Hospital executives, including chief information security officers, are working day and night to keep staff safe and to update operations to combat the COVID-19 pandemic.
Here are five things for CISOs to know:
1. The Office for Civil Rights of HHS announced on April 9 that it will not penalize community-based testing sites for potential HIPAA violations during the pandemic. The rules, which were relaxed immediately and apply retroactively to March 13, will allow hospitals and business associates to share limited patient information without violating HIPAA.
2. As of mid-April, the Federal Trade Commission had received more than 14,000 complaints about scams totaling $10 million in losses since Jan. 1. The scams have involved stimulus checks, unproven treatments and medical supply sales, among others. Thousands of email addresses and passwords for Zoom accounts were posted and are being sold for pennies on the dark web. An independent security firm found 530,000 accounts for sale on a dark web marketplace, with many of the email addresses having been compromised in previous data breaches.
3. As COVID-19 scams and cyberattacks, many of which are targeting hospitals and consumers, continue to escalate, government agencies such as the FBI are issuing formal warnings. On April 16, the FBI warned companies focused on COVID-19 treatment research of foreign government hackers that typically target the biopharmaceutical industry but have now been attempting to infiltrate healthcare and research institutions. U.S. Secretary of State Mike Pompeo on April 17 issued a warning in response to a cyberattack against a hospital in the Czech Republic that limited its ability to care for COVID-19 patients. He urged all states to remain alert to cybercriminals targeting hospitals.
4. Big tech organizations such as Microsoft and Amazon Web Services on April 20 asked Congress to provide more funding to states for cybersecurity in the next coronavirus stimulus bill. After warning dozens of hospitals earlier this month of a vulnerability allowing a hacker to exploit their virtual private networks in a ransomware attack, Microsoft on April 14 made its AccountGuard threat notification service available for free to healthcare providers to protect against cyberattacks. The system notifies organizations when there are attacks and provides advice and training support to guard against cyberattacks.
5. Hospitals and health systems are telling staff to expect cyberattacks, according to a recent Pew report. The Greater New York Hospital Association notified affiliated members of an active cybersecurity threat that is exploiting vulnerabilities and Inova Health System is requiring all employees working from home to use two-factor authentication before logging into the network. However, the Falls Church, Va.-based health system's Chief Information Security Officer Scott Larsen said it is difficult to keep up cybersecurity efforts during a pandemic while staff's attention is divided. To help healthcare organizations practice proper cybersecurity hygiene, the American Medical Association and American Hospital Association released guidelines for employees working from home during the pandemic.