Coronavirus Response Disrupts Healthcare Data Privacy and HIPAA Compliance
 

Healthcare privacy and HIPAA compliance in the time of coronavirus present security professionals with three converging disruptions:

• First, governments around the world are exponentially expanding the potential attack surface, opening a pandora’s box by attempting to combat the virus’s spread with increasing use of telehealth applications, mobile location data, social contact tracking, and facial recognition.[1]
• At the same time, governments are relaxing protections of healthcare data privacy and security.
• And, exploiting the crisis, hackers are escalating phishing attacks to hijack all the data they can—focusing especially on the millions of employees now working at home.

Navigating Uncharted Territory in Healthcare Privacy and HIPAA Compliance

As a result, security professionals find themselves navigating uncharted territory when it comes to maintaining healthcare privacy and compliance with HIPAA. For example:

• The U.S. Department of Health and Human Services (HHS) has rewritten rules to give people easier access to their medical information by smartphone apps. But the American Medical Association is already warning of resulting risks to patient privacy.[2]
• HHS has also allowed medical providers to expand their use of remote telehealth applications, including video and messaging.[3]
• What’s more, enforcement of HIPAA compliance related to telehealth services will be discretionary, HHS announced. “Covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” the agency said.[4]
• Varying national applications of rules such as Europe’s General Data Protection Regulation (GDPR) are also reported to be creating confusion about handling medical and other personal information during the crisis.[5]

Reinforcing HIPAA Compliance as a Baseline for Crisis Management

It is unclear whether and for how long these and other developments will leave an imprint on healthcare privacy and security when the crisis abates. In the meantime, security professionals need to continue to exercise the best practices embodied in HIPAA regulations as a baseline for turbulent times and in preparation for the return to a “new normal.”

Unfortunately, even before the crisis, 90% of healthcare organizations experienced an email-borne threat in the past year, according to the findings of a recent report from HIMSS Media and Mimecast. 72% of organizations experienced downtime as a result.

Below are some of the key security risks addressed in HIPAA, including improper uses and disclosures, inadequate security safeguards, weak access controls, violations of privacy practices, and non-adherence to the “minimum necessary rule,” which dictates who can access PHI, or personal health information.[6] Included are steps designed to mitigate risk.

Poorly Secured Records Threaten Healthcare Privacy and Security

HIPPA privacy rules require healthcare workers and others who handle personal health information to keep records private. However, employees don’t always follow guidelines. They may share protected information with friends, family, and the press. A related concern is third-party disclosure of PHI among organizations. Mitigation strategies and tools include:

• Ensure offices have locks and adequate physical security.
• Use strong encryption to keep physical and electronic systems locked.
• Reinforce awareness training, such as how protect personal health information.
• Ensure that malware protection is up to date to protect against spyware and ransomware.
• Use data loss prevention software to control what data is sent through email.
• Make sure any lost or stolen device can be remotely wiped.
• Monitor social media posts.

Inadequate Risk Analysis Undermines Data Protection

Too often, organizations fail to conduct a comprehensive enterprise-wide analysis of systems and data—or they leave these risk assessments sitting on the proverbial shelf, unread. As a result, they’re not clear on where vulnerabilities exist and ways that personal health information can be exposed, inadvertently or intentionally. As a result, they can’t address these potential vulnerabilities, leaving systems open to hackers and attackers. Mitigation strategies and tools include:

• Review the organization’s risk analysis of processes, systems, and workflows to know where personal health information data resides.
• Ensure that malware protection is current.
• Manage both enterprise and personal devices used for healthcare.
• Reinforce awareness training so that employees understand risks and responsibilities—as well as best practices for protecting personal health information.

Insufficient Access Controls Expose Electronic Personal Health Information

Electronic records pose different healthcare privacy and HIPAA compliance risks. One of them is who has authorization to view, manage, and share data. Without strong authentication systems and controls over who can access what data, the risks to healthcare privacy and security increase dramatically. Mitigation strategies and tools include:

• Reassess authentication systems.
• Review database security.
• Restrict the use of USB sticks and other external media.
• Ensure that roles and permissions match the level of access staff require.
• Reinforce awareness training, particularly with regard to managing and guarding credentials along with passwords.

Beware Improper Disposal of Personal Health Information

Record retention and disposal pose numerous healthcare privacy and HIPAA compliance challenges—and physical and electronic information each introduce different obstacles. Many organizations don’t know exactly what they have, where it is stored, and when it should be destroyed. Mitigation strategies and tools include:

• Shred or pulp paper records.
• Demagnetize, wipe, or destroy actual devices when decommissioned.
• Understand where data resides in cloud-based systems and on connected Internet of Things (IoT) devices, especially with respect to shadow IT.
• Know where data backups reside.

It’s wise to stay alert for additional healthcare privacy and security gaps, which may encompass unattended electronic devices, downloading personal health information on unauthorized devices, inappropriate texting, and providing others with unauthorized access to medical records or specific data.

The Bottom Line

Data protection has become a moving target, as the response to the coronavirus pandemic has driven more—and more innovative—collection, analysis, and dissemination of personal health information. In particular, healthcare privacy and security concerns are rising—along with HIPAA compliance uncertainty—thanks to new applications, relaxed compliance requirements, and increasing cybercrime. Security professionals should reinforce existing protections as they navigate this new threat landscape. 

[1] “How to (Carefully) Use Tech to Contain the Coronavirus,” New York Times

[2] “New Data Rules Could Empower Patients but Undermine Their Privacy,” New York Times

[3] “OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion,” U.S. Department of Health and Human Services

[4] “FAQs on Telehealth and HIPAA During the COVID-19 Nationwide Public Health Emergency,” U.S. Department of Health and Human Services

[5] “Confusion around GDPR During Coronavirus Prompts EDPB Response,” Compliance Week

[6] “HIPAA FAQs for Professionals,” U.S. Department of Health and Human Services