CynergisTek’s Executive Advisor Marti Arvin and first-time guest Andrew Bindner, Senior Offensive Security Consultant for CynergisTek, join us today to discuss the importance of keeping up a strong privacy and security program during a high-priority pandemic such as COVID-19. Andrew and Marti talk about why privacy and security have to go on even in the current environment we find ourselves in, and they weigh the risks that an organization may face if leadership decides to minimize its privacy and security efforts.
- Download our checklist, “Planning for Incident Response During the COVID-19 Crisis: Tales on Tackling The Security Debt”
- For a full repository of COVID-19 crisis resources, visit our CTEK COVID-19 Communications page for news, articles, podcasts, and more.
- Contact us with any questions regarding the regulatory changes during the COVID-19 crisis.
Hello, welcome to The Risk Perspective. I’m your host Lauren Frickle. Today, I’m joined by CTEK’s Marti Arvin, an industry-recognized subject matter expert in healthcare security and ethics. I am also joined by a new first-time guest Andrew Bindner, Senior Offensive Security Consultant here at CTEK.
Today we bring you our show titled, Even During a Pandemic Privacy and Security Must Go On.
Hello, Marti and Andrew. Welcome to the show!
Hello, Lauren, glad to be here. Andrew, since it’s your first time on with us, why don’t you give the audience just a brief background?
Absolutely! Thanks for having me. I have been in security for about 20 years. I started off my career with the US Navy, working for various three-letter organizations out of Washington DC, eventually moving into more of the commercial sector. I’ve been doing penetration testing specifically for the last, oh, 10-plus years. I have co-authored “Hacking with Kali”, and I have spoken at various conferences such as RSA. But my passions are social engineering and IoT.
Thanks, Andrew. Well, today we’re going to talk about why privacy and security have to go on even in the current strange environment that we find ourselves in.
One of the things I want to discuss specifically around our topic today is the risk that you’re all at for allowing leadership to minimize your efforts. And what I mean by that is they might be considering furloughing staff in the privacy office or the security office because they don’t see them as essential. They’re not patient care folks. They don’t provide that direct care to the patient. You need to convince your senior leadership why this is not the time to be doing that.
The temptation for them might be there to save money, but the risk to the organization is even greater today than it was six months ago. We’ve read numerous stories about how hackers are targeting healthcare during the COVID crisis, the uptick in ransomware and things of that nature have all occurred. So, the risk is greater and that’s why now is not the time to think about laying off that staff or furloughing them.
The other thing that’s likely greater is the temptation to actually look at a record when you’re not supposed to. So, looking at a patient record: folks who might not normally be tempted to do so might not be able to resist that temptation now if they’re concerned about a co-worker and whether that individual has tested positive for COVID-19. They might be willing to look at it when normally they wouldn’t, if they’re thinking, well, I’ve been in contact with that person, am I at risk for getting it, and am I at risk for taking this home to my family?
And then my final thought on this is, you know, help your leadership understand that while the regulators have backed off to try to ease the burden, they have not gone away, and the regulatory obligations around many things under the privacy and security rule are still there.
Andrew, do you have any additional thoughts on that?
Absolutely. We don’t just have a shift in policy and the way that we’re thinking; we also have everyone working from home. It’s not just people out of the office. It’s also people dealing with new technologies, new setups, new ways of thinking, and approaching the work situation they’re living in. There was a survey that actually came out from Tripwire that said previously only about 4% of people were working from home. We’ve now gone up to roughly 34%, which is a drastic increase. That means that we have a lot more to support in the long run, and we have different ways of helping support and grow the business instead.
So, if we are laying off those key essential people in the background who are making all those ones and zeros come together, then we ultimately end up hurting ourselves and shooting our own organizations in the foot. So, this is the time to be more amped up on security and be more proactive about implementing new technologies and new security measures. But we also, in that case, have to look at the different ways of user access monitoring: how we actually connect to the network and how we ensure that we’re actually monitoring for those capabilities.
Yeah, I think that’s a great point, Andrew, because that’s something I’ve seen at least one organization consider backing off on when you’re talking about the user access monitoring associated with accesses to patient records. This is a regulatory obligation. It will need to continue, and as I mentioned a moment ago, the temptation today to look might be greater than it was six months ago. People might be thinking, again, what if my colleague is positive for COVID? What do I need to know? And they might be tempted to look.
