The following is an interview with Dan Schaupner, Head of Cybersecurity Consulting, North America BDS at Atos and John Lynn, Founder and Chief Editor at Healthcare IT Today.
Tell us about yourself and Atos
Atos is a leading global information security services provider, with over 100,000 employees worldwide, supporting many major customers in many countries. I am the Head of Cybersecurity Consulting for our North American group and we advise organizations on cybersecurity strategy, security architecture, and digital transformation.
One story I read recently said that some ransomware networks are avoiding healthcare during COVID-19. Should healthcare feel any safer from hackers and other security threats amidst the crisis?
Absolutely not. If anything, they should be wary of many entities who want to take advantage of this crisis for various motivations.
What are the major security threats in healthcare that are being exploited because of COVID-19? What should healthcare organizations and CISOs be watching for?
Phishing and disinformation awareness are at the top of my list. Given that healthcare organizations and the general public are expected to play significant roles in defeating COVID-19, it is critical that they are getting the best information possible. Failure to address this can significantly impact the organization.
What are the key things that every healthcare organization should be doing now to ensure they’re as secure as possible during the crisis?
My hope is that all organizations have an emergency plan and that they’ve practiced it. However, knowing that this isn’t the case for all organizations, ideally there should be a crisis operations center involving coordination between the organization’s head of security, service line leaders, and information security professionals. The head of security should also be in touch with their peers, as well as local authorities, to ensure sufficiency.
How has COVID-19 impacted healthcare security budgets?
Remains to be seen. Reflexively, we hope to see contingency planning and business continuity take greater focus. However, there will be a great supply chain overhaul when we are past the crisis and that should warrant a greater focus on the cybersecurity surrounding that system.
What should an organization do to manage these security budget changes?
Use cybersecurity frameworks to chart gaps in their security capabilities.
OCR has issued multiple HIPAA enforcement discretions in response to COVID-19, are these good changes that should last past COVID-19 or are they creating security and privacy issues? Why?
One way of looking at it could be that OCR is creating security and privacy issues. HIPAA regulations are deliberate and reducing enforcement on any of the guidelines weakens security. That said, the other way of looking at it is that it is a fundamental risk management decision on the part of OCR, like tough decisions that risk managers must make every day; that is, what is the greater good given the circumstances? Certainly, the head of OCR has taken risk management leadership in making this call. But he, HHS, and the Trump administration will also be accountable for the consequences (positive or negative).
Which areas of healthcare security are getting missed because of COVID-19?
One of my big concerns is emergency messaging. My observation of messaging systems in general is that care must be taken to ensure they are configured correctly to ensure that a) they work as intended, b) display messages in a way that the reader can be certain of source, and c) the implementation is accompanied by anti-phishing training. Getting the wrong information (or ignoring legitimate information) during crises can impact our response.
What new security vulnerabilities are being introduced as healthcare organizations scale up beds for COVID-19? What can be done to minimize the security risk?
There are so many, but the one that “keeps me awake at night” is ensuring secure and authenticated messaging along the supply chain and with the general public. As states, hospitals, and other points of delivery compete for resources, I’m concerned about the impact of spoofed messages, denial of service, and phishing. Arguably, competition for ventilators, facemasks, and testing kits is already a problem, but is it being exacerbated through an insecure or inefficient messaging?
As for the general public, my concern is the access to reputable sources of news and information. As we collectively navigate the crisis, how do ensure that the public is not falling victim to hoaxes, disinformation campaigns, or other questionable sources? The implications of these threats is significant given that our success against COVID-19 will depend on how the general public plays its part, that is, social distancing, covering faces, and staying at home.
What can be done to make sure staff are aware of COVID-19 security risks when they’re so slammed with patient care?
It’s tough to ask our healthcare heroes to take on so much more as they are overwhelmed. The most important message is that care for the individual includes protecting their privacy and civil rights, and that the patient is truly not well unless those are protected too.
About Dan Schaupner
Dan Schaupner is Head of Cybersecurity Consulting for Atos North America. Dan has been with Atos since 2017 and brings two decades of experience to his leadership of consulting activities. Previously, Dan was CTO at a Washington DC risk management firm, advising the US government on cloud security. During his career, Dan has advised business and technical leadership in many industries; but he also brings perspective in healthcare including architecture for medical records management, medical device assessments, and strategic planning. Dan is a graduate of the Atos Gold for Technology Leaders program, member of the Atos expert community, and provides mentorship to the Atos FUEL program for emerging professionals. Dan holds an MBA from Virginia Tech, Engineering Bachelor’s from the University of Michigan, and CISSP and CISM certifications.
Atos is a proud sponsor of Healthcare Scene.
This interview is part of the #HealthIT100in100