HHS Issues Security, Privacy Guidance for COVID-19 Issues
New Materials Warn of Cyberthreats, Potential HIPAA Violations
Federal regulators are alerting healthcare organizations about an array of coronavirus-themed cyberthreats. Plus, they're advising them to avoid potential HIPAA privacy violations involving unauthorized disclosures of patient information to news outlets during the COVID-19 crisis.
On Monday, the Department of Health and Human Services' Office for Civil Rights issued guidance compiling a list of resources to help organizations "detect, prevent, respond and recover" from a surge of coronavirus-themed cyberthreats, ranging from ransomware and other types of extortion to phishing and attacks on video conferencing technology platforms.
"Cybercriminals may take advantage of the current COVID-19 global pandemic for their own financial gain or other malicious motives," OCR notes in a statement. With the increase in COVID-19-related malicious activity, OCR is encouraging HIPAA covered entities and business associates to review the resources.
For example, OCR highlights materials from the National Security Agency that include criteria to consider when selecting an online collaboration tool as well as information on how to use these tools securely, especially as more employees work from home.
OCR also advises entities to tap recent materials from the HHS Health Sector Cybersecurity Coordination Center, or HC3, outlining ways video conference tools, such as Zoom and Cisco WebEx, could be exploited and recommendations to mitigate these issues.
OCR's collection of resources also includes materials from HC3 outlining other cyberthreats facing healthcare organizations during the COVID-19 crisis, including phishing scams, fake coronavirus domains and websites that distribute malware, ransomware, and other threats.
On Wednesday, OCR re-issued an announcement released earlier by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the United Kingdom's National Cyber Security Centre warning about "password spraying" attacks by advanced persistent threat groups on institutions conducting COVID-19 medical research (see: Alert: APT Groups Targeting COVID-19 Researchers).
With resources stretched during the COVID-19 crisis, healthcare organizations and their workforces are particularly vulnerable to coronavirus-themed malicious cyber activities, some experts note.
"Criminals exploit fear and uncertainty by tempting people to open phishing emails or click on pop-up ads about COVID-19," notes independent privacy and security attorney Paul Hales.
The rise in the use of telemedicine also creates potential risks, he adds. "I worry that providers using telehealth for the first time will make inadvertent errors that expose patients and themselves to identity theft, ransomware attacks and other criminal activity," he says.
Privacy attorney Iliana Peters of the law firm Polsinelli says that OCR's collection of resources on COVID-19 cyber threats - as well as additional guidance and alerts from the FBI, National Institute of Standards and Technology, and Federal Trade Commission - offer important security considerations for healthcare sector entities as they deal with the crisis.
"While HIPAA covered entities and business associates are largely trying to focus on COVID-19 response, they should ensure that they continue to devote resources to ensuring good security practices to address the risks of new applications, technologies, and threats," she says. "The last thing anyone wants is to have to respond to a cyberattack in the midst of this COVID-19 crisis."
Preventing Privacy Violations
In addition to issuing the cyberthreat resource material, OCR on Tuesday issued guidance reminding healthcare providers that the HIPAA Privacy Rule does not permit them to give news media and film crews access to facilities where patients' protected health information will be accessible unless they have the patients' prior authorization. OCR stresses that this restriction applies even during the COVID-19 crisis.
The guidance also clarifies that masking or obscuring patients' faces or identifying information before broadcasting a recording of a patient is insufficient because a valid HIPAA authorization is still required before giving the media such access.
"The COVID-19 public health emergency does not alter the HIPAA Privacy Rule's existing restrictions on disclosures of PHI to the media," OCR's new guidance says.
"Hospitals and healthcare providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn't cut it," says OCR Director Roger Severino.
When a patient is receiving treatment, "they are typically surrounded by PHI, such as their name or medical record number on a hospital room door or identification bracelet, notes about their care including conditions or medications written on bulletin boards, real-time displays of heart or lung function, and oral communications about their health and healthcare," OCR notes in the guidance.
But what about situations where a nurse or doctor - unbeknownst to the hospital or patients - has posted on social media or provided to news media outlets video footage recorded on their personal smartphones of chaotic hospital wings treating backlogs of COVID-19 patients?
"Individuals can be directly liable for criminal violations of HIPAA pursuant to the Department of Justice authority, but HIPAA covered entities and business associates are liable for the civil penalties pursuant to HHS's authority," says Peters, a former senior adviser at OCR.
"This is an area of significant risk for HIPAA covered entities and business associates, given all of the cases that HHS has settled on impermissible disclosures to media and on social media."
OCR has previously hit several healthcare organizations with hefty HIPAA enforcement fines in cases involving improper disclosure of patient information to media outlets.
Those include financial settlements totaling $1 million in 2018 with three Boston hospitals - Massachusetts General, Brigham & Women's and Boston Medical Center - for allowing TV crews on their premises in 2014 and 2015 without obtaining authorization from patients (see: Hospitals Fined $1 Million After TV Crews Film Patients).
In 2016, OCR entered a $2.2 million settlement with New York-Presbyterian Hospital in connection with the filming of a TV program.
And in May 2017, OCR slapped Memorial Hermann Health System, which operates 16 hospitals in the Houston area, with a $2.4 million settlement stemming from the 2015 disclosure of one patient's information to the news media without the individual's consent.
Need for Clarification on HIPAA
Commenting on the OCR guidance, Hales, the attorney, observes: "OCR clearly found it necessary to counter widespread misinformation that HIPAA rules don't apply to the COVID-19 emergency as long as a covered entity acts in good faith."
Since HHS declared COVID-19 a national public health emergency, OCR has issued several limited HIPAA waivers and notices of enforcement discretion.
For instance, in March, OCR relaxed certain requirements pertaining to HIPAA privacy provisions in order to help improve patient care and information sharing during the outbreak. Also, under a notice of enforcement discretion, providers are now allowed to offer telehealth services in good faith through certain non-public-facing video chat applications without facing HIPAA penalties.