You might also see folks thinking, hey, maybe folks aren’t being as diligent now as they were before, and so I’m going to go ahead and look at the record and hope that I don’t get caught because that diligence isn’t there. So, think about continuing that.
Again, the regulations and the guidance from OCR say that this has to be based on your risk assessment. So, look at what you were monitoring pre-COVID and think about whether you need to change that. Are there things that you want to do differently during COVID? That’s okay if you’re basing it on your risk assessment.
But don’t stop your efforts altogether, and continue looking at things like worker-on-worker accesses, worker-on-family accesses, worker-on-high-profile-individual accesses. But think about which one of those is your highest risk, and that worker-on-worker access may be your highest risk today, even if it wasn’t your highest risk six months ago.
So that may be something, you know, you want to consider transitioning to or focusing more heavily on if you do need to cut back on your efforts. You know, think about prioritizing it and still continuing it in those areas that are the highest risk. That’s really talking about accesses by employees to patient records; there are other types of user access monitoring that you should be doing under the security rule.
Andrew, do you want to add any thoughts or comments on that?
You are reading my mind! Yes, I’m sitting here thinking about how do we actually monitor our own networks? Um, so, one of the things is that, as penetration testers, we do networks, we do web applications, we do mobile applications, everything under the sun. If it has a warranty, we’re hired on to break that warranty. But there are some overall governing bodies. When we look at the Open Web Application Security Project, or OWASP, they actually have a top ten list that they do every couple of years in web applications. The number 10 slot of the top 10 things has been, for a very long time, logging and monitoring, and those become really important in understanding how someone’s accessing your system, who’s accessing your system, are they authentic, are they coming in at their normal times. There are all different ways to monitor.
In some of those cases, you might look at even just the simple things, such as are we getting a large amount of invalid login attempts. If no one’s actually monitoring those logs and they’re just going to a database somewhere, we won’t actually be able to see, you know, no one will actually be able to report on a possible incident coming in.
So, we do have to maintain our diligence in our logging and monitoring on all systems. But because of the pandemic and everyone working at home, we need to be looking even further out. On a lot of external networks, many companies have logging turned on, or the minimal amount, but no one really pays attention to them. Now is a key time to pay attention to those access logs and make sure that we’re putting up our geofences and things like that, to make sure that we’re trying our best to maintain that set focal point to avoid a breach.
Yes, and you know, breaches are another area where people have to stay focused. If you have an improper access, whether it’s by an external bad actor or whether it’s an internal employee that’s looked at a record they’re not supposed to, you have to review those kinds of incidents and follow up on any complaints you might get. You know, you might see an increase of complaints from employees who believe that someone has looked at their record that shouldn’t have, or even from patients. Those are efforts you can’t stop during the COVID pandemic crisis. And again, you have to continue to document your analysis of that incident and your determination on whether it was a breach or not.
OCR has indicated a number of areas where they said they will exercise enforcement discretion. Meaning they’re not waiving the requirements of the rule; they’re not saying you don’t have to comply with the rule. What they’re saying is, if you have instances where you’re not complying with these particular provisions of the rule, we’re not going to enforce the rule against you.
Now failure to timely notify individuals of a breach is not one of the areas that they have said, they will exercise enforcement discretion. And so, I would encourage you to make sure that you continue your process and you also continue to focus in on doing this in a timely fashion.
Remember under the regulations the data compromise, or the incident is considered discovered, on the day that anyone at the covered entity knew or should have known that it occurred, except for the person who actually did it.
So, as a general premise, that means that when the incident occurred, you’re considered to have discovered it, and that’s when your clock starts ticking. And I’d also encourage people to remember that they don’t have 60 days; they have up to 60 days. The regulation says you have to notify without undue delay, but no more than 60 days. And while it might take you a bit longer in the current environment because of the conditions you’re working under and perhaps, you know, whether you’ve got more instances that you have to evaluate, you might take a little longer, but you can’t just sit on your laurels and say, well, I’ve got 60 days to do this, so I’m not going to worry about looking at it today, I’ll just wait a couple of weeks. That could be considered undue delay.
Just going to interject: you may have up to 60 days for any of those types of breaches in the healthcare industry. But did you know that actually most breaches can end up 200 days behind, that is, 200 days before somebody even notices a breach? That’s 200 days before somebody actually begins to report a technical breach.
In a lot of cases, we also see that it’s not just internally where people are reporting it. It’s also coming from external entities contacting the company saying hey, I think something’s wrong here.
