Securing remote access for healthcare workers

Many healthcare organizations have hired more remote workers in recent years, but have struggled to keep their cyber security defenses up-to-date. Amidst financial pressures and staff shortages, they have had to rely on shorter-term “fixes” to protect the hybrid workforce against intensifying attacks.

For instance, during the global pandemic, when more employees began working remotely, 51% of medical practices spent less than $5,000 setting up their hybrid or remote practice. Common healthcare cyber security examples included adopting more virtual private networks (VPNs) and shifting some applications (but not all security functions) to the cloud.

But such short-term fixes make healthcare organizations more vulnerable to cyber attacks. For those that continue to embrace a hybrid work model and its benefits (which include improved staff morale, reduced burnout, and increased productivity), a long-term security strategy is in order.

Three of the top “work-from-anywhere” risks for remote healthcare workers include the reliance on VPNs, multi-channel phishing, and shadow IT. Below are how a modern Zero Trust approach addresses those risks in a more sustainable way.

Disadvantages of VPNs

Traditionally, healthcare organizations have relied on the “castle-and-moat” security model, which focuses on protecting the network perimeter. In a hybrid work context, this means using VPNs and remote desktop software to check remote users’ credentials and encrypt traffic between users and the various applications or devices in the central corporate environment.

However, VPN risks — such as the zero-day vulnerabilities in certain Ivanti and Palo Alto Networks products, and the brute-force attacks against Cisco’s VPN solutions — illustrate the inherent flaws of a perimeter-based approach. VPN access is:

• Too risky: As illustrated by the zero-day flaws found in multiple VPNs (more examples here and here), VPN security is unreliable. The network-level access and default trust granted by VPNs also invites the possibility of lateral movement.
• Too slow: With access depending on the user’s location, device, role, and identity provider, the VPN user may experience latency.
• Too inefficient: VPNs can slow down user onboarding, delay the rollout of new apps, and waste precious IT time when they break.

It’s understandable that healthcare organizations — dealing with unprecedented financial headwinds and IT staffing shortages — initially turned to VPNs during the pandemic. However, it is clearer that VPNs (which were designed for short-term connections by a few systems) are not sustainable for the expanding scope of remote healthcare work.

The more effective, sustainable approach is Zero Trust security. Unlike risky VPNs, Zero Trust services require strict identity verification for every person and device trying to access resources on a private network, regardless of location.

For instance, Zero Trust technologies enable healthcare organizations to:

• Verify every application access request based on more than just identity: Geolocation, device security posture, enterprise security standards, a continuation evaluation of risk/trust, and other factors are considered before someone is granted access to a resource.
• Inspect and filter all employee Internet traffic: Wherever employees work, their Internet browsing is susceptible to phishing, malware, ransomware, and other attacks. Unlike a VPN, Zero Trust provides the ability to block browser-based attacks. It can also prevent workers from visiting or interacting with suspicious websites.

Phishing attacks

More patient records are compromised via phishing scams than any other reason, according to a study of healthcare-related data breaches from 2015 to 2020.

For example, phishing was the root cause of one ransomware attack against the University of Vermont (UVM) Health Network. It started when a traveling employee used their work laptop to check personal emails. One email, which appeared to be from the employee’s homeowners association, launched malware that allowed attackers to move laterally to access UVM Health Network’s systems. The attack disrupted operations for weeks: hundreds of employees were unable to work; patient procedures were delayed; and the organization suffered more than $63 million in losses.

Highly targeted, malware-less business email compromise (BEC) phishing is also on the rise. In June 2024, the FBI and the US Department of Health and Human Services issued a warning about attackers gaining access to healthcare employees’ email accounts, and then using the login information to divert insurance disbursement payments.

For modern workforces, work and data do not just sit in email. For instance, SMS (text messaging) and public and private messaging applications are attack vectors that take advantage of the ability to send links over those channels, and also how people consume information and work. There’s cloud collaboration, where attackers rely on links, files, and BEC phishing on tools like Google Workspace, Atlassian, and Microsoft Office 365. And, there’s web and social phishing targeting people on LinkedIn and other platforms.

To prevent such “multichannel” attacks, healthcare providers can use a multi-layered approach that first protects email, then extends Zero Trust to other web-based traffic.

With a Zero Trust approach to combatting phishing, organizations can:

• Automatically isolate suspicious email links and prevent workers’ devices from being exposed to malicious web content
• Limit users’ interactions with suspicious websites, and prevent malicious scripts embedded within webpages from running locally on the worker’s device
• Block access outright to high-risk sites (such as those already known to participate in phishing)
• Restrict what can be uploaded, typed, or copied and pasted into third-party apps; workers can also be prevented from uploading proprietary data into third-party generative AI tools

Risks of shadow IT

Hybrid work environments increase the risk of “shadow IT” — the unsanctioned use of software, hardware, or other systems. According to a 2024 survey, the majority (81%) of IT leaders at US health systems report shadow IT software purchases. And nearly half (48%) had not audited their organization’s software within the past year.

Shadow IT is a particularly serious threat to healthcare organizations. It undermines IT’s ability to secure and monitor critical systems, putting patient data at risk. Unsanctioned SaaS apps, for example, make it virtually impossible to verify HIPAA compliance of protected health information (PHI), and increase the risk of zero-day exploits and data breaches.

Should organizations go user by user, file by file, SaaS app by SaaS app and review everything for what could be potentially problematic? For most organizations, that’s unrealistic.

To help reduce the use of unauthorized apps, implement ongoing risk management training for employees, and a “blame-free” culture (for those who may have already adopted shadow IT).

Those approaches should also be augmented with Zero Trust technical controls that:

• Provide visibility into SaaS applications and network origins that workers are visiting; then, organizations can create policies to allow, restrict, or block the usage of shadow IT as needed
• Safeguard SaaS apps and other cloud-hosted services by continuously scanning them for exposed files, suspicious activity, and misconfigurations (a common cause of data breaches)
• Reduce data exposure by detecting and blocking people from oversharing sensitive data via the cloud, applications, email, and devices

Simplify hybrid work security with a connectivity cloud

Cloudflare Zero Trust services consolidate many once-distinct technology services to make it easier to secure any connection, and keep workers on any device in any location safe and productive using the Internet, applications, and infrastructure. All services are delivered by a connectivity cloud, a unified, intelligent platform of cloud-native services that simplifies secure “any-to-any” connectivity across all IT environments.

With Cloudflare’s connectivity cloud, healthcare providers secure patient data, enable seamless tech experiences for clinicians, and deliver top-class virtual care — all with greater agility and control.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Dive deeper into this topic.

Learn more about how to close the security gaps that hinder healthcare innovation with the Modernizing healthcare provider cyber security ebook.