3 Healthcare Security Wake Up Calls
By Stephen Trout, HIPAA Blog, Resources

Never let a good crisis go to waste. 

Whoever said it first (possibly Churchill, though it’s debated) understood a deeper truth about life, often missed in easier times: storms of crisis and suffering tend to shake us out of complacency, spurring us to seek change.

Case in point: it goes without saying that COVID-19 has been the titanic struggle of the year (over 50 million cases globally, and counting) for individuals, families, and organizations. Yet while the losses have been great, the crisis has also challenged many to see their faith renewed, families brought closer, and their courage to “help others into the lifeboats” (think nurses and other first responders especially) pushed to beautiful new heights.

In the business of healthcare technology and cybersecurity, the same holds true: violent storms and invisible icebergs (malicious viruses, cyberattacks) may indeed rock our boat, but they also motivate us to do something more than grab a life jacket and bail out. We begin to think about how to “secure the ship” in new ways. 

One reason we’ve done this is that the storm of COVID-19 has brought out opportunists – unscrupulous actors seeking to exploit the “fear and uncertainty caused by the unstable social and economic situation,” as INTERPOL reported. COVID-19 themed phishing emails and fraudulent domains sprang up early and spread almost as fast as the virus. Meanwhile, ransomware and other kinds of attacks from nefarious sources showed no signs of slowing.

As a result, data handling experts like Microsoft (following Google and other cloud providers like HIPAA Vault) appear to be doubling down on security:

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.  – Microsoft’s 2020 Digital Defense Report

So the question is a good one: what are you learning in the wake of COVID-19? 

Here are 3 areas – from a healthcare perspective – where the pandemic storm has indeed rocked the data-security boat, but also spurred positive change:

1. Organizations are Taking Email Phishing more Seriously

Microsoft’s Digital Defense Report notes that over the past year, cybercriminals have become savvier (as noted) – even willing to capitalize on COVID-19 themes early in the pandemic. This was a clear indicator of how agile and evolving (and yes, heartless) the attackers are. 

Interestingly, the report details a general shift for these cybercriminals, changing their primary means of attack from malware to email phishing. As such, they’re utilizing increasingly sophisticated methods to attempt to sway recipients and harvest their credentials. 

A common and effective approach you’ve probably seen is to imitate top brands – including Amazon and Apple – to lure consumers. Clicking on links in the email opens the door for attackers to deliver their harmful payload, compromise your system, and even breach your data.

What Can be Done?

For healthcare organizations, the use of secure, encrypted email that requires sender authentication is one way to tell valid emails from spoofed ones. Messages that fail authentication can be filtered or flagged before a recipient has the chance to fall for a phishing scheme, which in turn protects sensitive data.

Cybersecurity training – such as that offered by Infosec – can also help an organization’s employees recognize potential attacks in the high volume of emails companies typically receive. This is a strategic way that companies can forge a strong defense while eliminating potential weak links in their workforce that might cripple their network.
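As an added illustration of the authentication-based filtering described above (example code, not from the original post or from HIPAA Vault): a small triage routine reads the Authentication-Results header of an inbound message, checks the SPF/DKIM/DMARC outcomes, and compares the visible From domain against a hypothetical allow-list of vetted senders. Both messages and the `TRUSTED_SENDERS` set are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: brand-lookalike sender whose authentication checks fail.
SAMPLE_PHISH = """\
From: "Amazon Billing" <billing@amaz0n-support.example>
To: nurse@clinic.example
Subject: Action required: verify your account
Authentication-Results: mx.clinic.example;
 spf=fail smtp.mailfrom=amaz0n-support.example;
 dkim=none;
 dmarc=fail header.from=amaz0n-support.example

Click here to keep your account active.
"""

# Constructed sample: a vetted partner whose SPF, DKIM and DMARC all pass.
SAMPLE_LEGIT = """\
From: "Lab Results" <results@partnerlab.example>
To: nurse@clinic.example
Subject: Results ready
Authentication-Results: mx.clinic.example;
 spf=pass smtp.mailfrom=partnerlab.example;
 dkim=pass header.d=partnerlab.example;
 dmarc=pass header.from=partnerlab.example

Your results are available in the portal.
"""

# Hypothetical allow-list of sending domains the organization has vetted.
TRUSTED_SENDERS = {"partnerlab.example", "clinic.example"}


def triage(raw):
    """Classify a raw RFC 5322 message as 'deliver', 'quarantine' or 'reject'."""
    msg = message_from_string(raw, policy=policy.default)
    # Pull spf=, dkim= and dmarc= results out of the (possibly folded) header.
    header = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    # The From domain is what the recipient actually sees in the mail client.
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if results.get("dmarc") == "fail":
        return "reject"          # From domain could not be verified at all
    if results.get("dmarc") == "pass" and domain in TRUSTED_SENDERS:
        return "deliver"         # authenticated and from a vetted sender
    return "quarantine"          # unverified or unknown sender: hold for review
```

Messages that authenticate but come from an unlisted domain land in quarantine rather than being rejected, so a new legitimate partner is reviewed rather than silently dropped.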

2. Taking Remote Telehealth Security Seriously

We’ve seen how new technologies such as IoT and 5G are supporting remote healthcare efforts, bringing much-needed treatments to entire, unserved populations. Because of COVID-19, these efforts have been dramatically expanded. Since most of the general population now relies on virtual visits with their physicians to help ‘flatten the curve,’ telehealth has ramped up rapidly. Healthcare organizations are even realizing how effective this is in helping to streamline costs, as in-office visits and business-as-usual operations have significantly changed. 

Yet with more devices and connections being made remotely comes an increase in potential targets and security risks. Healthcare organizations must take appropriate steps to ensure a safe environment for their clients’ medical data and personal information.

What Can be Done?

Using secure connections and data encryption, along with trusted applications and a HIPAA hosting provider, is indispensable for protecting personal information during telehealth sessions. At a minimum, the following practices should also be observed by patients:

  • Visit only secure websites (look for the “lock” icon in your browser’s address bar)
  • Use strong passwords (a mix of lowercase, caps, numbers, and symbols) for all wireless connections
  • Install an antivirus program on devices

3. Taking IoT Device Security Seriously

As COVID-19 continues, we’re seeing how an increasing proliferation of IoT devices (already in process, but spiking) is widening the attack surface. As the Microsoft Report notes, there’s been an approximate 35% increase in total IoT attack volume in the first half of 2020, as compared to the latter half of 2019. 

2017’s devastating WannaCry ransomware attack certainly provided a global wake-up call in this regard. The attack highlighted how numerous devices across England and Scotland were infected due to an unpatched Windows 7 operating system.

What Can be Done?

Getting a handle on the kinds of devices currently in use in the healthcare marketplace (many without patching capabilities) will require a concerted effort, but it must be done. Using devices on segmented networks will also be key, as will requiring more sophisticated, patchable devices going forward.
There are many more “wake-up calls” concerning healthcare and security that we might list; these are just a start. Times like these call for deeper reflection, even a willingness to change our own personal status quo. Protecting patients is a holistic enterprise; we contribute to their well-being when we recognize how they can be damaged not just from an invisible virus, but also from those who would exploit their identity and personal data. 

HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.