Privacy and Cybersecurity Considerations and Opportunities Related to COVID-19
Health & Life Sciences Alert 03/24/20 Meghan C. O'Connor, Simone Colgan Dunlap
Increased precautions to slow the spread of COVID-19 have forced unprecedented reliance on technology and remote connectivity (e.g., work from home arrangements and telehealth services) across all industries and in the private sector. This rapid and significant shift raises enhanced privacy and cybersecurity concerns and creates special concerns in the highly regulated health care industry.
The Quarles & Brady Health Information Technology, Privacy & Security Team is closely monitoring privacy and cybersecurity developments related to COVID-19, and can offer guidance to clients facing immediate questions or seeking to prepare for continued effects stemming from the pandemic.
Following are some of the key takeaways and considerations for planning and responding to privacy and cybersecurity issues as the COVID-19 situation continues to unfold. Above all, remember that this situation is fluid and businesses must all remain vigilant and flexible when responding to changing conditions and needs.
Expanded Remote Workforce
Key Takeaways: Test connectivity, train workforce on remote access, consider bandwidth limits, consider effects of increased workforce exfiltration of data and reassess role-based access designations for current conditions, test redundancies and backup plans, acknowledge increased security exposure due to remote workforce, and remember your culture.
Increased Remote Connectivity. If your non-essential workforce members are still on-site, test your remote connectivity capabilities, bandwidth, and server capacity; confirm you have the IT infrastructure and concurrent licenses and subscriptions to support increased users. As companies move to work-from-home arrangements, workforce members who are not accustomed to working from home will suddenly have remote connectivity, potentially without training on the relative lack of security of personal accounts and home technology. Consider pushing out training materials and reminding the workforce of company policies on secure and appropriate remote work, including:
- Approved technology and software and communication of sensitive company information via internal electronic communication platforms
- Confirming no sensitive information is visible to non-authorized users via video conference and screen-sharing
- Use of public Wi-Fi networks
- Avoiding use of personal devices and accounts to download or transmit company information
- The ability to store, download, or copy data from company systems to personal devices
- Use of encrypted email
- Print-from-home options and storage and proper disposal of paper files
- Logging out of computers at the end of the day or during breaks to prevent non-employee access
- Consider working on and talking about sensitive company information out of earshot of those present in the home as well as virtual assistants and other visual or voice-enabled IoT devices
- Practice good security hygiene (discussed below)
- Ensuring cell phones, tablets, and laptop computers that can be used to access work systems are stored securely when not in use
Develop a list of FAQs your IT help desk is receiving, and make those available to workforce members to avoid overwhelming IT with repeat questions. Offer your virtual private network (VPN), virtual desktop infrastructure (VDI), or other remote access to company systems, and enable multi-factor authentication on it. Also, use technology where possible to enforce and enable company culture (e.g., chat, video, and conference systems to enable communication).
Bandwidth Limits. Broadband providers may be lifting data caps, but bandwidth limits should be considered in remote operations planning. Remote workforces are competing with other online uses, including schools moving to online learning, increased telehealth usage, and streaming services. This increased dependence on and use of technology and remote connectivity will slow users and test bandwidth limits.
If bandwidth becomes an issue, consider workforce communications and monitoring to control video streaming and other data-intensive activities. For example, ensure that workforce members know that personal online activities should be done on their own devices. Additionally, guidance to help workforce members minimize non-essential home internet use during working hours may also be effective (e.g., limiting children’s video streaming to standard definition, turning off internet-connected devices like video game systems that can automatically update during the day without notice, etc.).
Role-Based Access. With an increased remote workforce comes increased exfiltration of data historically only accessible via more secure and monitored processes. While remote access is necessary for businesses to function amid the COVID-19 pandemic, it is important to consider appropriate access.
Health and life sciences entities are familiar with the minimum necessary concept, but now is a time to reassess access needs. Adjust and monitor role-based access to match job duties. Consider whether you can restrict access to high-risk systems with sensitive data or mission critical designations to workforce members with appropriate training and need to know. You can adjust access rights as the situation continues to unfold.
Plan and Prepare for Failure. Be prepared for failures and overload on system resources. Not everything will work. Test your backups, identify redundancies, and implement your emergency mode operations plans to support business continuity.
Many businesses have sent workforce members home but keep IT personnel and skeleton operations teams on site. Businesses should prepare backup plans (a Plan C) in the event of shelter-in-place orders or workforce sickness/exposure that limit the ability of an on-site IT presence. Identify mission critical systems and team members, and set redundancies and backups where possible.
Find Your Culture. Remember your workforce may be scared, responding to lack of normal human interaction, and adjusting to a new work-from-home lifestyle. Try to find ways to foster moments of normalcy between coworkers.
For more resources, check out the SANS Institute tips to secure your organization in a work-from-home environment and National Institute of Standards and Technology telework cybersecurity guidance.
Increased Cyber Risk
Key Takeaways: Practice good security hygiene, remain vigilant, remind workforce how to spot scams, streamline access to information from reliable sources, manage third party risk, and monitor evolving technical and administrative safeguards.
Businesses should operate in a heightened state during the shift to remote work. Bad actors are taking advantage of COVID-19 fears, rapidly evolving environments, a distracted workforce, individuals’ good will, and unprecedented changes in business operations in all industries, hoping to trick individuals into visiting websites or opening allegedly helpful files and documents that contain malware. The current state of uncertainty, increased patient volume for health and life sciences entities, and unprecedented remote workforce creates a heightened risk of cyber exposure.
Where is the Risk? The increased threats come from a variety of sources, including phishing campaigns, ransomware attacks, targeted attacks against the health and life sciences industry, bad actors posing as the CDC or WHO, and increased risk from a remote workforce. Threat actors play on public fears and viral news stories to trick individuals into providing sensitive information, donating to fraudulent charities, or spreading malicious software disguised as important news alerts, COVID-19 monitoring tools, and pleas for donations.
For example, Jonathan Krebs reported on March 12 that cybercriminals have been disseminating websites and emails designed to look like the Johns Hopkins University’s interactive COVID-19 dashboard. These links contain accurate information, but credential-harvesting malware is embedded in a download required for access. Johns Hopkins University released a statement noting that the map on the University’s website is safe to use.
We are aware of an increased number of phishing campaigns aimed at hospitals, public health agencies, and other health and life sciences entities, hoping that during the pandemic, businesses will pay ransoms without question in order to regain access to mission critical patient care systems. In addition, the US Department of Health and Human Services (HHS) confirmed that it suffered a cyber-attack on March 15, reportedly aimed at slowing its COVID-19 response. On March 16, HHS issued a statement noting that despite the increase in activity on HHS cyber infrastructure, the agency remains fully operational.
The unprecedented spike in remote workforce also increases cyber risk for businesses. As noted above, relatively untrained or inexperienced workforce members are now accessing data and systems remotely using insecure internet connections and external IP addresses. Along with this increased remote workforce come additional access points to your business, and identifying inappropriate access becomes harder.
Practice Good Security Hygiene. The good news is that vigilance, diligence, and basic security hygiene in your workforce training materials can be one of the best ways to combat cyber risk. A distracted and stressed workforce is less likely to employ appropriate vigilance. This is a prime opportunity to remind your workforce of appropriate precautions and diligence, including:
- Do not open attachments in unsolicited emails (review US Department of Homeland Security Cyber and Infrastructure Security Agency (CISA) guidance on email attachments)
- Do not click on links in unsolicited emails
- Do not provide personal or financial information in response to an online solicitation or unsolicited email
- Be wary of generic greetings and senders you do not know
- Understand how to spot social engineering and phishing attacks, including well-crafted and sophisticated messages and spoofed emails (see CISA guidance)
- Understand how the IT department and CEO will and will not communicate with remote workforce members (e.g., user emails requesting credentials, wire card transfer requests)
- Central points of contact for requesting wire transfers, check requests, etc. to limit internal confusion
- Use trusted sources like legitimate government websites for COVID-19 information
- Do not donate to charities without verifying authenticity (review Federal Trade Commission guidance on charity scams)
- Do not download unauthorized or unsupported software on company or personal devices used to work from home
- Update software and settings of home devices used for remote work (e.g., updating home Wi-Fi routers to the latest firmware and using strong Wi-Fi passwords)
Companies should also remain up to date on patches, updates, and security fixes but remain cognizant of timing of releases to disrupt work as little as possible.
Streamline Communication From Reliable Sources. With non-centralized functions, businesses should also develop an enterprise strategy and decision-making protocol in order to provide consistent messages to workforce members. Businesses should use this opportunity to send consistent updates to workforce members with identified or common cybersecurity questions. If possible, an internal landing page with reliable and updated information (e.g., correct contact information and a resource center) should also be made available to avoid workforce members turning to unreliable websites for COVID-19 updates.
Manage Third Party Risk. As businesses shift to an increased remote workforce, businesses also become increasingly reliant on vendors, including IT software and services. This presents an opportunity to confirm your vendors fit with your business continuity, emergency operations, and incident management plans. When considering redundancies and backup capabilities, consider whether third-party vendors provide appropriate reliability and which vendors support critical functions.
Standard operations may not be feasible as the COVID-19 situation unfolds (e.g., vendors’ ability to meet response time SLAs or to maintain all data access on-site at their facilities). Companies should work together to ensure access to critical services can continue in accordance with legally required security standards and allow for the health and safety of vendors’ workforce members. This will require coordination and may require evolving standards as the situation unfolds.
Monitor Technical and Administrative Safeguards. Security monitoring solutions may generate more false positives as workforce members access company systems remotely. Businesses may see an increased demand for additional security support to monitor, filter, and respond to false positives and actual incidents. You should be particularly vigilant in monitoring for unauthorized access and exfiltration hidden among increased workforce activities.
In addition to technical safeguards, it is likely that standard administrative safeguards and policies are not fully appropriate for the COVID-19 pandemic. This is an opportunity to review and revise policies, risk management strategies, and historical tabletop exercises to consider priority updates to support incident response capabilities. Consider drafting a temporary COVID-19 policy outlining exceptions to usual and customary practices (e.g., remote access, transmission of data) and confirming that applicable legal requirements (e.g., HIPAA, PCI DSS, state law, CCPA) are still met. Also consider whether existing insurance coverage is adequate for changes you are making to address the pandemic response.
Health Information and COVID-19
Key Takeaways: Recognize HIPAA requirements are still applicable in a public health emergency, understand the scope of the limited HIPAA waiver, consider interaction of state and federal law for public health disclosures, assess safeguard adequacy, and enable strong access controls on COVID-19 records.
Limited HIPAA Waiver. In response to the declaration of a nationwide emergency concerning COVID-19, HHS issued a waiver (effective March 15) of limited HIPAA Privacy Rule obligations for covered entities located in Secretary Azar’s January 31 public health emergency declaration area during the first 72 hours after the activation of the entity’s emergency response plan. Under the waiver, HHS will waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the Privacy Rule:
- Obtaining a patient's agreement to speak with family or friends or to be included in the facility directory
- Distributing the facility Notice of Privacy Practices (and keeping it updated, given the changes in how information may be used or disclosed)
- Honoring a patient's requests for certain privacy restrictions or confidential communications
The waiver is limited. It does not apply to hospitals that have not instituted a disaster protocol, or beyond 72 hours after instituting a disaster protocol. Also, it is not clear whether temporary facilities set up for testing or emergency room overflow/prescreening fall under the waiver.
HIPAA Guidance. The US Department of Health and Human Services Office for Civil Rights (OCR) issued a bulletin on COVID-19-related use and disclosure of protected health information. The guidance addresses a variety of disclosure options, including treatment, public health, those involved in an individual’s care, prevention of a serious and imminent threat, and media. While these are not new concepts, OCR’s bulletin places these HIPAA concepts in the context of COVID-19.
Public Health Disclosures. Under HIPAA, covered entity health care providers may disclose PHI about individuals who have been exposed to, or are suspected of having contracted, COVID-19 to public health authorities authorized by law to receive such information for preventing or controlling the spread of disease. However, providers should consult applicable authority under state law before relying solely on HIPAA as authorizing a permissive disclosure. Some states have mandatory public health reporting obligations. Further, reporting obligations and options may vary depending on whether the subject individual is a patient, workforce member who is not a patient, or workforce member who is also a patient.
For permissive reporting to public health authorities, covered entity providers should limit disclosures to minimum necessary information (e.g., information needed by the public health authority to conduct activities to prevent or control the spread of COVID-19). In addition, public health disclosures are not excluded from accounting of disclosures obligations, so covered entity providers should be prepared to record and supply individuals with required accounting information.
First Responder Access. On March 24, OCR issued guidance outlining how providers may disclose health information about an individual infected with or exposed to COVID-19 to law enforcement, paramedics, and other first responders (in addition to public health authorities) without patient authorization. The guidance outlines disclosures for treatment purposes and when first responders may be at risk of infection, and provides additional specific examples related to EMS and 911 call centers. The guidance also reminds providers of the general obligation (with limited exceptions) to limit disclosures to the minimum necessary information.
State Law Still Applies. The HIPAA limited waiver and emergency situation do not, without more, waive state privacy laws. While the waiver allows some flexibility with HIPAA compliance, we are still waiting to see if state regulators will take any action to waive state privacy obligations (either those that mirror HIPAA or those that are more protective than HIPAA).
Providers should familiarize themselves with permissive and mandatory reporting obligations and state-specific obligations regarding handling, use, and disclosure of patient information.
Sensitive Health Information. In addition to HIPAA, health and life sciences entities are familiar with additional legal obligations related to particularly sensitive health information, including alcohol and drug abuse treatment records, HIV, mental health, etc. These increased protections remain in place without express waivers or exceptions for emergencies.
The Substance Abuse and Mental Health Services Administration (SAMHSA) released guidance on March 19 regarding COVID-19 and 42 C.F.R. Part 2 to ensure that substance use disorder (SUD) treatment services are uninterrupted during the public health emergency. Noting the increased need for telehealth services, including telephonic consultations, and the difficulty in obtaining written consent for disclosure of SUD records, SAMHSA noted that Part 2 prohibitions would not apply to these situations to the extent that a medical emergency exists (as determined by the provider).
Safeguards and Access Controls. HIPAA’s obligations to implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect confidentiality, integrity, and availability of protected health information are not waived in a public health emergency. Providers adapting to changing conditions, makeshift testing facilities, and increased patient volumes must continue to implement appropriate safeguards.
With increasing interest in symptoms, testing, care, and outcomes of COVID-19 patients, access controls are an important safeguard against snooping (even by well-meaning workforce members). HIPAA covered entities must implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of protected health information. Providers should implement heightened access controls (e.g., break-the-glass or VIP designations), provide reminders to workforce members on appropriate and inappropriate access, and review and respond to audit logs.
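An added example (not from the alert, and not any vendor's product) of the audit-log review this paragraph recommends: it scans a constructed EHR access-audit export for views of COVID-19/VIP-flagged records by users who are neither on the patient's assigned care team nor using a recorded break-the-glass justification. The log columns, patient IDs, user names, and care-team table are all assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of an EHR access-audit export. Columns are assumed:
# timestamp, user, role, patient_id, action, btg_reason (break-the-glass
# justification entered by the user, empty when none was recorded).
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,patient_id,action,btg_reason
2020-03-23T08:02:11,jsmith,RN,P1001,VIEW_CHART,
2020-03-23T08:05:40,dlee,MD,P1001,VIEW_LABS,
2020-03-23T09:10:03,mbrown,BILLING,P1001,VIEW_CHART,
2020-03-23T09:12:55,kwong,RN,P1001,VIEW_CHART,Covering ED overflow unit 3
2020-03-23T10:30:00,mbrown,BILLING,P2002,VIEW_CHART,
2020-03-23T11:45:19,tgreen,MD,P1001,VIEW_CHART,
"""

# Constructed: patients carrying a heightened-protection (COVID-19 / VIP) flag.
FLAGGED_PATIENTS = {"P1001"}

# Constructed: care-team assignments pulled from the scheduling system.
CARE_TEAM = {"P1001": {"jsmith", "dlee"}, "P2002": {"jsmith"}}


@dataclass
class Finding:
    timestamp: str
    user: str
    patient_id: str
    action: str
    severity: str  # "alert" = no basis for access; "review" = break-the-glass used
    reason: str


def review_access_log(log_text, flagged, care_team):
    """Return findings for every access to a flagged record that is not by the
    assigned care team. Break-the-glass access is allowed but queued for review;
    access with neither basis is raised as an alert."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        pid = row["patient_id"]
        if pid not in flagged:
            continue  # routine record: ordinary monitoring applies
        user = row["user"]
        if user in care_team.get(pid, set()):
            continue  # expected access by the assigned care team
        btg = row["btg_reason"].strip()
        if btg:
            sev, why = "review", f"break-the-glass access; justification: {btg}"
        else:
            sev, why = "alert", "not on care team and no break-the-glass justification"
        findings.append(Finding(row["timestamp"], user, pid, row["action"], sev, why))
    return findings


def alerts_by_user(findings):
    """Count 'alert' findings per user so repeat offenders surface first."""
    counts = {}
    for f in findings:
        if f.severity == "alert":
            counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_AUDIT_LOG, FLAGGED_PATIENTS, CARE_TEAM):
        print(f"{f.timestamp} {f.severity.upper():6} {f.user} -> {f.patient_id} ({f.action}): {f.reason}")
```

In practice the flagged-patient set and care-team table would come from the EHR's own designations and scheduling data, and "review" findings would be routed to the privacy officer rather than printed.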
Telehealth
Key Takeaways: Protect providers and patients in acute and routine care settings with increased use of telehealth, understand OCR’s guidance and enforcement discretion, consider interaction of HIPAA flexibility with obligations under other federal and state laws, understand capabilities and limitations of IT infrastructure and technology, enable strong safeguards, and prepare for cybersecurity events.
We have continued to see increasing flexibility and emphasis on use of telehealth during the COVID-19 pandemic. The expanded use of telehealth during the COVID-19 pandemic offers opportunities to protect patients and providers. However, increased reliance on telehealth is not without data privacy and security considerations, which will be outlined in an upcoming alert.
As the COVID-19 situation continues to unfold, we will continue to monitor data privacy and cybersecurity considerations and opportunities. For additional questions, contact your Quarles & Brady health law attorney or: