As Pandemic Enters 2nd Year, CISOs Face Ongoing Telework, Telemedicine Challenges

Health Care Compliance Association (HCCA)

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 21, no. 4 (April 2021)

As the COVID-19 pandemic progressed from its urgent beginning to almost a “new normal,” chief information security officers (CISOs) at health systems have been fighting to combat emerging cyberthreats while supporting the sudden shift to telemedicine and working from home. In doing so, the officers said, the experience offers lessons for the path forward.

Five privacy and cybersecurity experts offered their take on the pandemic and what it revealed about the health care industry’s cyber strengths and weaknesses on March 22 at the 30th annual National HIPAA Summit, which was held virtually.[1]

“Last March was a pretty big blur,” said Jacki Monson, vice president and chief privacy and information security officer at Sutter Health in northern California. “Literally from one day to the next, we went from having a couple of hundred workforce members working from home to close to 15,000.” This affected security, of course, but it also affected workflow, she said. “Things are different with people working in the office versus at home, and there’s lots of security issues and lots of privacy issues that we had to accommodate.”

Telemedicine was a major, urgent issue, Monson said. Prior to the pandemic, Sutter Health had some telemedicine activity, but when California canceled all inpatient and outpatient appointments in March, the health system had to move as many appointments as possible to telemedicine, she said. “We went from about 400 or 500 telemedicine visits to close to 200,000 a day within a couple of weeks when the pandemic hit, and there’s all kinds of challenges and opportunities that came with that with respect to security.”

HHS helped by issuing emergency public health exceptions that allowed providers some flexibility with telemedicine early in the pandemic, Monson said. But the health system still had to select and implement telemedicine platforms, all while the pandemic was building, she said. At the same time, “we also saw the cybersecurity numbers of potential attacks triple. And so it was just a very, very busy time trying to manage it all.”

Monson said that her team did not experience any furloughs. However, many workforce members in field offices, hospitals and clinics did, “because obviously, when you close operations other than inpatient critical functions, you have a lot of workforce members that you just don’t have work for.” Bad actors seemed to realize this dynamic existed, she said. “We actually had some individuals approached at one of our affiliates to sell their user name and password for around $20,000 to give [the bad actor] multifactor authentication access to our systems.” There also were issues surrounding access to COVID-19 research data, she said. “So I’m not sure we could have run with a smaller staff, and we have been very fortunate not to have been impacted by any layoffs or furloughs, just because of the criticality of the function. And we really believe that privacy and security is a patient safety issue, and so that’s how my senior leaders contemplate needing to continue to invest in it.”

Darren Dworkin, senior vice president of enterprise information services and chief information officer (CIO) at Cedars-Sinai Health System, said it moved rapidly to ramp up its telemedicine operation. “We went from a rough utilization of 3% to 5%—which parenthetically we were awfully proud of—to breaking 50% and 60% in some areas,” he said. “It was an interesting time to be a CIO. Our first reaction was to support our frontline caregivers and really figure out how to support our patients and our community by essentially saying ‘yes’ and being as flexible as we possibly could in ways that, candidly, we didn’t really imagine we would do. The truth of the matter is that sometimes an emergency drives in necessity.”

Still, Dworkin added, “very quickly it sets in that there does need to be some degree of hardening. To be perfectly candid, we’re still dealing with that aftershock of what that hardening looks like. Some of those things just take a really long time.” As the pandemic moves into its second year, it continues to “essentially affect all of our operations in ways that we didn’t really understand” during the system’s quick initial reactions. He said his team is still trying to figure out how to handle some issues.

[View source.]

Written by:

Health Care Compliance Association (HCCA)

Health Care Compliance Association (HCCA) on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.