Health Care Privacy in the Age of Pandemic
Changes in health care privacy protections bring several new challenges for security pros.
May 28, 2020
The coronavirus pandemic forced an abrupt switch from traditional doctor office visits to telemedicine, and that move is changing health care privacy protections in the process. All of this was necessary to save human lives in a public health crisis. But it also created new challenges for security pros and privacy advocates.
“All of the regulatory changes, so far, have been limited to this outbreak period, and most are only federal. There is reason to think that many may be permanent, however, and that private payors and states will also relax their rules,” said Roy Wyman, partner and co-chair of the Privacy & Security Industry Group at Nelson Mullins law firm.
In other words, the tight fist on privacy and security issues in medical data has loosened its grip. Not that such data was entirely immune pre-pandemic: examples of hospital data breaches and ransomware attacks were plentiful before the worldwide outbreak and have continued during it.
“As expected, the purported ceasefire on health care providers by ransomware operators has proven short-lived. Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: when Fresenius [Europe’s largest private hospital operator] was under immense strain as it attempted to meet the demands onset by the COVID-19 pandemic. This should act as a lesson to other health care providers and industries,” said David Jemmett, CEO and founder, Cerberus Sentinel.
Attackers are ready to strike again — this time for telemedicine data.
Telemedicine as an Attack Vector
Telemedicine presents yet another possible attack vector on a constantly growing attack surface. Security professionals must now protect that data to prevent potential blackmail and personalized physical attacks on executives and key employees. But they also must defend against ransomware and other attacks on telemedicine providers themselves.
Telehealth experienced an overnight boom as it was used to treat COVID-19 patients and to keep patients with other illnesses away from possible exposure to the virus. It also helped decongest clinical and hospital space as communities struggled to care for unprecedented numbers of critically ill patients. But telemedicine is not likely to be a temporary fix.
“As people grow more comfortable with the technology, demand may stay high, and the regulations may follow that demand. Second, unfortunately, it’s not certain that COVID-19 will not have additional waves or that other epidemics may follow. Government agencies and legislators may find that there is never a good time to return to stricter limitations and much of life now will become status quo,” Wyman said.
Emerging Threat Vector: Contact Tracing
Meanwhile, more means to stop the virus’ spread are coming into play. That’s stretching health care privacy and security limits even thinner.
For example, Google and Apple joined forces to announce new contact tracing technology to help track who has been exposed to the virus via contact with a known infected person. But digital contact tracing through personal phones can do more than reveal pathogen spread to public health officials. It can also unveil sensitive information to corporations and malefactors.
“One of the biggest challenges in dealing with data privacy around contact tracing will be understanding where all the data is and knowing the systems that house it,” said Myke Lyons, CISO at Collibra, a metadata management provider. “There is a lot of misinformation and distrust around data, and consumers need to know how their data is being used, where it came from, how it is being secured, and what will happen once the data is no longer needed.”
Data privacy laws from HIPAA in the U.S. to Europe’s GDPR mandate where and how to store and use health care data. But loosening such laws to accommodate telemedicine and contact tracing changes that scenario entirely.
For example, Wyman said that the Centers for Medicare and Medicaid Services (CMS), DEA and HIPAA privacy and security rules have been relaxed. And Medicare is not enforcing the rule requiring that the physician hold a license in the state where the patient lives.
“CMS is not enforcing the ‘established-relationship rule’ so Medicare will now pay for provider services through telehealth, even if the patient has never seen that physician before. In addition, the DEA has published guidance allowing physicians to prescribe controlled substances via telemedicine without an in-person examination. State laws, however, may still have limitations,” Wyman said.
It’s likely payors and health care providers will follow suit to provide telemedicine, COVID-19 screening and contact tracing services.
More Privacy and Security Issues Arise
Additional threat vectors related to these services have also emerged.
“For example, telehealth can be provided via any video conferencing software or platform so long as the platform is private, meaning others can’t view the feed. Previously, the platform had to be encrypted and secure in order to comply with HIPAA security requirements,” said Wyman.
Given Zoom’s security issues and those of its competitors, the rising risk factor here is significant.
“Criminals are not slowing down their attacks despite being in the midst of a global pandemic. In many cases, some are ramping up their activities. Therefore, it’s important for organizations to keep pace in their cybersecurity efforts,” said Javvad Malik, security awareness advocate at KnowBe4.