
HIPAA, Hackers & Secure Telehealth: 5 Simple Tips to Secure Your Environment

June 7, 2022 Stacy Kirk All Posts, HIPPA 129

As patient care becomes more decentralized and distributed, healthcare providers and their patients are now, more than ever, in need of telehealth solutions. The OCR has responded to the risks of in-person visits in the midst of the coronavirus (COVID-19) pandemic by relaxing its enforcement of HIPAA safeguards related to the use of video conferencing tools like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. It is important to realize that, although practitioners won’t be penalized during the coronavirus pandemic, OCR is not approving these technologies as secure modes of communication. Hackers are still crafting cyber attacks with current vulnerabilities in mind. For the safety of patients’ information, it is therefore essential to still leverage as many security best practices as possible. Listed below are a few tips to keep in mind as healthcare professionals move to telehealth for patient care.

 

  1. Use Private Networks instead of public wifi. You should be at home, but if you are not, you should not use any public or open wifi networks. Use either a personal hotspot from a device you own or a VPN solution for your phone, tablet, or laptop. There is too much risk of a hacker attacking you on the public network and possibly getting access to your private communication.
  2. Be careful how you share meeting links. The FBI reported last week that hackers are hijacking meetings held by Zoom, a virtual conference provider. As you create virtual meeting invitations, the connection information (links) should never be sent to a public-facing site. Links should be sent directly to the patient – not a group! It is also important to use the latest version of the teleconference software for any security updates.
  3. Review Security Awareness. Refresh safe internet use training for you and your staff. User mistakes or negligence account for most security breaches. Ensuring that your team is aware of these security practices will help save you and your patients a lot of grief.
  4. Review Privacy Practices. Ensure your staff understands what relaxed HIPAA enforcement means: you are not able to share patient data just because of the pandemic!
  5. Use encrypted messaging and webforms. Tools that cost less than you think (under $100) are available that can be integrated into your current email provider and add encryption. Web forms that encrypt the input data can be easily added to your website. This can support a virtual intake process and the patient’s review of privacy notifications.

 

Even though the OCR will not be penalizing you for the use of remote services, you will still run the risk of ransomware, civil lawsuits for privacy negligence, or poor online reviews that can impact your reputation. With the unknowns created with COVID-19, hiring a security consultant may not be feasible. Companies like Posture can help guide practitioners through these regulatory changes while helping to improve their security and privacy program. With reasonable rates of $99 per month, it’s a brilliant and simple way to handle your HIPAA Compliance Program as you move into Telehealth.


Data Sharing during COVID-19: How to Maintain ePHI Privacy and Security

May 28, 2022 Kimberley Whyte All Posts, HIPPA 124
 

The global spread of COVID-19 has generated countless privacy, data protection, security, and compliance questions for companies working hard to provide care in our new reality of “socially distant” interactions. For all organizations that depend on direct customer engagement, adopting new technologies to enable and support remote audio and video communications is the only path toward remaining in business. Healthcare providers are particularly affected by this paradigm shift. Many smaller providers that only offered in-person services have been forced to quickly adopt new technologies and platforms as a means to offer care to patients. Protecting the security and privacy of patient health-related information is challenging at the best of times, and it is now made even more difficult during the current crisis.

 
 

The Health Insurance Portability and Accountability Act (HIPAA) requires all entities with access to Electronic Protected Health Information (ePHI) to protect the security and privacy of that information. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued waivers and notices of enforcement discretion for several issues related to HIPAA compliance during the pandemic. The following paragraph summarizes the key actions that OCR has taken to modify HIPAA in response to the COVID-19 pandemic:

“OCR’s enforcement discretion for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the privacy rule. The waiver allows covered providers to potentially use any non-public facing remote, audio, or video communication platforms available to provide telehealth and communicate with patients during the pandemic. OCR will not penalize those providers for using potentially non-HIPAA-compliant tools, regardless of whether or not the service is used to diagnose or treat COVID-19-related conditions.”

Learn more about how to get started with HIPAA Compliance with Posture

 
 
 
  1. Employees should be trained on potential security risks and the secure use of remote tools.
  2. For employees working remotely, Virtual Private Network (VPN) connections should be made mandatory.
  3. Employers must provide guidelines and policies on restricting the use of private devices and supplying adequate password protection.
  4. Employee security awareness training should be promoted by educating employees about the rising level of coronavirus-related cyberthreats, including potential responses and incident handling.
  5. IT departments must be provided with the resources needed to support employees working securely from home by expanding their network and videoconferencing capacity with vendor-supplied services.
 


Healthcare Under Attack: Why Healthcare Organizations are Targeted by Hackers.

September 14, 2021 Kimberley Whyte All Posts, HIPPA 134

Telehealth, the use of digital technologies such as computers and mobile devices to access health care services remotely, has increased during the COVID-19 pandemic. Health professionals are making use of technology to deliver services and care for patients. As a result, healthcare organizations are becoming increasingly susceptible to cyberattacks, threatening and compromising confidential patient data.

According to Cybersecurity Ventures, the healthcare industry, which is a $1.2 trillion sector, will fall victim to two to three times more cyberattacks in 2021 than the average numbers for other industries. Black Book Market Research stated that “more than 93 percent of healthcare organizations have experienced a data breach over the past three years, and 57 percent have had more than five data breaches during the same time frame.”

With statistics like that, one can conclude that the healthcare industry is under attack. There are many reasons why healthcare organizations are a target for cyberattacks. It is therefore imperative that organizations and patients alike are made aware of some of the reasons why.

The healthcare industry has made many advances in medical innovations, but not every organization has kept pace. Many technologies, software, and infrastructures are outdated and have minimal resilience to cyberattacks. System updates are important and software should be the most recent version. But eventually, some software reaches end-of-life, and vendors stop providing updates. According to a report published by Duo.com, of the 82% of healthcare organizations that are using Windows, 76% are still using Windows 7 – an operating system that is “so outdated that patches can’t keep it secure”.

Medical professionals are trained to deal with a lot of things, but protecting themselves from cyber threats is not normally one of them. As a result, healthcare staff are often unprepared to deal with cyber risks. But with security incidents becoming an increasing everyday reality, all staff need to be trained to identify threats such as phishing and social engineering.

Hospitals and other healthcare organizations store a great deal of patient data. This data is a valuable target for cyber attackers due to its monetary value. Hackers can sell the data on the black market or essentially sell hacked patient information back to healthcare organizations by using ransomware to hold the information hostage.

There are a variety of reasons why healthcare systems are often targets of cyber attackers, such as outdated technology, untrained staff, and valuable patient information. Being aware of these reasons highlights the importance of healthcare cybersecurity awareness.

Posture provides small and mid-size enterprises with a low-cost solution to improve their organizations’ cybersecurity hygiene, from HIPAA and cybersecurity awareness training and risk assessment to a marketplace with vetted, cost-effective security tools and services.

