AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

The American Medical Association has warned hospitals, health systems, and medical practices about the spike in cyber risks facing the healthcare sector during the COVID-19 pandemic, and has offered advice on the steps to take to mitigate threats and improve network security.

AMA assistant director of federal affairs, Laura Hoffman, discussed the current threats in an AMA COVID-19 Update and introduced a new resource developed by the AMA and the American Hospital Association (AHA) on the technology measures healthcare organizations should consider for the rest of 2020 to strengthen network security and protect patient privacy.

The COVID-19 pandemic has created many new problems for healthcare organizations, which are treating more patients while dealing with unfamiliar cases. The pandemic also prompted a rapid expansion of telehealth services, with many patients now receiving virtual care through newly adopted technology.

The new technologies and systems introduced vulnerabilities and widened the attack surface, and cybercriminals have taken advantage by escalating attacks on the healthcare industry. At the start of the pandemic, phishing attacks on the sector increased. Virtual Private Network use expanded to support remote work, telehealth, and remote monitoring of medical equipment, and every additional VPN endpoint is another entry point to defend. Several vulnerabilities were disclosed in these products and exploited by threat actors to gain access to healthcare networks, which makes prompt patching of VPN appliances essential.

Ransomware attacks on healthcare providers have also increased. In particular, Ryuk ransomware operators have increasingly targeted the healthcare sector in recent weeks. These attacks block access to protected health information (PHI) and take mission-critical systems offline, delaying patient care and putting patient safety at risk. The AMA has also observed more insider threats during the pandemic, with insiders exploiting known security weaknesses for financial gain.

The new guidance is intended to help practices and hospitals prepare for the coming months, when a second wave of COVID-19 infections may coincide with cold and flu season. The AMA recommends that healthcare providers request regular updates from their IT vendors or security specialists, and the guidance document includes a set of questions to ask them to ensure vulnerabilities are identified and addressed. The questions cover network security, legacy devices and unsupported software, system access rights granted to third parties and vendors during the pandemic, and where all PHI is stored.

Besides addressing cybersecurity risks, healthcare organizations must be ready for the end of the Public Health Emergency. During the pandemic, the HHS' Office for Civil Rights is exercising enforcement discretion regarding the good faith use of telehealth technology. Once the Public Health Emergency ends, healthcare organizations must be in full compliance with HIPAA.

Telehealth platforms adopted during the pandemic may not be acceptable for continued use once enforcement discretion ends. If they are to remain in use, a business associate agreement must be in place with the technology vendor. A security risk analysis covering the telehealth platform must also be performed, if it has not been already, to identify risks and vulnerabilities to the PHI it handles.

The AMA is urging physicians and hospitals to begin those discussions with their telemedicine vendors now and to conduct a security risk analysis, so they are ready when the Public Health Emergency comes to an end.

The AMA/AHA guidance also recommends asking telemedicine vendors about their privacy policies, intended data use, and security practices. Consult your legal team to establish how the vendors capture and store video, audio, and other data, and who can access it. You may also ask whether the vendor will share the results of third-party security audits, such as SOC 2 or HITRUST, along with penetration test results, and check that the scope of those audits actually covers the telehealth service you are using.

It is also good practice to enable all available privacy and security features on telemedicine platforms, such as end-to-end encryption, so that third parties cannot intercept communications between patients and providers. Encryption in transit does not, however, address how the vendor stores recordings and session data, which is why the data-handling questions above matter. Patients should also be made aware of the privacy risks that remain when care is delivered through telemedicine platforms.