As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Brian Bobo, CIO and CISO at Greenway Health.
As chief information and security officer (CIO/CISO), Brian Bobo leads Greenway Health’s IT organization, overseeing the security of the hosted environments of thousands of customers. Passionate about building teams and fostering collaboration, Brian brings his experience from the aviation, retail, manufacturing and logistics industries, as well as the military, to create long-term cyber strategies.
Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I’ve had a bit of a wandering career. I’ve worked in roles across a wide range of industries, including everything from manufacturing and logistics to aviation and retail, where I led IT and cyber teams in both Fortune 500s — like Target and Ecolab — and medium-sized companies. Today, I lead Greenway Health’s IT organization with 70 employees and thousands of our clients’ hosted environments. At the same time, I’m serving as a Brigadier General in the National Guard and I’ve led teams of 600+ in overseas operations and led cyber activities. I like to joke that I’m still trying to figure out what I want to do when I grow up — but my career in cybersecurity has certainly been compelling and rewarding.
Are you working on any exciting new projects now? How do you think that will help people?
Over the course of this year, our team has heavily focused on empowering our customers with the tools and resources they need to continue providing quality care to patients while ensuring business continuity for the practice. For example, with virtual care visits expected to exceed one billion in 2020, our team quickly developed and launched Greenway Telehealth™, a secure, HIPAA-compliant solution designed with an easy-to-use interface for both providers and patients, in direct response to these evolving customer needs and the increasing demand for a secure, high-quality and flexible remote care solution that practices can implement as part of a long-term virtual care strategy.
While it’s clear that virtual care tools are the future of healthcare delivery, interestingly, a recent report found that the rapid adoption and onboarding of telehealth vendors led to a significantly increased digital footprint and attack surface, leaving both provider and patient data at risk. Delivering on our promise of providing practices with innovative healthcare solutions that keep patients — and the practice — healthy and safe, Greenway Telehealth was built according to the requirements of the Security Rule to prevent data interception and protect electronic protected health information. And as a next step, our customers will soon benefit from having a telehealth solution integrated with their core EHR to further assist them in reducing provider burnout and maximizing the efficiency of the practice.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The dynamic nature of cybersecurity. Cybersecurity in healthcare never stays the same — there’s always a new threat or twist to which we have to respond.
- The cybersecurity space is extremely collaborative, with many individuals open to networking, sharing ideas and helping others out when and where able. This industry feels like a true community focused on achieving the greater good, and that’s what motivates and inspires me and my team each day.
- Regarding my current role in healthcare cybersecurity, there is a big responsibility in keeping patient, practice and employee information safe and secure, and I am passionate about fulfilling this duty.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Ransomware has always been a critical cyber threat in healthcare. In fact, in the last quarter of 2019 alone, there was a 350% year-over-year increase in ransomware attacks on healthcare entities. The COVID-19 pandemic has only increased these threats even more, all the while creating new ones. As an example, a recently released report from SecurityScorecard and DarkOwl found that telehealth systems have experienced an enormous increase in targeted attacks during COVID, as the pandemic has presented a multitude of cyberattack opportunities, ranging from phishing attempts to patchy work-from-home security practices. Considering healthcare is now the number one most targeted industry in the US, in 2021 and beyond there is a real need and opportunity to shore up security so irreparable harm is not done.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
There’s no specific rule about catching something that’s amiss because there’s an infinite number of possibilities. But, there are a few signs to be aware of:
Email phishing is a type of cybersecurity scam where cyber criminals impersonate legitimate organizations through email in order to steal sensitive information, such as login credentials, credit card information, patient data and more. Even some of the most secure and prepared organizations can fall victim to a phishing attack, so it’s critical all teams educate staff on what a phishing email, text or social media post looks like and invest in inbox defense software and other appropriate technology.
A non-secure connection, such as using public WiFi, is a major risk, as hackers have access to every piece of information you’re sending out on the Internet, and can also use an unsecured Wi-Fi connection to distribute malware. While this should be avoided, if you do have to use public WiFi, always and only connect to HTTPS and never connect to a service that’s HTTP. Some browser extensions can also be dangerous, as most extensions have the ability to collect a lot of data about users, which leads to privacy issues. When using extensions, only install those from official Web stores, and pay close attention to the permissions that they require. There are also many good security solutions that should be utilized to detect and neutralize malicious code in browser extensions.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
There are a few steps we advise healthcare organizations to take should there be a data or security breach. The first step is to assess the security risk of the breach and implement the appropriate security measures to prevent any further data loss or prevent the breach from getting any worse — i.e., to “stop the bleeding.” You do this by isolating the impacted systems. If you don’t have an incident response team, you should proactively engage with a vendor to provide assistance on demand and help you understand immediate steps, forensic considerations, and long-term mitigation work.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
The healthcare industry has been a target for cybercriminals well before COVID-19, but since the pandemic, cybersecurity threats have taken full advantage of the overwhelmed healthcare system, with an almost 50 percent increase in reported breaches between February and May of 2020. Attackers have expanded phishing and social engineering efforts, preying on the anxiety and fear caused by the coronavirus, or seeking donations for COVID-related causes, and disguising their attacks to look like trusted entities. Other cyber-enabled financial crimes have escalated, including business email compromise, personally identifiable information theft, ransomware and account takeovers. The bigger issue, though, centers around the industry’s overnight pivot at the start of COVID-19 to expand remote care modalities. These technologies enabled providers to more safely attend to patients’ routine needs and address the increasing demand related to the pandemic. To facilitate more telehealth offerings and meet physician needs, HIPAA regulations were relaxed, allowing for use of new technology platforms — including some that presented higher security risks. Additionally, with offices closed and the public being urged to stay at home to prevent the spread of COVID-19, more providers were teleworking. The use of unsecured WiFi and lack of enterprise virtual private networks (VPNs) opened the opportunity for increased cybercrime against the healthcare sector.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
For healthcare specifically, there are five ways to begin safeguarding your organization almost immediately, regardless of practice size or access to key resources.
- Proactively secure your systems. Part of being proactive is ensuring all software and solutions are updated and the latest patches are applied. Also plan to use strong passwords and enable multi-factor identification if you are using cloud-based solutions, such as Office 365 or Google Apps.
- Ensure teleconferencing solutions are protected. The use of virtual care solutions will not subside following the COVID-19 pandemic. And because practices handle sensitive patient data over these platforms, security needs to be top priority. Adopt a HIPAA-compliant telehealth solution that fits into your already established practice workflow for an extra layer of security and protection.
- Develop clear work from home policies and protocols. If practice staff continues to work from home, create policies that establish clear expectations and requirements for remote work security. Setting up a VPN can be one good way to provide a secure connection to practice records.
- Educate staff on how to avoid cyber threats. Education and awareness are key. Ensure staff is aware of all potential threats and how to protect themselves and patient data. Consider providing practice-wide training to be proactive in safeguarding the practice from cybercriminals and hackers.
- Work with a third-party cybersecurity expert. Cyberattacks will continue, but security consultants and trusted vendors can help evaluate your practice’s security risk and provide recommendations for improving your company’s defense.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!