AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

The American Medical Association has warned hospitals, health systems, and medical practices about the increase in cyber risks targeting the healthcare sector and has provided recommendations on the steps that can be taken to ensure threats are mitigated and network security is improved.

Laura Hoffman, AMA assistant director of federal affairs, explained the current threats in a recent AMA COVID-19 Update and announced a new resource has been developed by the AMA and American Hospital Association (AHA) on technology considerations for healthcare organizations for the remainder of 2020 to improve network security and bolster patient privacy efforts.

The COVID-19 pandemic has created many new challenges for healthcare organizations which are having to treat increased numbers of patients while working in ways that may be unfamiliar. The pandemic has seen a major expansion of telehealth services, with many patients now receiving care virtually using new technology platforms.

These new technologies and platforms have introduced vulnerabilities and broadened the attack surface, and cybercriminals have taken advantage by stepping up attacks on the healthcare sector. At the start of the pandemic there was an increase in phishing attacks on the industry. Virtual Private Networks have been used to support remote working, telehealth, and remote monitoring of medical devices, which has further widened the attack surface. Several vulnerabilities have been identified in these VPN solutions, and threat actors have exploited them to gain access to healthcare networks.

There has also been a major increase in ransomware attacks on the healthcare sector. The operators of Ryuk ransomware have been targeting the healthcare industry and have stepped up their attacks in recent weeks. These attacks prevent access to protected health information and disable mission-critical systems, causing delays to patient care and placing patient safety at risk. The AMA has also observed an increase in insider threats during the pandemic: insiders have identified security vulnerabilities and exploited them for financial gain.

“As practices reopen, and hospitals around the country prepare for a second wave of COVID-19 infections coinciding with cold and flu season, our organizations are providing this update on steps physicians should take to prepare for the coming months,” explained AMA/AHA in the new guidance document – Technology Considerations for the Rest of 2020.

The AMA recommends that healthcare providers request routine updates from their health information technology vendors or security professionals. The guidance document lists a series of questions that should be put to those providers to ensure that vulnerabilities are identified and addressed. The questions cover network security, the use of legacy devices and software that is no longer supported, access rights to systems granted to third parties and vendors during the pandemic, and the location of all protected health information.

In addition to addressing cybersecurity risks, healthcare providers should prepare for the end of the Public Health Emergency. During the pandemic, the HHS’ Office for Civil Rights announced it would be exercising enforcement discretion with respect to the good faith use of technology to support telehealth. When the Public Health Emergency ends, healthcare providers will once again be required to comply fully with HIPAA.

The telehealth platforms that have been used during the pandemic may no longer be suitable for use, and where use can continue, business associate agreements will need to be entered into with the technology vendors. It is also necessary, if this has not already been done, to conduct security risk assessments on telehealth platforms to identify the risks and vulnerabilities to protected health information associated with their use.

The AMA is encouraging physicians and hospitals to start having discussions with their telemedicine vendors and to take steps to conduct or implement a security risk analysis, so they are prepared for when the Public Health Emergency ends.

In the guidance, the AMA/AHA also suggest asking telemedicine vendors about their privacy practices, intended data use and security protocols. “Many physicians do not realize that a telemedicine platform or application may be low-cost or free because the vendor’s business model is based on aggregating and selling patients’ data. If possible, consult with your legal team to clarify how video, audio, and other data are being captured and stored by the vendor and who has access. You can also ask whether the vendor will share results of third-party security audits, including SOC 2 or HITRUST, in addition to the results of their penetration testing.”

It is also advisable to enable all available privacy and security tools when using telemedicine platforms, including end-to-end encryption to prevent third parties from intercepting communications between providers and patients. Providers should also be open with patients about the potential privacy risks associated with the use of telemedicine platforms and make sure they are aware of any risks involved with virtual care.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.