Healthcare Roundup: Top Privacy and Security Stories of 2020, Global Supply-Chain Cyberattacks, Changes to HIPAA's Privacy Rule, and More
Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about the top privacy and security stories of 2020, the OCR warning of global supply-chain cyberattacks, HHS proposed modifications to the HIPAA Privacy Rule, cybersecurity dangers posed by telehealth, and more.
With COVID-19 wreaking havoc at health systems worldwide, we were inclined to believe cyber crooks would call a ceasefire, but no: hackers and bad actors instead took advantage of the confusion and increased attacks in a new cyberpandemic that shows no signs of subsiding.
A look back at the most read Healthcare IT News stories about the privacy and security challenges faced this year includes the following:
- WHO, coronavirus testing lab hit by hackers as opportunistic attacks ramp up.
- HHS floats major changes to HIPAA Privacy Rule.
- FBI, HHS warn of 'increased and imminent' cyber threat to hospitals.
- Cyberattack on Czech hospital forces tech shutdown during coronavirus outbreak.
- Cyberattacks continue to mount during COVID-19 pandemic.
- FDA issues cybersecurity alert on GE Healthcare medical devices.
- Coronavirus outbreak used by hackers to spread malware.
- As COVID-19 cases increase, so do privacy concerns about EHR snooping.
- Telehealth is biggest threat to healthcare cybersecurity, says report.
- Major security incidents are the new normal for hospitals and health systems.
According to Becker’s Hospital Review, 11 hospitals and health systems reported patient record breaches by employees wrongfully viewing medical records in 2020. The reported instances of EHR snooping by employees resulted in terminations and other disciplinary actions.
Hospitals and health systems are required by HHS' HIPAA Privacy and Security Rules to apply sanctions against staff members who violate privacy and security policies, for example by EHR snooping; however, it is the responsibility of the healthcare organization to decide on and carry out the appropriate disciplinary action.
Overall, 527 healthcare organizations reported data breaches to HHS in 2020, affecting more than 21 million individuals.
The FBI and HHS warn private sector organizations to watch out for COVID-19 vaccine fraud schemes designed to steal personal data.
According to the federal agency alert, scammers are leveraging vaccine rollout campaigns to steal personally identifiable information and for financial gain.
As evidenced by these latest attempts, cybercriminals continue to take advantage of pandemic fears, human nature, and an expanded remote workforce.
The Office for Civil Rights urged all healthcare organizations to review an alert issued by the Department of Homeland Security that warned of ongoing global supply-chain cyberattacks. Nation-state actors trojanized earlier updates to the SolarWinds Orion platform software, inserting malware that gave them a foothold for further exploitation and espionage inside organizations that installed those updates.
The networks of the Department of the Treasury and of the Commerce Department's National Telecommunications and Information Administration (NTIA) have already been compromised by the actors responsible.
Note: There have been no reports or indications that any solutions from Imprivata or Imprivata FairWarning, an Imprivata company, have been compromised or otherwise impacted by this breach.
Internally, we do not use any SolarWinds or FireEye products or services in our IT infrastructure, so our own ecosystem of applications, servers, and endpoints has also not been compromised or otherwise impacted by this breach. Prioritizing security, we have ensured all our key services are on the most recent approved updates and have validated that multiple layers of our security model will stop the known SolarWinds/FireEye hack threats. We are also working with our key partners and supply chain to ensure they also remain secure. Imprivata and Imprivata FairWarning Security Operations will continue to monitor Imprivata and Imprivata FairWarning-owned IT assets to ensure that neither the security nor the privacy of our customers or their data is compromised.
On December 10, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.
The modifications to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
Aetna, which contracts with EyeMed to provide vision benefit services for members, said an EyeMed email mailbox was accessed by an unauthorized individual this year, and phishing emails were sent to email addresses contained in the mailbox's address book. In total, 484,157 members were affected by the email-hacking incident over the summer. Compromised information may have included name, address, date of birth, vision insurance account number, and – in some circumstances – Social Security number, birth or marriage certificate, and medical diagnosis and treatment information of individuals who formerly or currently receive vision-related services through EyeMed, including Aetna customers.
EyeMed took immediate steps, hiring a cybersecurity firm, to investigate the incident and enhance protections already in place.
The incident is just another in a string of recent high-profile security breaches targeting the healthcare industry.
Last year during the COVID-19 pandemic, the U.S. Department of Health and Human Services lifted several restrictions on the use of communication apps, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts, Zoom, and Skype for telemedicine. While the relaxation of regulations has made it easier for patients to access virtual care, it has presented new privacy risks.
In a letter published in the Journal of the American Medical Informatics Association, a Harvard Medical School team warns of "substantial" information security concerns around telehealth. Specifically, they write that the shift to telemedicine brings new information security and privacy issues and risks that need to be addressed, and that ongoing work is needed to ensure our technology infrastructure provides an environment for safe and effective care delivery.
A multi-pronged approach is needed to protect against these threats, including awareness, employee training, following best-practice security behaviors, and transitioning from consumer video conferencing tools to healthcare-specific products.