Health Care Privacy in the Age of Pandemic

The coronavirus pandemic forced an abrupt switch from traditional doctor office visits to telemedicine. The move is causing changes in health care privacy protections in the process. All of this was necessary to save human lives in a public health crisis. But it also created new challenges for security pros and privacy advocates.

Nelson Mullins’ Roy Wyman

“All of the regulatory changes, so far, have been limited to this outbreak period, and most are only federal. There is reason to think that many may be permanent, however, and that private payors and states will also relax their rules,” said Roy Wyman, partner and co-chair of the Privacy & Security Industry Group at Nelson Mullins law firm.

In order words, the tight fist on privacy and security issues in medical data has loosened its grip. Not that such data was entirely immune pre-pandemic. Examples of hospital data breaches and ransomware attacks are plentiful before and during the worldwide outbreak.

“As expected, the purported ceasefire on health care providers by ransomware operators has proven short-lived. Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: when Fresenius [Europe’s largest private hospital operator] was under immense strain as it attempted to meet the demands onset by the COVID-19 pandemic. This should act as a lesson to other health care providers and industries,” said David Jemmett, CEO and founder, Cerberus Sentinel.

Attackers are ready to strike again — this time for telemedicine data.

Telemedicine as Attack Vectors

Telemedicine presents yet another possible attack vector to a constantly growing threat attack surface. Security professionals must now protect that data to prevent potential blackmail and personalized physical attacks on executives and key employees. But they also must defend against ransomware and other attacks on telemedicine providers.

Telehealth experienced an overnight boon to facilitate treating COVID-19 patients and those with other illnesses to prevent exposure to the virus. It also helped decongest clinical and hospital space as communities struggle to care for unprecedented numbers of critically ill patients. But telemedicine is not likely to be a temporary fix.

“As people grow more comfortable with the technology, demand may stay high, and the regulations may follow that demand. Second, unfortunately, it’s not certain that COVID-19 will not have additional waves or that other epidemics may follow. Government agencies and legislators may find that there is never a good time to return to stricter limitations and much of life now will become status quo,” Wyman said.

Emerging Threat Vector: Contact Tracing

Meanwhile, more means to stop the virus’ spread are coming into play. That’s stretching health care privacy and security limits even thinner.

For example, Google and Apple joined forces to announce new contact tracing technology to help track who has been exposed to the virus via contact with a known infected person. But digital contact tracing through personal phones can do more than reveal pathogen spread to public health officials. It can also unveil sensitive information to corporations and malefactors.

Collibra’s Myke Lyons

“One of the biggest challenges in dealing with data privacy around contact tracing will be understanding where all the data is and knowing the systems that house it,” said Myke Lyons, CISO at Collibra, a metadata management provider. “There is a lot of misinformation and distrust around data, and consumers need to know how their data is being used, where it came from, how it is being secured, and what will happen once the data is no longer needed.”

Data privacy laws from HIPAA in the U.S. to Europe’s GDPR mandate where and how to store and use health care data. But loosening such laws to accommodate telemedicine and contact tracing …