New Normal: Security in a COVID World
5 key questions with Mike Landeck, Information Risk Management Strategist, Alluma
1. What’s a common security problem that has only accelerated during COVID-19?
Phishing attacks. The fraudulent practice of sending emails purporting to be from reputable organizations to induce individuals to share confidential information, or to click a link that will infect their computer, is way, way up—all wrapped up in COVID “help.”
People behind phishing schemes have a good understanding of human behavior. We’re going through a traumatic period, and COVID-19 represents a threat that keeps us in a kind of prolonged trauma. This pushes us into survival mode: you’re hungry for information, you’re hungry for control. In normal circumstances, you might not click on these emails, and you might not be fooled. But the people behind these threats are very good at crafting these emails to tap into that hunger for information and control.
This security risk is especially critical for vulnerable people, as we’re seeing with the increase in scams related to the COVID-19 “stimulus checks.”
2. As agencies adapt to social distancing and shelter-in-place guidelines, how does this affect their ability to manage security risks?
We have seen policy changes that are helping agencies adapt to changing circumstances to better serve the public, such as allowing their employees to work from home, or being able to take consent over the phone. These can be good policy changes, but there are some things that need to be in place to ensure agencies and the people they serve are protected. One is a remote-access VPN, or virtual private network. Many agencies had to scramble to get this in place, and it showed that many government technology systems aren’t built for this way of working.
The other component of security is the people factor. When your brain is experiencing a lot of new and different demands, or you’re doing things on the phone you may have done in person before, you can fall into a reactive state of mind. Self-care is really important for agency workers, to keep from making mistakes they ordinarily wouldn’t.
Those of us who work with protected health information (PHI) had built-in security protections at the office to help keep this information private. For example, at the office, you may be used to locking your computer screen, not clicking on certain links, using your badge to access certain areas, and keeping folders out of view. But now that many of us are working from home, we can experience a loss of our office security culture. Our home and work boundaries break down. In order to protect both PHI and confidential business information, we have to be mindful about who can see our desk and hear our phone calls, about what we print out, and about maintaining the same processes at home for handling confidential information.
3. It sounds like managing information risk isn’t just about technology tools.
It’s really three parts: people, processes, and technology. Agencies have processes in place, including scripts that were designed to prevent risks. Those processes were effective before, and they can be depended upon during this time.
Fraudulent contacts to customer support lines prey on agency staff’s eagerness to help, which is heightened during an emergency response. Workers can be susceptible to people attempting to get information they shouldn’t: information about a specific person (e.g., an ex-spouse, or a child custody situation), benefits they would not ordinarily qualify for, or details about the technology being used.
The support processes and phone scripts that were put in place provide a level of protection against these calls. Modifying them spontaneously defeats their purpose. Agencies can implement expedited approval processes for any necessary changes, but they should have a process to address needed changes.
4. Is there a technology tool or change that’s helping us deal with the new demands of life during COVID-19?
Our approach is that you always have to think about technology and policy together. For example, telehealth is both a technology and a policy issue. For the volume of people who need telehealth support at this time, the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policy had to evolve. For example, care providers who had never thought about online delivery of their services had to quickly shift their practices to using telehealth and other online communications. The U.S. Health and Human Services’ (HHS) Office for Civil Rights, which enforces HIPAA, allowed health care providers to use low-cost, easy-to-use teleconferencing platforms such as Zoom without penalty during this public health emergency.
Although this policy change may allow providers to avoid the risk of a HIPAA fine, the federal government has provided very little guidance on how best to use these new technology options to protect their patients’ information in the short term and, more importantly, for the long term. So it’s important for providers to think about ways they can defend customer data against breaches in a variety of ways, including through their people, processes, and choice of technology.
5. What do you think are some future trends that will grow out of this time?
Telehealth will accelerate. One of our clients, Arizona, has been ahead on this issue because a lot of people who are applying for and needing Medicaid in their state are in rural areas. But most government agencies had no contingency plans for how to quickly change their business processes and operations to a distributed, remote model. For example, government employees who work in health and human services agencies use desktops, not laptops, and have no secure VPN to conduct their jobs. Most do not have office-issued cell phones either. The ability to work from home requires basic infrastructure (internet, VPN) and tools, as well as adjustments to workflow and other procedures that were not in place before this emergency. As a result, there’s a kind of catch-up that’s happening now to modernize the way we work, both in how work is done and in the technology solution itself.
I also see a trend toward thinking of scale, because we’ve seen this tremendous increase in need all at once. And we have to work more efficiently to deal with the scale of demand. We won’t want to lose those efficiencies, but we’ve got to figure out how the systems government uses, the way they manage their data, and their standard policies and procedures can be revised to support those efficiencies. I predict that’s where a lot of innovation is going to come: around how we deliver efficiently while keeping people safe and their information secure. We have to think about how governance can facilitate efficiency. Because whether it’s a pandemic or natural disasters, there will be other things in the future where we will be pushed to deliver more, and more rapidly, than we’re used to doing now.
Alluma’s Mike Landeck led the security implementation and then operationalized two of the country’s largest cloud-based healthcare IT projects. Mike has been responsible for the overall security of systems with financial transactions of over $4 billion per month, as well as for security programs regulated by HIPAA, SOX, PCI, FISMA (NIST 800-53), the IRS (IRS 1075, covering federal tax information, FTI), and FedRAMP.
Mike is a frequent conference speaker and workshop presenter across the country on topics such as software security testing and security program management. He is a CISSP as well as a PCSM, and has several degrees in the behavioral sciences. Mike is always happy to speak to nonprofit organizations on cybersecurity and staying safe online.