Healthcare Roundup: Top Privacy and Security Stories of 2020, Global Supply-Chain Cyberattacks, Changes to HIPAA's Privacy Rule, and More

Healthcare roundup: Top privacy and security stories of 2020, global supply-chain cyberattacks, proposed modifications to the HIPAA Privacy Rule, cybersecurity dangers of telehealth, and more

Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about the top privacy and security stories of 2020, the OCR warning of global supply-chain cyberattacks, HHS proposed modifications to the HIPAA Privacy Rule, cybersecurity dangers posed by telehealth, and more.

Top 10 privacy and security stories of 2020

With COVID-19 wreaking havoc at health systems worldwide, we were inclined to believe cyber crooks would ceasefire, but no, hackers and bad actors instead took advantage of the confusion and increased attacks in a new cyberpandemic that shows no signs of subsiding.

A look back at the most read Healthcare IT News stories about the privacy and security challenges faced this year includes the following:

11 hospitals and health systems report medical record snooping cases in 2020

According to Becker’s Hospital Review, 11 hospitals and health systems reported patient record breaches by employees wrongfully viewing medical records in 2020.  The reported instances of EHR snooping by employees resulted in terminations and other disciplinary actions.

Hospitals and Health Systems are required by HHS’ HIPAA privacy and security rules to invoke sanctions against staff members who violate privacy and security policies such as EHR snooping; however, it’s the responsibility of the healthcare organization to implement appropriate punishment.

Overall, 527 healthcare organizations reported to HHS more than 21 million individuals being affected by data breaches in 2020.

FBI, HHS alert to COVID-19 fraud schemes tied to the vaccine rollout

The FBI and HHS warn private sector organizations to watch out for COVID-19 vaccine fraud schemes designed to steal personal data.

According to the federal agency alert, scammers are leveraging vaccine rollout campaigns to steal personally identifiable information and for financial gain.

As evidenced by these latest attempts, cybercriminals continue to take advantage of pandemic fears, human nature, and an expanded remote workforce.

OCR warns of global supply-chain cyberattacks via SolarWinds Orion

The Office for Civil Rights urged all healthcare organizations to review an alert issued by the Department of Homeland Security that warned of ongoing global supply-chain cyberattacks. Nation-state actors trojanized previous updates to the SolarWinds Orion platform software with malware, allowing for further exploits and espionage.

The networks of the Departments of Treasury and Commerce's National Telecommunications and Information Administration (NTIA) have already been compromised by the hackers responsible.

Note: There have been no reports or indications that any solutions from Imprivata or Imprivata FairWarning, an Imprivata company, have been compromised or otherwise impacted by this breach.

Internally, we do not use any SolarWinds or FireEye products or services in our IT infrastructure, so our own ecosystem of applications, servers, and endpoints has also not been compromised or otherwise impacted by this breach. Prioritizing security, we have ensured all our key services are on the most recent approved updates and have validated that multiple layers of our security model will stop the known SolarWinds/FireEye hack threats. We are also working with our key partners and supply chain to ensure they also remain secure. Imprivata and Imprivata FairWarning Security Operations will continue to monitor Imprivata and Imprivata FairWarning-owned IT assets to ensure that neither the security or privacy of our customers or their data is compromised.

HHS proposes modifications to the HIPAA Privacy Rule

On December 10, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.

The modifications to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.

EyeMed security incident affects nearly 500K Aetna members

Aetna, which contracts with EyeMed to provide vision benefit services for members, said an EyeMed email mailbox was accessed by an unauthorized individual this year, and phishing emails were sent to email addresses contained in the mailbox’s address book.  484,157 members were affected by the email-hacking incident over the summer.  Compromised information may have included name, address, date of birth, vision insurance account number, and – in some circumstances – social security number, birth or marriage certificate, medical diagnosis and treatment information of individuals who formerly or currently receive vision-related services through EyeMed, including Aetna customers.

EyeMed took immediate steps, hiring a cybersecurity firm, to investigate the incident and enhance protections already in place.

The incident is just another in a string of recent high-profile security breaches targeting the healthcare industry.

Researchers caution telehealth poses big cybersecurity dangers

Last year during the COVID-19 pandemic, the U.S. Department of Health and Human Services lifted several restrictions on the use of communication apps, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts, Zoom, and Skype for telemedicine. While the relaxation of regulations has made it easier for patients to access virtual care, it has presented new privacy risks.

In a letter published in the Journal of the American Medical Informatics Association, a Harvard Medical School team warns of “substantial” information security concerns around telehealth.  Specifically, with the shift to telemedicine they write that new issues and risks unravel that need to be addressed in regard to information security and privacy, and ongoing work is needed to ensure our technology infrastructure provides an environment for safe and effective care delivery.

A multi-pronged approach is needed to protect against threats, including awareness, training employees, following best practice security behaviors, and transitioning from consumer video conferencing tools to healthcare-specific products.