COVID-19 and healthcare cybersecurity: How to protect patient data
The COVID-19 pandemic continues to change how businesses, schools, and medical practices operate. Amid this flux, overlooking cybersecurity can leave data vulnerable to attacks.
Whether you’re a large practice that can afford a full-time IT team, or a smaller one with fewer resources, following cybersecurity best practices is critical.
Here are steps you can take to safeguard your practice starting today:
1. Ensure the security of your teleconferencing platform
As meetings, classes, and even medical appointments shift to teleconferencing platforms, cyber criminals have been quick to exploit any newfound weaknesses.
Take videoconferencing service Zoom, for example. Following a surge in Zoom users amid the COVID-19 crisis, the company fell prey to cyberattacks that allowed unauthorized users to hijack Zoom meetings. Hackers also released a database of more than 2,000 Zoom account credentials.
For practices that handle sensitive patient data, the security of videoconferencing platforms used for telemedicine is paramount. The Federal Bureau of Investigation (FBI) has shared recommended actions you can take to keep unauthorized users from joining and hijacking teleconference meetings on Zoom, FaceTime, Skype, etc.
In response to the nationwide public health emergency, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has allowed additional flexibility for telehealth under the Health Insurance Portability and Accountability Act (HIPAA). View this notification for details.
According to the notification, the OCR will “exercise its enforcement discretion” and — for the duration of the public health emergency — allow covered providers to use “any non-public facing audio or video communication product that is available to communicate with patients,” including FaceTime, Zoom, and Skype.
Expanded Medicare coverage makes telehealth an effective way to continue to provide patient care and maintain cash flow during this time. But practices must continue to put patient privacy and data security first.
While the OCR’s notification gives providers freedom under HIPAA to use popular videoconferencing options, practices bear the responsibility of patient data security, as well as any legal consequences in the event of a data breach. For secure, HIPAA-compliant video and chat, consider telehealth solutions from Greenway’s Marketplace Partners.
2. Implement a policy for secure remote work
If your practice staff has transitioned to working from home, make sure they follow your practice’s policy for remote work cybersecurity.
“A weak spot that work from home introduces is home networks,” said Brian Bobo, Greenway’s Chief Information and Security Officer. “If people are using consumer-grade equipment, they should use the firewall and change the default password on their routers. If they haven’t changed that password, anyone can Google the default password and take over their network.”
Protect patient data by giving staff guidelines such as these:
Remote work should only be conducted on equipment and devices supplied by your practice. Staff should not perform work on their own personal computer.
When accessing sensitive information, employees should use a virtual private network (VPN) for a secure connection, rather than Remote Desktop Protocol (RDP). RDP does not have the level of encryption and security offered by a VPN.
Default passwords on home routers should be changed to new, stronger passwords.
Work computers should be locked when not in use. Use screen timeouts that require reauthentication after 10-15 minutes of inactivity.
3. Educate practice staff on cyber threats
Malicious cyber actors will take advantage of catastrophes like the COVID-19 outbreak. They leverage the public’s fear to scam individuals and steal passwords, credit card numbers, or other personal information.
One common cybersecurity scam amid the COVID-19 crisis is for cybercriminals to pose as reputable organizations that people turn to for updates and resources. Practice staff should be cautious of opening emails purporting to be sent from health organizations such as the Centers for Disease Control and Prevention (CDC), since these could have attachments containing malware or ransomware.
To safeguard your practice from cybercriminals and hackers, make sure your practice staff are trained to identify and avoid cyber threats.
One way to educate employees is to purchase services from a vendor, such as phishing simulation tests. Or you can email your staff phishing alerts that detail attacks to watch for and give cybersecurity best practices.
While the COVID-19 pandemic may be the catalyst prompting practices to consider data security, practices should follow cybersecurity best practices all the time — even if a public health emergency has not raised new security concerns.
“We need to keep doing the things that we should have been doing before. That’s the number one takeaway. Now, it’s even more important,” said Brian. “Now’s the time to double check and really start thinking about what you were doing in the past — that there isn’t something you’ve missed, something you should have been doing better.”
For example, you should ensure that all patches to software, apps, and operating systems are applied in a timely manner. As new versions become available, update your operating system, EHR, and practice management (PM) system as well.
Use multifactor authentication for cloud-based systems and applications such as Office 365 or Google Apps. Additionally, protect your systems with a commercial version of reputable anti-virus software, and set it to update automatically.
5. Get help and advice from health IT experts
“Data security is becoming incredibly complex and expensive, and it’s going to continue on that trajectory,” said Ethan Bing, Practice Administrator, Medical Colleagues of Texas. “Finding ways to outsource that security to the experts is key.”
If you feel overwhelmed with navigating cybersecurity on your own, we’re here to help as your trusted health IT adviser. Download our best practices e-book for a comprehensive guide to securing patient data.
As new security challenges arise, we’d be glad to answer your questions and walk you through how Greenway solutions can protect your practice against attacks.