Many clinical and administrative staff will be treating patients and accessing data remotely after the COVID-19 crisis settles, experts said during a Canadian webinar on the effects of the pandemic on the healthcare sector.
“Remote access is here to stay. In a big way,” said Kashif Pervaiz, CISO of Toronto’s University Health Network (UHN), a group of three hospitals, rehabilitation centres and a clinician training school.
Delivering services efficiently as well as assuring patient privacy is “definitely going to be big,” he said. UHN now has a group led by an executive vice-president dealing with ways of safely delivering virtual care, he noted, stressing that the effort is executive-led.
To deal with the pressure of operational and medical staff suddenly having to work remotely, some security policies needed “to be bent a little bit,” Pervaiz admitted. “We haven’t thrown security out of the window (but) we have had to adapt a bit.”
That meant re-thinking how to deliver remote access. Instead of relying on virtual private networks (VPNs), UHN turned to web-enabled solutions in some cases. That means his environment is “somewhat device-independent,” lowering the attack surface. He also increased network monitoring and incident response procedures.
“The days of saying no right away are long behind us,” he warned CISOs.
Pervaiz was speaking on the first day of a week-long series of webinars called siberXchange, run by Richmond Hill, Ont.-based SiberX, which produces cybersecurity events. Each day this week has a set of panels or speakers centred on a single topic. Tuesday’s topic is business continuity, Wednesday’s is women in cybersecurity, Thursday’s is aimed at CISOs and Friday’s theme is smart cities.
Panellist Ali Shahidi, director of information security management and privacy for Ontario Health – a group of 20 agencies including 14 local health integration networks and the Ontario Telemedicine Network (OTN) – said his agency has had to face several remote access challenges due to the pandemic.
Thanks to some “leeway” from the provincial information and privacy commissioner, the agency was able to change some security and remote access procedures, he said. Some access projects that might have taken months were done in two weeks, he explained, thanks to staff working round the clock. “It showed we can be agile.”
Shahidi, Pervaiz and panellists Daniel Pinsky, manager of the information security program at IT provider CDW Canada, and Hoda Nasseri, a cyber defence manager at KPMG Canada, also said that the number of COVID-related email threats to the healthcare sector has increased. As reported elsewhere, Nasseri said there are also government warnings that other countries are interested in stealing COVID-19 related vaccine research.
However, she added, most nation-state attacks aren’t complicated. Hospitals and clinics that perform basic cybersecurity hygiene, including patching and using multi-factor authentication to protect administrative accounts, will be protected against most targeted attacks, she said.
Ultimately, said Pinsky, the goals of infosec teams need to be driven by the goals of the organization. “We exist to enable the business.” If the business changes, information security has to adapt.
The question, he said, is how does IT pivot and continue to support and enable the business, while at the same time managing risk?