5 things COVID-19 taught us about health care security
- Posted on July 20, 2020
This article was originally written by Avanade alum Chris Richter.
One thing you can’t say about these last few months is that they’ve been boring. As COVID-19 pushes organizations to respond, reset and renew, we’re learning more about the potential of digital transformation every day. These lessons are coming fast and hard. Ignore them and you risk never getting your organization back to a “new normal.”
I had the pleasure of discussing this with Microsoft and IDG during a recent panel discussion (done virtually, of course). Below I’ve collected the five biggest insights, but I recommend you take the time to watch it in full. While the conversation was focused on security in the health and life sciences industry, the lessons we shared are relevant to all.
1. No time to relax.
As health care organizations make the shift to radically new ways of working and providing care, bad actors are wasting no time in taking advantage of the chaos. Security leaders have noticed. We polled our webinar attendees, and ransomware was one of their top concerns. I am also seeing a lot of worry over credential theft, phishing and spear phishing. One security firm reported a 30,000% increase in phishing attempts since January.
2. Identity is more king than ever.
We’ve been telling our clients for a few years that identity is the cornerstone of modern security, and COVID-19 has made this truer than ever. With the rise of remote working, security leaders need to make it easy for employees to access all kinds of applications in new ways. Many of them are SaaS-based and work out of the gate with identity and access management tools, such as Microsoft Azure AD. However, a significant proportion are private, and closing that gap between legacy apps and cloud authentication is a high priority for health care IT.
(As a quick aside, IT is struggling to make multifactor authentication work in unique circumstances, such as sterile operating rooms where clinicians are wearing gloves and masks. Not the best get-up for facial recognition.)
3. Location matters.
As remote working increases, security leaders are dealing with a series of related challenges. We discussed the need to provide prescriptive guidelines to employees working from home, helping strengthen security on things such as Wi-Fi networks and personal devices. We also reminded everyone that physical documents need to be treated with care, something many don’t think about when printing out documents at home, for example.
Another major theme we’re seeing is upgrading VPNs. Most organizations never imagined having to run so much bandwidth, from so many concurrent users, so often, on the single VPN system they had in place. This has led to a rush to find alternative and secure ways to provide remote access to private networks, without sacrificing performance or user experience.
4. Don’t forget about compliance.
Global pandemics seem to make even the strictest regulatory agencies a little more relaxed. Aside from the FDA greenlighting experimental treatments and vaccines, major compliance codes such as HIPAA have eased up on some of their rules. These changes are intended to help you adhere to compliance requirements as you rapidly shift to a new world of work. While this leeway can be powerful, you can’t get passive. I recommend working with an experienced partner to help you best understand your compliance control requirements, especially as you shift to public cloud collaboration and communication platforms.
5. It’s the end of best-of-breed.
It used to be that health care organizations looked to best-of-breed vendors to fill in the gaps for every single digital use case. Today, the sheer speed of change, coupled with a growing need to control costs and simplify IT, is making this approach obsolete. What we’re seeing is a shift toward “best-of-platform,” with a clear frontrunner emerging with Microsoft 365 and Azure. There are many instant wins with the platform approach. IT has fewer unrelated tools to manage; you can very likely reduce spending on various third-party tools with entitlements you already own in your enterprise license; and the Azure/Microsoft 365 ecosystem is designed as an integrated platform which can reduce complexity and improve operational security performance.
So, where to now?
You might be wondering how you can take these lessons and start applying them to your own unique circumstances. Check out the webinar we hosted with IDG and Microsoft - it’s free to watch and there’s far more to the conversation than the brief notes I’ve shared above.
Learn how we can help you plan, deploy and manage a secure health care transformation.