Telecommuting became the norm during the COVID-19 pandemic. The healthcare industry was not exempt from this trend, even clinicians who sometimes conducted virtual visits with their patients from the comfort of their home. Other non-clinician roles within the industry also switched to telecommuting.
Patient privacy is one of the cornerstones of providing care, so healthcare cybersecurity is more important than ever. With the onslaught of more employees telecommuting than ever before, healthcare security leaders were tasked with finding ways to ensure healthcare employees were following the necessary steps to keep systems and their patients safe and secure.
The pandemic forced many IT security teams to think quickly to ensure devices that were going home with the organization’s employees remained secure. They were tasked with making sure everyone continued to take steps toward safety while outside the office, such as changing passwords and taking other security measures. And as things start to open up again, many organizations are letting their employees continue to work remotely, which means security teams need to ensure their safety measures can work on a more permanent basis.
Stephen Dunkel, CISO at Geisinger Health System, said at a HIMSS21 Digital session that the pandemic and the sudden need for employees to switch to telecommuting took everyone by surprise.
“In my many years in the profession, I never would have anticipated anything like what we encountered. And there were so many moving parts. Your mind's racing, you're worried about the organization, you're worried about the patients, and you're also worried about your own department,” he said.
Many organizations are finding that employees enjoy telecommuting, so they must approach cybersecurity with that in mind.
“The new normal is that nothing is normal,” Dunkel said.
He noted that the entire organization worked as a team in “can-do” mode when the pandemic forced changes in how and where everyone worked.
“And we were also empathetic with our peers because we all understood the stress involved with this. And so, we listened much better, in my opinion, than we ever had before. And that was very beneficial,” Dunkel.
While keeping cybersecurity top of mind as healthcare employees were telecommuting, the organization worked hard to also not lose sight of keeping their goals centered around the needs of patients.
“Patient care comes first. And you have to accept that risk management is equally important and sometimes more important than security itself. And sometimes security just has to compromise,” Dunkel said.
He added their goal was to mitigate the risks as much as possible while doing what was right for patients and the organization.
“I know my peers appreciated it in the organization because they didn't run into, as they called it, a lot of bureaucracy in that. It’s very much a partnership, and it's certainly in a time like this where it's all hands on deck, it's absolutely critical to think out of the box,” Dunkel said.
He praised his team for their efforts during the transition of the organization’s employees to telecommuting.
“They are efficient in delivery,” Dunkel said. “They have gotten even better.”
His biggest surprise of the entire process was that it actually worked.
“I'll be honest, I was very concerned how this was going to work, especially when we started talking months at home,” Dunkel said. “And then you start thinking about all the implications. How are we handling payment processing from a remote environment? Just how is the workforce going to handle this? But the technology, including the internet, it withstood the test.”
Kathy Hughes, CISO and VP at Northwell Health, has about 76,000 people to communicate security methods to within her organization.
They used a variety of tools to remind employees how to stay secure while telecommuting, including email, intranet, videos and screensavers.
“We created multiple infographics that really explained what people needed to do and how they needed to operate in this remote world to secure their data, to secure their phone calls, to secure everything that they did in a way that was different from being inside an office location or hospital location,” Hughes said.
Her department collaborated with many other departments within the organization, including legal affairs, HR and risk management.
“We also leveraged social media. And, of course, we kept doing our simulated phishing exercises because during this pandemic, as you know, healthcare was very highly targeted as an industry,” Hughes said.
Her own team was already heading toward remote working before the pandemic hit, and it will be the new normal going forward.
“When the pandemic hit, it was really a matter of just increasing some of the capacity, communicating and extending that model out to other areas of the organization. And it was pretty much seamless,” she said.
Some of the logistics were challenging, however, such as teaching everyone to use Microsoft Teams and figuring out the phone system, but it was overall a positive experience. And one that the organization plans to continue moving forward with a largely remote workforce. Their employee surveys indicate their staff is overwhelmingly in support of telecommuting.
“They enjoy the flexibility. They enjoy not having to get in a car and sit in an hour of traffic and deal with all of that and running from building to building and conference room to conference room. They feel as though they're more productive. They feel they have a better work-life balance,” Hughes said.
However, some have indicated they do miss seeing each other, so they will likely schedule some in-person meetings and events from time to time.
“That's going be our new norm is to work largely remotely to take advantage of all these virtual technologies such as we're using now, and continue to use that and expand upon that,” Hughes said.
For patient care, the organization had to quickly adopt ways of providing digital care. But while there is still some work to be done in that area, she noted that patients appreciated not having to go in person or wait in a waiting room. However, in-person care is not going away completely any time soon.
“It's very important that the patients also have the opportunity to go see their physician in person. And I think that that's a very important element of this is all about a human-to-human type of interaction. And to patients, that's very important,” Hughes said. “So, I think there's been a recognition that both are very successful, and they both have their place depending on what the situation is.”
One of her favorite things about the quick transition to telecommuting during the pandemic was how everyone in the organization worked as a team toward common goals.
“Everybody in the entire organization just banded together as a unit. They put all the politics and everything else aside. Everybody was focused on our frontline workers,” Hughes said. “I never felt as though we really had a true divide between the clinical leadership and the IT leadership. I think that's one of the things that we really have always prided ourselves on is that we have always worked collaboratively and as a unit. We work with them on solutions.”
Dunkel and Hughes offered their top tips for healthcare organizations offering a telecommuting option for their employees.
“Plan ahead. Anticipate the threats. Work hard on threat intel,” Dunkel said. “You win in this game by being ahead of the curve as much as you can.”
Hughes noted that documentation is important.
“One of the things that we spent quite a bit of time after the pandemic was when it was going down is that we said, ‘We need to get everything that we've done on paper and document it, and make it a living active breathing document. And we need to make sure that we practice and exercise it regularly.’ Because you will forget a year from now what you did today, so it's important to also write it down and practice,” Hughes said.
The views and opinions expressed in this content or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.
December 6–7, 2021 | Digital
Technology will continue to revolutionize healthcare, but the results will come up short if we don’t also secure critical data and protect patient privacy and safety. Now more than ever, not only do security leaders have to maintain their ongoing duties, but they are also forced to protect rapidly expanding, remote infrastructures from more exploitative cyberthreats and phishing attacks.