How Health Care Providers Are Combating an Increase in Cyber Crime

As hospitals and health care providers deal with the impact of the COVID-19 pandemic, many are also combating an increase in attacks by cyber criminals, including phishing scams, ransomware and other threats to information security. As chief technology and security officer at Children’s Hospital of Philadelphia (CHOP), Monique St. John ’94 is on the front line of the industry’s response to these attacks. St. John’s role includes responsibility for technology, strategy, implementation and support services for the internationally known pediatric health system.

We recently talked with St. John about the ways that COVID-19 has created new or heightened cybersecurity concerns for health care providers. Along with Babak Forouraghi, Ph.D., professor of computer science, St. John will also be the featured speaker at an upcoming Saint Joseph’s Unlimited Learning webinar, “The Role of Information Security During COVID-19 and Beyond” from 12-1 p.m. on May 20.

An edited transcript of the conversation follows.

What are the most notable ways that the COVID-19 pandemic has created new or exacerbated cybersecurity concerns for hospitals and health care systems? 

Monique St. John: There has been increased risk with the mobilization and expansion of telehealth and remote workers. We always need to make sure security protocols are in place, but with such an increase we have to evaluate whether we need to expand capacity and assess if the security protocols currently in place are still appropriate. The second thing is that hackers began targeting health care providers because they assumed they would be distracted with COVID-19 activities. For example, they have been sending phishing emails targeted to health care providers to deliver malicious code.

What guidance have you been giving to internal stakeholders, such as employees, and external stakeholders, such as patients and their families, about these threats?

St. John: Education and awareness are key. We’ve sent example phishing messages to help our employees learn to identify what a fake email looks like. We also send educational materials on what threats to look out for and what we’re seeing in the region and globally so they can be prepared. To me, our employees are our first line of defense and it’s very important for us to keep them educated and aware.

In regard to patients and their families, it’s making sure they verify who messages are coming from and that they don’t click on anything until they are sure who the sender is and what the attachment is. We also explain how to follow best practices, such as never writing down passwords, making sure passwords are complex or even phrases so that you remember them, but they are harder to crack. We also ask them to make sure they have security devices or antivirus software installed and that they are updating it at regularly scheduled intervals.

How do you make sure the communications you send are understandable for a non-tech audience?

St. John: Whether wearing my technology hat or my security hat, we need to make communications digestible and keep them simple. Many people help review our communications before they are disseminated, and they work with us to drill down messages that are most appropriate for various audiences.

At CHOP, we know our employees are very busy, so we need to ensure that when we choose to send communications, they are well-planned and deliver the right information, at the right time, to the right people. We do our best to deliver only concise, clear information; we’ll often send pictures to show people an example of what we’re seeing and ask that if they see something similar, to let us know

How do you stay informed about what threats exist?

St. John: We partner with third-party companies to stay abreast of new information and to get threat intelligence. We regularly connect with regional law enforcement and other agencies to talk to us about what they’re seeing. We also talk with other health systems … systems are out there helping each other. It’s not just one organization looking out for itself; it’s a network of people wanting to make a difference in the information security community, not just for their company, but for the benefit of all.

What can we learn from the current pandemic-related cyberthreats that can help us prepare for future crises?

St. John: Cyber risk and cyber threats will continue to increase and create an impact on every organization. That can range from a data issue to business operations impacts or even impacts on your household. It’s our job to assess the risk and the severity of what’s going on in the industry and our threat levels, and first and foremost to continue to have the conversations, to make sure threats are understood.

Hackers never sleep. We must always be prepared for threats and professionally, we need to practice for cyber threats just like we would for any other threat, including emergency drills. How we respond is just as important as identifying a threat.

How did your Saint Joseph’s experience impact your career path?

St. John: Saint Joseph’s instilled in me a drive to make a difference in giving back, not just going to work. The community service programs and courses really set the groundwork for my career and helped shape me personally. The other thing I would mention is that throughout my career, I’ve been given the opportunity to advance, and some key opportunities have come from Saint Joseph’s alums. It’s our role as leaders to continue to grow other leaders, provide those opportunities and to pay it forward. That’s what Saint Joseph’s brings out in all of us.