Andrew, I just want to interject because I always caution people. I understand the stat you’re giving everyone about the 200-plus days; that’s usually to discover that the bad actor or something has happened in your system. So, the discovery date in that scenario is going to be the day you actually know about it, unless your lack of knowledge is due to gross negligence and you should have known on the day it occurred.
So, the stats are: the incident might have occurred 200 days ago, but you know about it today. So, today’s when your 60-day clock starts ticking, and I just wanted to be clear to the audience not to think that they’ve run past the 60-day clock in all of those instances where the bad actor might have been in the system for longer than the 60 days.
Then again, one thing I failed to mention that you triggered for me, Andrew, is you also need to look at your state law, because state law may have shorter time frames that you have to notify under. And I know at least for California, the California Department of Public Health says you have 15 business days to report, and you can be fined for every day after that 15th day that you don’t report. And so, it can, you know, be quite significant for organizations, and again, just focusing you in on making sure that you’re still evaluating this and going through the process.
What does this mean as far as, I mean, are we constantly seeing this within our clients’ own environments? Are we seeing that people are actually practicing privacy and security training to address these, so they know what to do when it happens, as it happens?
Well, I think that’s an important thing to talk about in the current crisis. Most organizations that I talk with do annual privacy and security training, and I’m not telling you to stop that.
Under your normal process, let’s say you do that during the months of April and May every year; that’s when you do your annual training and require everyone to complete it. You may decide to push that out a bit and have people do it in August and September, when things hopefully have calmed down. I don’t see a problem with that. But I also see most organizations telling me they don’t believe their annual privacy and security training is effective. And what you really want to do is focus in on making sure people understand some of the things that we just discussed, and understand how things might change given their change in work environment.
You talked a moment ago, Andrew, about people working remotely, and that’s an area I think you want to focus your training on: what are the privacy considerations when folks are working remotely? What are the security considerations when they’re working remotely? But do it in shorter, more digestible, frequent bites.
So, you know, little notices to folks. Hey, this is just a reminder. Make sure, you know, if you’re discussing information that’s confidential, that you’re doing it in a private setting when people are working from home. They may not have the flexibility of a home office. They may be working at the kitchen table; they may be working in their living room. And so just those frequent reminders of how people can stay private or keep the information private and keep the information secure will help people remember that in these changing work environments they have other considerations to think about.
Are there other types of security training that, Andrew, you think folks should keep up on? Or things they might be doing even differently in today’s environment?
I think the key factor there is, you nailed it. We should not stop. We’ve seen an exponential growth in the amount of social engineering attacks, especially through phishing. As a penetration tester, one of the key things that we go through is trying to determine what area a client is in, what’s going on in the economy, what’s going on in the town, what’s happening with even the local football team.
As we watch over this large pandemic, we see malicious actors engaging in campaigns that are specifically geared towards information about COVID-19. Everyone knows that there’s going to be more training; everyone knows there’s going to be more compliance. Everyone knows that there are going to be changes all the way from the government to your hometown, even possibly within your own neighborhood.
But if we capitalize on those and we are running our own engagements, and by our own engagements I mean we’re testing our own people within our organization by running social engineering, then we are actively engaging them to think more and think harder about clicking on those links or submitting information that really shouldn’t be there, or reaching out to other co-workers.
Actually, that brings me to another really good point, in that everyone is remote. When I used to run a phishing campaign, one of the things we constantly worried about was, if I send this out to too many people all at once, everyone’s going to look across the office at each other and go, hey, did you get this email? And that suspicion will grow, and it will stop it. We don’t have that flexibility in the case of remote workers, because they have to rely on their own instincts.
So yes, having more frequent training in smaller bites definitely is going to be the winner at the end of the day. Ultimately your employees are champions of your security. If they’re not fighting for your security, no one’s fighting for your security. So, I would definitely push the training a little heavier, but in definitely smaller more digestible bites.
Well, I think that’s a great point in your comment about your employees being one of your, I’ll rephrase it, higher risk factors. I agree with that. Another area where you might have risk that is not being as heavily focused on under the current pandemic as you might normally be is your vendors and your vendor management process.
What are your thoughts on that Andrew?
Okay, vendors are key. We have so many different applications. We have so many different devices, different contractors, and different personnel performing all different functions throughout most organizations, especially in healthcare. And the larger the company is, the more likely we are to have outside vendors to help alleviate the stress and the day-to-day tasks, right?
