30/60/90 Plan During Covid-19 Checklist


Planning From a CISO's Perspective During the COVID-19 Crisis

Written by Ben Denkers, Senior Vice President of Cybersecurity and Privacy Services at CynergisTek, and Dave Bailey, Director of Security Services at CynergisTek

Being a CISO in healthcare has always been a difficult juggling act. That job has now evolved into juggling flaming swords. Protecting against cyberthreats and maintaining business continuity has always been part of the job. However, now this has to be done across a landscape that includes new threats that take advantage of the crisis and target those in crisis, as well as an attack surface that has expanded far beyond the normal workspace and is no longer safely behind the enterprise firewall on centrally managed and maintained devices. Telehealth is exploding, and even the Office for Civil Rights (OCR) is allowing apps like FaceTime, Facebook Messenger, Google Hangouts, and Skype to be used to provide telehealth services during the crisis. Communications run over public carriers, and users are working from home on networks that may or may not be secured and that likely include an array of devices that are not, or cannot be, secured and are "always on."

The following checklist is not intended to be exhaustive, nor will the suggested timing, or even the items listed, be appropriate in every environment or organization. However, it does represent the areas that today's CISO does not want to let slip through the cracks while trying to securely adapt the organization to a new model in a fast-paced, ever-changing environment. It may also represent many things that will have to be addressed as the demands on time and resources begin to return to some semblance of "normal," or at least routine.
30/60/90 Day Planning Cybersecurity Checklist for Operations During and Post COVID-19

Within 30 Days:

• Review and update communications plans and call trees, including alternative contact information for all security, IT, and clinical engineering staff and for any functional areas related to privacy and security (e.g. supply chain, privacy, HR, legal, and risk management).
• Change the domain admin passwords, ensuring a length greater than 14 characters, and step up admin access reviews:
  ° Disable any access not needed during COVID-19 operations;
  ° Expand current multifactor authentication (MFA) implementations to administrator accounts;
  ° Review lines of succession to privileged administrators in the event administrators become infected; and
  ° Ensure that admin accounts are kept separate from general user accounts.
• Review emergency access procedures:
  ° Ensure appropriate steps are taken if access is granted to sensitive data outside of standard provisioning practices.
• Minimize change in the environment unless required for break/fix or for projects needed to address COVID-19 threats.
• Continue regular patching and updating, and evaluate new risks as new threats emerge.
  ° Downtime will become harder to schedule; consider focusing on "critical" and security-specific updates related to new COVID-19 attacks.
• Perform telehealth risk reviews and acceptance, and document risk acceptance for all new telehealth initiatives.
  ° In particular, investigate the VPN: ensure that the exit node is inside the firewall and that logging captures the assigned IP address and the user it was assigned to.
  ° Review the VPN provider's infrastructure: determine whether any third-party subcontracted telecommunication providers that support the proposed VPN access reside in foreign countries (nation-states), or whether the infrastructure is entirely owned by the VPN provider.
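The domain admin items above (password rotation, disabling unneeded access, keeping admin accounts separate from daily-use accounts) can be turned into a repeatable access-review report. The script below is an added example, not part of the CynergisTek checklist; it assumes the RSAT ActiveDirectory module, read access to the Domain Admins group, and an assumed local convention that dedicated admin accounts end in "-adm".

```powershell
# Added audit helper (not from the original checklist). Assumptions: RSAT
# ActiveDirectory module is installed, the caller can read Domain Admins, and
# dedicated admin accounts follow an assumed "-adm" suffix convention.
Import-Module ActiveDirectory

$MinLength      = 15                       # checklist: length greater than 14
$PasswordCutoff = (Get-Date).AddDays(-30)  # assumed: rotated within the 30-day window
$StaleLogon     = (Get-Date).AddDays(-90)  # assumed: no logon in 90 days -> review for disable
$AdminSuffix    = '-adm'                   # assumed naming convention for separate admin accounts

# 1. Does the default domain password policy enforce the required length?
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt $MinLength) {
    Write-Warning ("Default domain policy MinPasswordLength is {0}; checklist requires at least {1}" `
        -f $policy.MinPasswordLength, $MinLength)
}

# 2. Enumerate privileged users, including members of nested groups.
$findings = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName `
                -Properties PasswordLastSet, LastLogonDate, Enabled, EmailAddress
        $issues = @()
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $PasswordCutoff) {
            $issues += 'password not rotated in window'
        }
        if ($u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $StaleLogon)) {
            $issues += 'enabled but no recent logon (candidate to disable)'
        }
        if ($u.SamAccountName -notlike "*$AdminSuffix") {
            $issues += 'does not follow separate-admin-account convention'
        }
        if ($u.EmailAddress) {
            $issues += 'mailbox attached (admin account may double as daily-use account)'
        }
        [pscustomobject]@{
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Issues          = ($issues -join '; ')
        }
    }

# 3. Report only accounts with findings, as the record for the access review.
$findings | Where-Object { $_.Issues } | Format-Table -AutoSize
```

Run it once before the password change and again after, and keep both outputs with the review record; the "mailbox attached" check is only a heuristic for accounts shared with general use.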
