David Holtzman, Executive Advisor for CynergisTek sits down to discuss how healthcare organizations can flatten the curve in the spike of cybersecurity incidents that we are seeing during the COVID-19 pandemic. He will discuss strategies to leverage training materials designed to increase the information security IQ for health care providers and administrative staff working from home or using their personal devices to access information networks. David will also explore why video conferencing and text messaging technologies that meet the requirements of the HIPAA Security Rule standards could provide healthcare organizations resilience in this exceptional time.
Links to stories:
Read David Holtzman’s article “COVID-19: Tips for Secure Remote Worksites, Telehealth Video, and Messaging” for more information about telehealth and remote worksites.
Hello, and welcome to CTEK Voices: The Risk Perspective. I’m your host Lauren Frickle.
Today I’m joined by David Holtzman, Executive Advisor at CynergisTek. David is considered a subject matter expert in health information and privacy policies involving HIPAA.
Hi David, thanks for joining us today!
So, Lauren thanks very much for having me this afternoon!
Today I want to talk about how our work life and the approach that we’re taking to securing the work-from-home environment and our telehealth resources have changed dramatically, and how that change hasn’t been for the better. We need to now reassess how we are looking at information security and begin addressing the challenges that the new telehealth and work-from-home remote activities are placing on the cybersecurity of our information systems.
So, during the COVID-19 pandemic, many healthcare providers and administrative staff are working from home. Today’s technology allows providers and support teams to do much of what they could do from the medical office or administrative worksite remotely through a variety of device platforms, including computers, tablets, and smartphones. But these personal devices are proving to be more susceptible to cybersecurity vulnerabilities that pose a significant information security risk to patient data and the networks which are accessed remotely.
Risks to our information systems have changed since we have changed the way we work and handle information. The transformative shift in the settings and the manner in which healthcare is operating presents a tremendous challenge to traditional notions for assessing enterprise information security risk and applying safeguards to thwart cybersecurity threats.
It’s simply not possible for healthcare organizations to dispatch technicians to the homes of its practitioners and workforce members to identify and mitigate vulnerabilities created through the new reliance on telehealth in the business of healthcare.
Strategies that leverage targeted training materials developed by reputable sources paired with employing video conferencing and text messaging technologies that meet the requirements of the HIPAA security rule standards could provide healthcare organizations resilience in this exceptional time.
So, what are some training resources that are available for a remote workforce to help us respond to a spike in cyber threats that exploit telework technologies during the COVID-19 pandemic? The American Medical Association and the American Hospital Association have teamed up to provide physicians and hospitals with educational material on protecting a remote work environment from cybercriminals.
The two associations have created a joint cybersecurity resource called “Working from home during the COVID-19 pandemic” that offers actions to strengthen computers, networks, and medical devices against the rise in COVID-19-themed security threats and attacks.
These resources include checklists, sources, tips, and advice on strengthening protections to keep pace with deceptive cyber-attacks that could disrupt patient care or threaten medical records and other data. So, the AMA and AHA resource “Working from home during the COVID-19 pandemic” can be found by googling “cybersecurity work from home COVID-19”. Google that term and it will lead you right to the correct resource.
Another available resource was developed by the National Cybersecurity Center of Excellence, or NCCoE, at the National Institute of Standards and Technology, otherwise known as NIST. They have produced a series of multimedia materials that introduce how to safeguard data and reduce cybersecurity threats when using information technology. These materials are available at the website csrc.nist.gov. Again, that is csrc.nist.gov.
The program “Telework Security Basics” introduces some simple things a remote workforce member can do to improve their information security. The tips apply to almost all situations, and they’re relevant whether using the healthcare organization’s laptop, tablet, or smartphone or their own personal desktop or tablet. The resource “Preventing Eavesdropping and Protecting Privacy on Virtual Meetings” shares basic precautions that can help ensure that telehealth and other video conference meetings are secure from eavesdropping or disruption by unauthorized users.
This has become an increasingly volatile topic as we are seeing Zoom meetings, and other meetings that are provided through the Zoom architecture platform, being interrupted by cyber hackers and miscreants of all types who are being extremely disruptive and interfering with meetings that could include telework or telehealth sessions in which PHI is being transmitted or exchanged.
So again, these resources are available at csrc.nist.gov. So, let’s turn to telehealth services and how we can provide some better security in the face of the need to provide greater services to our patient bases, so that we can avoid having patients have face-to-face encounters and lessen the spread of COVID-19 through medical services and treatment encounters.
You’ll recall that at the end of March, the Office for Civil Rights of the U.S. Department of Health and Human Services, provided a Notice of Enforcement Discretion in which they agreed to not enforce specific provisions of the HIPAA privacy, security, and breach notification rules when telehealth services were being provided through commonly available technologies.
And in addition to the notice of enforcement discretion, they also issued an FAQ that provided a series of very helpful answers to questions. They also provided in that FAQ a number of video conferencing and text messaging services that they said were HIPAA compliant. Some of these services included Amazon Chime, Cisco WebEx Meetings and WebEx Teams, Doxy.me (that advertises to be a free service), Google G Suite Hangouts, GoToMeeting, Skype for Business and Microsoft Teams, Spruce Healthcare Messenger, Updox (that’s Updox), VSee, and Zoom for Healthcare. These are all services that are HIPAA compliant.
Among the requirements that healthcare providers and hospitals should look for when comparing video conferencing or text messaging services are that the data is encrypted during transmission, that your PHI is not shared for purposes that are not approved, and that the service has put into place a risk management plan to identify and mitigate threats and vulnerabilities to data.
