Hospital executives, including chief information security officers, are working day and night to keep staff safe and update operations to combat the COVID-19 pandemic.
Here are five things for CISOs to know:
1. The explosion of telehealth has put a strain on remote access technologies, Mitch Parker, CISO of Indianapolis-based Indiana University Health, told InfoRisk Today. CISOs must also pay close attention to emerging medical device security issues, including new ventilators being put into stockpiles. Privacy and security challenges may also emerge as hospitals transition to paper records in field locations.
2. Microsoft has warned dozens of hospitals of a vulnerability allowing a hacker to exploit their networks in a ransomware attack. The vulnerabilities are within virtual private networks that hospitals are using as some of their staff work remotely. Additionally, popular videoconferencing platform Zoom is struggling to manage the dramatic influx of users and privacy issues as the COVID-19 pandemic drives more people to work remotely. The FBI has issued a warning on videoconferencing hijacking, prompted by incidents on the Zoom platform.
3. Many COVID-19 cyberattacks have been targeting hospitals and consumers. HHS alerted hospitals and health systems to someone posing as an Office for Civil Rights investigator to get patient health information. The Internal Revenue Service is warning consumers of a spike in phishing scams related to the coronavirus stimulus payments. According to the agency, hackers are emailing taxpayers asking for their financial information and Social Security numbers in order to send them their "stimulus check." Phony websites that claim to be selling COVID-19 vaccines have also popped up, along with phishing attacks with malicious links to COVID-19 maps.
4. President Donald Trump announced March 17 that his administration would be relaxing HIPAA guidelines. Under the relaxed HIPAA regulations, hospitals don't need to obtain a patient's permission to speak with family members or friends involved in the patient's care. Additionally, hospitals do not need to comply with the requirement to honor a request to opt out of the facility directory. Hospitals and other HIPAA-covered entities should only share COVID-19 information for public health and health oversight activities. HHS has also said it would not enforce HIPAA penalties for potential violations.
5. With the relaxed HIPAA guidelines, the Office for Civil Rights of HHS announced April 2 that it would not penalize hospitals or their business associates for disclosing COVID-19-related protected health information. Hospitals are also permitted to share a limited amount of protected health information about patients who have been diagnosed with or exposed to COVID-19 with law enforcement, paramedics and other first responders.