Most Americans will likely never forget where they were in March of 2020 when the world seemingly shut down. While many used that time to reflect, enjoyed down time with family or even binge watched streaming services, health care workers geared up to save the lives of people impacted by COVID-19. The novelty of this coronavirus posed exceptional challenges, placed unparalleled strain on the health care industry and exposed vulnerabilities.
One vulnerability in particular has, does and will continue to be a significant risk. That threat is cybercrime. It is as relentless as it is lucrative, and it has taken the health care industry by storm during a time when resources are low, and distractions are high.
DIGITAL CALM BEFORE THE STORM
In an almost unbelievable twist, some major cybercrime groups promised a “ceasefire” on cybersecurity attacks of the health care industry at the beginning of the pandemic. DoppelPaymer Ransomware stated that they “always try to avoid hospitals…nursing homes” but if they happened to be responsible for a ransomware attack of a health care provider during the pandemic, they would provide a decryptor key free of charge. Likewise, Nefilim Ransomware took the same approach. However, groups like Netwalker Ransomware and Maze promised not to intentionally target health care facilities, but would not commit to decryption if a health care entity was inadvertently impacted.
While the alleged truce made by some of the larger cybercriminal groups may have appeared to be altruistic, the motivation may have been totally self-serving. During a global crisis, these groups likely decided that staying below the radar of law enforcement and military agencies was more about self-preservation than kindness to their fellow man.
CYBERCRIMINAL LEAVY BREAKS
While hopes were high that a global pandemic would cause bad actors to have mercy on mankind, data reflects that cybercrimes escalated during the pandemic. On October 28, 2020, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) issued a joint advisory warning of an “increased and imminent cybercrime threat to U.S. hospitals and health care providers.” It further stated that these bad actors were producing attacks which caused “data theft and disruption of healthcare services.”
As the global threat of cybercriminal activity proliferates within the health care sector, the industry must find ways to fight back. One way that the health care industry can stand up against these persistent threats is more investments in their information security infrastructure, similar to that of the financial sector. These investments should include stronger password requirements, endpoint protection, and multi-factor authentication.
Every effort must be made to determine and mitigate risk to protected health information. There are several proactive measures that health care entities can take to decrease their risk of inappropriate disclosures of patient data. Those measures include, but are not limited to, the following:
- Invest in Anti-Virus Protection Software – Anti-virus protection software is a tool that can help entities detect and neutralize threats. Most entities prefer efficiency. This software will assist by filtering out malware which often slows down information system processes. It has the added benefit of protecting your investment and allowing you to avoid the expense of purchasing new operating systems should your existing system become damaged due to malware.
- On-Site and Off-Site System Backup – Federal regulations require covered entities to ensure on-site and off-site backup. Should an entity become a victim of a ransomware attack or be forced to pivot to emergency operations, it is necessary to have backup systems that allow the entity to access and utilize reliable data.
- Workforce Training – There is no greater defense to cyber threats than a well-trained workforce. Entities should ensure that cybersecurity threats are emphasized to workforce members in refresher training so that employees are able to appropriately identify and report suspicious activity.
- Segregation of Data – Entities should ensure that they are complying with the Minimum Necessary Rule for access to their information systems.
The COVID-19 pandemic has produced significant uncertainty in the health care environment and highlighted the need for renewed emphasis on protecting patient data. HIPAA covered entities should use this time to assess whether they are operating in compliance with the Privacy Rule, Security Rule and Breach Notification Rule. Likewise, they should reassess their Risk Analysis to ensure that it is HIPAA-compliant and take necessary action to avoid unauthorized disclosures.
Samarria Dunson (firstname.lastname@example.org) is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. She is also Of Counsel with the law firm of Balch & Bingham, LLP.