So, in this case, one of the things that we really want to watch out for with the vendors is, are the vendors themselves actually practicing proper security? If they are providing a device, if they’re providing a service that they are remotely connecting in to, or if you’re connecting to their service, they should have undergone some type of security compliance auditing or penetration test. It is perfectly acceptable to ask them for their letter of attestation to show that they are keeping up on that security and that they are actively training their own personnel to make sure that they’re keeping up high standards, so they’re not impacting our own company.
But yeah in the case of annual assessments, I think you alluded to earlier that policies are changing for annual assessments and keeping the lights on and keeping things working. But also trying to maintain the documentation and policies and procedures within an organization. Am I right?
Yes, I do want to go back a bit and just make one quick comment on vendor management, and that is you have processes in place potentially for existing vendors. But you may be hiring new vendors to do things for you that you didn’t anticipate because of the crisis, and even if you don’t go through your full-blown vendor due diligence process for those new vendors, think about an abbreviated version. What are the key things that you absolutely would want to know before you decide to go with that vendor? Then put it on a list to go back and do the more in-depth due diligence once things have calmed down a bit. But don’t just hire the new vendor without doing any due diligence, you know, because that can exponentially increase your risk. And you’re right, Andrew, about the annual assessments: people need to think about that and think about whether they want to do those during the current crisis, or whether they want to put it off a bit.
But what they shouldn’t be doing is putting it off, you know, a year from now. Consider that there may be implications to that for other contractual obligations, and think it through and make sure that’s very thoughtful. And again, maybe you consider doing what I’ll call an abbreviated version of it instead of the full-blown thing, so that you can still keep on track some of your mitigation processes for the risks that were identified.
And I know two other areas where things can get a bit tight, particularly if folks want to consider laying off staff or furloughing staff, are handling the helpdesk tickets and then keeping your patching up to date.
What are your thoughts on that?
My thoughts on that, in the case of help desk tickets and patching: these are normal day-to-day functions. If we do not keep up on help desk tickets, if we don’t keep up on patching, we’re allowing holes, and I’ll give some examples of that in the case of help desk tickets.
If there is a larger number of tickets for people working at home who say, hey, I don’t have access, I can’t see, I can’t get my way into my email system, things like that, those can tend to fall off the radar, and one can end up having a decrease in functionality or productivity for that particular user or subset of users. But we may also be missing the mark on a potential breach or potential malicious actor trying to gain access, maybe locking out accounts and things like that.
Your helpdesk folks are going to be your key line of defense in noticing those small little triggers that go off before any other security systems that you might have in place, such as IDS or LAS, that might be missing the mark.
In the case of patching, patching is very difficult at the moment. Tripwire actually released a study that said 41% of organizations are having more challenges with devices that are even connecting to their network, and they can’t really see what’s there or they may not have access to the device. Under a remote management system, if you have it in place or if you’re currently building one out, patching is going to be a key factor to keep up, right, because we’ve moved those internal devices that were once protected by our corporate-level firewalls and all of our enterprise-level security to someone’s home, where they’re using what’s called a SOHO router, or small office home office router. Those are not really designed for high-level security, and there are constant vulnerabilities that keep coming out for those devices.
So, if we’re not patching our systems, we’re greatly increasing the risk of a potential breach through an individual’s computer, and then when we think about VPNs and how they’re always on, always connected, it gives them almost instantaneous access into our internal networks. So, keeping up with help desk tickets and keeping up with patching are vital in these times, but even going forward. They should always be part of your CIS Top 20 benchmark.
Yeah, thanks, Andrew. I hope we’ve given everyone some food for thought on things you want to make sure you’re keeping up with during the COVID crisis, and perhaps given you some ammunition to go back to your leadership on why they shouldn’t reduce the privacy or security staff in the middle of the pandemic.
I’m not going to tell you that we told you everything that could be problematic or things you might want to consider. We focused in on just a few topics. But again, I hope you found this helpful and thank you for listening.
And thank you, Marti and Andrew, for that helpful information for our listeners on the importance of keeping up a strong privacy and security program during a high-priority pandemic such as COVID-19.
Remember, CynergisTek is here to help. For more COVID-related podcasts, please visit our website cynergistek.com/podcasts. Each podcast episode covers a cybersecurity, privacy, or compliance COVID-related topic in 25 minutes or less.
We also encourage you to contact us if you and your organization need assistance in keeping up proper risk-related practices during COVID-19.
Thanks again, Marti and Andrew and thank you to our listeners.