Ordinarily, HIPAA requires health care providers and other covered entities to only create, maintain, or transmit PHI using service providers that guarantee to follow the HIPAA standards and to have a business associate agreement in place.
Service providers that sign BAAs and then break the rules can be liable for civil and criminal penalties, even during this period when OCR is choosing not to enforce some provisions of the HIPAA rules, and even though we’re in a period in which OCR has promised to look the other way to allow healthcare providers to use unsecured video conferencing and text messaging technologies in order to provide telehealth services during the COVID-19 pandemic.
It’s important to remember that there is a reason that these technologies aren’t HIPAA compliant because they don’t have basic privacy and security protections and safeguards baked into their design and architecture. They are inherently insecure, and they pose a significant risk to the confidentiality, integrity, and availability of the health information that is being handled by these technologies. And there will come a day when we have to return to ensuring that the services and technologies that we use do meet the HIPAA security rule requirements. Because as OCR has stated in their notice of enforcement discretion, they are planning to begin enforcing the HIPAA security rule requirements once the emergency declaration for the COVID-19 pandemic period has ended.
It’s going to be very difficult, if not a shock to the system, to try to wean our healthcare providers and many other organizations off these commonly available technologies. Perhaps the best practice is to begin now to use the technologies and service providers that were available and accessible prior to the COVID-19 health emergency, and we should return to using these services that are both HIPAA compliant and widely available.
Information security and privacy teams have to be proactive in working with healthcare providers that are using commonly available technology to communicate with patients or provide telehealth services. For example, the use of these internet-facing personal communication devices is more vulnerable to cybersecurity threats when they are used with Wi-Fi connections that are not secure.
Hackers have wasted no time in exploiting the Coronavirus pandemic to attack healthcare organizations, as well as patients looking for testing and treatment. We have seen many examples of phishing attacks disguised as emails sent to mimic announcements from the Centers for Disease Control.
Another cyber-criminal created a phone map to pinpoint COVID-19 cases but actually inserted malware that would steal usernames, passwords, credit card information, and other sensitive data stored on the device that was accessing this malware-laden website. Healthcare organizations must carefully monitor traffic on their information networks and look into unusual activity that could represent an intruder scanning for sensitive data or exfiltrating files stored in the system.
There are a number of resources available for information privacy and security professionals in the health care sector to alert them to the latest trends and threat sharing. The Healthcare and Public Health Sector Cybersecurity Coordinating Council, or the acronym HSCC, which is at the website healthsectorcouncil.org has a number of resources and materials that will be of great assistance for organizations throughout the healthcare infrastructure. There is no cost or fee for using the services of the Health Sector Coordinating Council and you can sign up at healthsectorcouncil.org for updates and threat sharing bulletins.
A number of states have created cybersecurity fusion centers that have been established to provide resources and communicate threat information to any organization that is a part of the critical infrastructure.
One example is the New Jersey Cybersecurity and Communications Integration Cell, or the NJCCIC. Their web address is https://cyber.nj.gov/. This is a one-stop shop for cybersecurity information sharing, threat intelligence, and incident reporting. The NJCCIC works to make critical infrastructure more resilient to cyber-attacks by promoting awareness of cyber threats and widespread adoption of best practices. They provide a wide array of cybersecurity services, including the development and distribution of cyber alerts and advisories, cyber tips, and best practices for effectively managing cyber risk.
The resources of the NJCCIC are available to all and are an example of the many free, real-time cybersecurity information sharing resources that are available. Widespread proliferation of telehealth communication services has long been hoped to facilitate convenient healthcare provider communication. The efforts by the federal government to ease the compliance burden during this unprecedented health emergency, promising not to enforce the HIPAA standards against healthcare providers when providing telehealth treatment, change how healthcare organizations manage the security of patient information.
In addition, the proliferation of remote workforce strategies for healthcare providers or administrative support services is changing how we work and how we handle health information.
Healthcare organizations should approach these unprecedented transformations in how organizations provide care and perform basic work activities with eyes open to the far-reaching regulatory and information security challenges that result from the widespread adoption of remote workplace communications with commonly available internet-based messaging and video conferencing technologies.
We here at CynergisTek are available to help. Please contact us at cynergistek.com/covid19/ if we can assist you in any questions about the requirements of the HIPAA privacy and security rules or assist you in securing your information system from cybersecurity incidents.
Thanks for your time today and have a wonderful productive day.
Thank you so much, David, for that information.
Quick question on the content you just reviewed. Once the COVID-19 health emergency is over, do you think that OCR will begin enforcing the privacy and security rules for telehealth?
I think that telehealth and remote working are here to stay. Even after the immediate emergency declaration has ended, I expect HHS and the Office for Civil Rights to relax many of the restrictions of the privacy and security rules to enable the provision of telehealth services through reduced regulatory burden. What form that will exactly take, whether it will be a revision of the HIPAA rules themselves or a longer period of enforcement discretion, remains to be seen. But the challenge is that that does nothing to help us secure our information systems.
And that is why our recommendation is to use services and vendors that can demonstrate that they are safeguarding the information transmission and the data that they’re creating and maintaining. In other words, only use vendors that will provide you with the same basic safeguards that would demonstrate HIPAA compliance, in order to ensure that you’re able to maintain an appropriate and complete information security risk management program for your entire enterprise.
Thank you so much, David. For more information on telehealth and remote worksites staying around for an extended period of time, please visit our website www.cynergistek.com.
Thanks for listening!