March 19, 2020
The situation around COVID-19 (Novel Coronavirus) has continued to evolve across the globe, including recent changes to HIPAA and telehealth as well as how to share PHI during this public health emergency. Late last night, the OCR and the Cybersecurity and Infrastructure Security Agency (CISA) released another bulletin regarding new concerns around maintaining the security of your data and PHI. Scammers frequently increase their attacks during a public emergency, when they know that there is an increased dependence on digital communications and heightened fear and uncertainty. The bulletin included several recommendations to protect your practice.
CISA warned individuals of the increased cyber threats related to the Coronavirus. They recommend caution when receiving any email with a subject line related to COVID-19, as well as any email containing an attachment or hyperlink, as these often direct recipients to fraudulent websites that ask individuals to provide private information. To exercise proper security measures, CISA offered specific precautions to take:
- Avoid clicking links in any unsolicited emails from sources you don’t know
- Do not respond to any emails that request personal or financial information, and do not provide that information
- Verify the authenticity of any charity or crowdfunding site prior to making any donations or sharing with others
- Be aware of “investment opportunities” in online promotions claiming that the stock of publicly traded companies will increase because their products or services are essential to preventing or curing the Coronavirus
- Refer to trusted sources such as government websites or credible news sources for information regarding COVID-19
Leveraging public fear during a health emergency isn’t the only tactic that scammers use during this Coronavirus outbreak. As most companies have decided to move to remote operations, cyber threat actors have an even larger window to reach private information, because sensitive data is now accessed through unsecured networks. Good “cyber hygiene” to instill in your practice includes:
- Securing systems that enable remote access
- Ensuring that employees have updated all anti-malware and anti-virus software on their devices
- Encrypting any emails that include PHI or any other personal or financial information
- Properly disposing of any PHI, both electronic and paper, when working off-site
Protecting PHI from cyberattacks also means ensuring you are aware of the HIPAA regulations surrounding public health emergencies. Reminding employees of appropriate access to PHI and implementing controls such as applying additional protections for COVID-19 health records are especially important. As the news continues to focus on the Coronavirus, individuals who have access to public health records may become curious about the health of those around them. It is important to ensure that PHI is only accessed when necessary, especially on less secure wireless networks such as those used when working from home.