Telehealth has expanded rapidly during COVID-19. In March 2020, the Centers for Medicare & Medicaid Services (CMS) greatly expanded access to telehealth by allowing for reimbursement for telehealth services. And the Office for Civil Rights (OCR), the agency that oversees HIPAA compliance, relaxed rules by suspending sanctions and penalties for violations related to telehealth services provided in good faith during the temporary COVID-19 emergency period.
We applaud these changes because telehealth allows patients and health care providers to reduce their exposure to others, and reduce the chance of becoming infected with or transmitting COVID-19. Telehealth has also expanded access to many individuals who may live in remote areas or may not have good transportation options.
The FBI Sounds the Alarm on Cybersecurity During COVID-19
Throughout April and May, the FBI has repeatedly warned about growing cybersecurity risks during the pandemic. In mid-April the FBI reported that cybercrime incidents had grown 400% since the beginning of the pandemic.
Cyber criminals are exploiting the increased use of virtual environments by all sectors, including government agencies, private organizations and individuals. During normal times we all depend on electronic communications to conduct business and keep in touch with family and friends, but with the pandemic, essential communication over computers has increased further, with education and telework relying on services like Zoom, Google Meet, and FaceTime.
Cyber criminals are also using fear about the pandemic and insecurity about their employment to tempt people to respond to phishing emails. Examples include messages like, “Click here for access to rapid COVID-19 testing” and “You will not be able to continue employment until you fill out the attached work status form.” But the link or attachment contains malicious software (malware) that infects the recipient’s device, and gains access to private data, including protected health information, or PHI.
A Cruel Twist
The FBI issued a specific warning about fake termination phishing emails and meeting invites on May 21. According to the FBI, “The emails entice victims to click on malicious links purporting to provide more information or online conferences pertaining to the victim’s termination or severance packages.” People who are fearful and uncertain are more likely to open attachments like this, which can allow entry to cyber thieves.
The healthcare industry is particularly vulnerable, because it is already overwhelmed providing care to patients, and because protected health information – patient data – is so valuable to thieves on the black market.
Fight Back with Cybersecurity Training
The single most important and effective defense against successful phishing attempts is cybersecurity awareness training. Many phishing emails still use the same tactics, which can be detected by employees who are forewarned and have learned to be suspicious. Fake domains, whether in the sender's address or in the links within the email, and unexpected attachments are two obvious signs. Employees should even be wary of emails that appear to come from within their organization if they arrive with links or attachments – if the email was unexpected, hover over the sender's name to identify where it really came from.
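The three indicators named above (a look-alike sender domain, a link whose visible text does not match where it actually goes, and an unexpected attachment) can also be checked mechanically before a message ever reaches a busy clinician. The script below is an added example and is not code from the original post or from The HIPAA E-Tool; the organization domain example-clinic.org, the thresholds, and both sample messages are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
"""Phishing-indicator checks over a raw email message (added example, not
from the original post).  It flags the same signs the post tells staff to
look for: a sender domain that imitates ours, links whose displayed host
differs from the real target, and attachments of risky types."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example-clinic.org"  # assumed: the organization's real domain
# Assumed list of attachment types worth flagging (macro documents, scripts, archives).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip", ".html")


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels. Fine for a demo, not for production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Domain of the address in the From header (not the display name)."""
    addr = parseaddr(str(msg["From"] or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_indicators(raw: bytes, our_domain: str = OUR_DOMAIN) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    ours = registrable(our_domain)

    # 1. Sender domain contains our name but is not ours or a subdomain of ours.
    dom = sender_domain(msg)
    if dom and dom != ours and not dom.endswith("." + ours) and ours.split(".")[0] in dom:
        findings.append(f"look-alike sender domain: {dom}")

    # 2. Anchor text that looks like a URL/host but whose href goes to a different domain.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        body = html.get_content()
        for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
            href_host = urlparse(href).hostname or ""
            m = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", text.strip(), re.I)
            shown = m.group(1) if m else ""  # skip plain "Click here" text
            if shown and registrable(shown) != registrable(href_host):
                findings.append(f"link text {shown} points to {href_host}")

    # 3. Attachments with executable or macro-bearing types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


# Constructed sample: a lure of the kind the post describes, with all three indicators.
SAMPLE_PHISH = b"""\
From: "Clinic HR" <hr@example-clinic-hr.org>
To: nurse@example-clinic.org
Subject: Work status form required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>You will not be able to continue employment until you confirm at
<a href="http://example-clinic.org.login-check.net/x">https://portal.example-clinic.org/status</a></p>
--b1
Content-Type: application/octet-stream; name="work_status_form.docm"
Content-Disposition: attachment; filename="work_status_form.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary internal reminder that should produce no findings.
SAMPLE_CLEAN = b"""\
From: "Clinic HR" <hr@example-clinic.org>
To: nurse@example-clinic.org
Subject: Reminder: timesheets due Friday
Content-Type: text/plain; charset="utf-8"

Please submit timesheets through the usual portal by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, find_indicators(raw) or "no indicators")
```

Run as a script it prints three findings for the constructed lure and none for the reminder. Heuristics like these are a supplement to awareness training, not a replacement: the sender check only catches domains that borrow the organization's name, and a real deployment would use a public-suffix list and the mail gateway's own URL rewriting rather than the two-label shortcut used here.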
Video Conferencing is Uniquely Vulnerable
Not all video conferencing tools are secure. In fact, early on, the very popular Zoom application experienced multiple hijackings when business meetings and school classes were interrupted with pornographic images and hate speech. Zoom later addressed that security flaw.
But there are other ways that video conference apps can be exploited. For example, if the meeting requires a password to enter, the password may be distributed beyond the invited group (or stolen) and end up in the wrong hands. A thief who eavesdrops on a meeting can learn private and proprietary information – names, email addresses and other contact details of employees, for example – that helps them carry out more intrusive attacks against the organization's databases.
Telehealth and Healthcare
The surge in telehealth has brought new opportunities for cyber criminals. With telehealth, cybersecurity risks are present from both the providers’ and the patients’ side of the interaction. A physician or therapist working from home may have a secure system with malware detection and protection, but that same healthcare provider has no control over the security of patients’ devices being used to access telehealth services. Malicious software lurking on a patient’s device could use the patient’s telehealth connection to their provider as an entry point into the provider’s home computer, and reach back to the provider’s IT system at their main place of work.
We have written before about the vulnerabilities of “virtual private networks” or VPNs, which are networks that connect remote locations, usually to a central or main IT structure at the original workplace. The basics of VPN security include: updated and patched software on all devices; workforce cybersecurity training on how to avoid phishing scams; multi-factor authentication for all connections; and strong passwords. For more about securing an office at home to comply with HIPAA, check out our June 23 blog.
Guidance from the AMA and AHA on Telehealth Security
Because they recognize the unique cybersecurity challenges of their members, the American Medical Association and the American Hospital Association have jointly issued guidance on working from home for physicians, but the same advice could apply to any kind of health care provider – nurses, rehab specialists, mental health professionals. The guidance is an easy read, with good tips and resources for more information about maintaining good cybersecurity.
Tips to Protect Telehealth Security
A solid HIPAA Risk Management Plan that you create, tailored to your organization, is the critical first step. But key checklist items to be aware of include:
- Use secure Telehealth Service Providers and comply with industry cybersecurity guidance
- Protect all devices on your network, including tablets and smartphones
- Strengthen medical device security
- Learn how to detect phishing and ransomware emails, and provide cybersecurity training to staff
- Create and practice a Contingency Plan – know what to do if the worst happens, whether it's a minor security incident, a breach of PHI, or ransomware
The HIPAA E-Tool® Can Teach You How to Prepare, Prevent, Respond and Recover
The best defense against cybersecurity risks is healthy and complete HIPAA compliance. Our Risk Analysis – Risk Management module – the heart of your compliance – covers all the bases, with guidance about multi-factor authentication, password management, access controls, and a security rule checklist.
The HIPAA E-Tool® follows HIPAA and the National Institute of Standards and Technology (NIST) protocols for IT security. It also contains basic HIPAA training and cybersecurity awareness training, designed for busy staff to help them learn how to recognize cybercrime, and what to do if it happens to them.