote workers should ensure they’re getting the bandwidth they’re contracted for with their internet services provider (ISP). Tools including speedtest.net or fast.com can measure home bandwidth. Some ISPs have been known to place data caps, or limits, on their services, but in light of the pandemic, many ISPs are removing caps voluntarily.
• Connectivity: Individuals using Wi-Fi or a hotspot at home, need to ensure they’re using a modern encryption tool, such as Wi-Fi Protected Access II (WPA2), with a strong preshared key (PSK), that’s equivalent to a password, to establish a connection to the home network. Never connect over public Wi-Fi, such as airports, coffee shops, libraries, community wireless access points, or other connections that aren’t verifiably secure. To access the internet away from home, tethering to a mobile hotspot (smartphone) is the safer option.
• Virtual private network (VPN) with multifactor authentication (MFA): A VPN encrypts information to tunnel it from its source to its destination. Many organizations’ corporate IT and infrastructure engineering teams maintain a VPN infrastructure to keep team members secure. With MFA, a device user must successfully present two or more pieces of evidence (e.g., codes smartphone apps generate) to an authentication mechanism to gain access to a network.
• Corporate-issued devices: Remote workers connecting to their corporate network or partner-hosted environments should only use corporate-issued devices—versus personal devices. These devices likely have the necessary safeguards to work securely and are managed and updated regularly by the corporate IT team.
• Web browsing: Internet users need to be cautious about the sites they visit. As mentioned earlier, there are confirmed malicious websites related to coronavirus that may appear legitimate but are engineered to infect devices through a web browser. While conducting sensitive transactions, verify the sites used are secure and implement secure socket layer protocols (SSL) with the website to secure the traffic between the originating device and the destination site.
• Phishing (email), vishing (voice calls), and smishing (SMS):Increased social engineering attacks like these demand extra diligence. If a remote worker identifies suspicious activity, they need to report it to their organization, such as with a reporting email utility built into their corporate email or to the organization’s information security team.
• Video conferencing: Virtual conference room users need to inventory their meeting attendees. Increasingly, known cyberattacks may attempt to allow eavesdroppers by randomly identifying links to meetings. Virtual conference hosts should require a password to join the meeting and ask anyone unfamiliar to identify themselves.
• Passwords: Many corporate IT and infrastructure engineering teams set requirements on minimum password lengths, composition, and complexity. Strong passwords and long passphrases are more secure than shorter passwords, and users need to rotate passwords at least every 90 days. Enabling MFA, as applications and systems allow, supplements passwords security; two-factor authentication (one factor the user knows, such as a password, combined with another they have been provided or receive digitally, such as a one-time password token) is an effective authentication practice.
• Stay patched: A corporate-issued device is likely managed centrally and receives updates via a systems management and deployment solutions (e.g., Quest KACE, Microsoft System Center Configuration Manager, SolarWinds Patch Manager, etc.); remote workers should keep up with these updates as they reach their device. Users are responsible for patching (downloading and applying the latest firmware update from the vendor) home infrastructure, such as routers and firewalls.
• For additional advice on avoiding phishing and social engineering attacks, see the Department of Homeland Security.

Steadfast Safeguards for Uncertain Times

In a time marked by global uncertainty, the growing remote workforce can protect their personal and organizational internet security by relying on a known entity—cyber-hygiene best practices. Despite unprecedented change and adaptation, individuals working from home who follow proven cybersecurity guidelines, with some added awareness of COVID-19-specific threats, will keep themselves and their organizations cyber-safe through the pandemic and beyond.

Additional Reading

Would you like to learn more about this topic? Here are some articles we suggest:

1. Health Catalyst Plans to Support Health System Clients’ COVID-19 Response with Three Initial Solutions Focused on Patient Tracking, Public Health Surveillance and Staff Augmentation Support
2. Health Catalyst Unveils Two Systems and a Service for COVID-19 Response

PowerPoint Slides

Would you like to use or share these concepts? Download the presentation highlighting the key main points.

Click Here to Download the Slides