COVID-19 and HIPAA Enforcement Discretion Leaves Healthcare Organizations Vulnerable to Ransomware Attacks
Patient engagement is a term that has been discussed in healthcare for years. But now, it’s an urgent priority as providers work to vaccinate millions of Americans. The COVID-19 pandemic has put increased pressure on healthcare providers to ramp up digital communications with patients regarding testing, appointments, vaccines and more. But many health systems have struggled to implement a seamless patient communications strategy while also combating today’s health crisis. In addition to innovation and patient care demands, healthcare organizations face the compliance challenges that come with the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
And the complications of this rule become more apparent with hackers targeting healthcare organizations more frequently to obtain access to the most sensitive patient data.
“Exceptions were made in healthcare to keep critical organizations up and running during the pandemic,” said Rick McElroy, principal cybersecurity strategist, VMware Security Business Unit. “As we move to a post-pandemic footing, organizations must look to address these exceptions as soon as possible to eliminate risks and help remove the expanded attack surface. Healthcare organizations should learn from this pandemic to ensure the future of healthcare remains both compliant and secure.”
Cybersecurity Threats on Healthcare Before COVID-19
Pre-COVID, phishing tactics were used to deliver malicious emails, attachments and links that infected servers, while malware and ransomware took advantage of weaknesses. These attacks disrupted business at hospitals, health systems and other health care-related organizations, and impacted IT vendors that served other medical facilities, such as dental offices and nursing homes.
Human factors have also been an element in cybersecurity weaknesses, from employees accidentally opening their companies up to threats to targeted attacks by insiders. In fact, many breaches that occur could have ultimately been avoided in scenarios such as employees not securing devices that provide access to sensitive medical data, not following security standards, or inadvertently sending protected health information (PHI) to the wrong end-users. More difficult to detect and mitigate are the intentional insider threats, which could include disgruntled staff or individuals who were coerced, recruited or bribed to steal on behalf of cybercriminals.
Lastly, a lack of investment in the appropriate technology, security platforms, or regular upgrades has also left the healthcare sector exposed.
Threat Opportunity During COVID-19
COVID-19 has ramped up existing security threats and created new ones that have caught many healthcare organizations off guard. Attackers have expanded phishing and social engineering efforts, preying on anxiety or fear of the coronavirus and disguising their attacks to look like they come from trusted entities.
VMware Carbon Black released 2020 data that paints a holistic view of the threats healthcare organizations faced and should be prepared for in 2021. Researchers found that there were 239.4 million attempted attacks targeting healthcare alone in 2020.
The bigger issue centers around the industry’s overnight pivot at the start of COVID-19 to expanded remote care technologies. These technologies enabled providers to more safely attend to patients’ routine needs and address the increasing demand related to the pandemic. To facilitate telehealth offerings and meet physician needs, the Office for Civil Rights (OCR) relaxed its enforcement actions with regard to compliance with certain aspects of the HIPAA Rules in order to allow providers to better treat their patients via telehealth. This change allowed for use of new technology platforms — including some that presented higher security risks.
Additionally, with offices closed, the increased use of unsecured Wi-Fi and the lack of enterprise virtual private networks (VPNs) opened the opportunity for increased cybercrime against the health care sector.
Protecting Healthcare Organizations Against Cyberthreats
As the threat landscape expands, there is a real opportunity to tighten up cybersecurity protocols. COVID-19 will continue to place a strain on the healthcare system and demand innovation to treat patients. Cybersecurity is no different.
With the right defenses and protocols in place, healthcare organizations can safeguard their practice and secure their patients’ private healthcare data. To do this, organizations should consider adopting HIPAA-compliant solutions that fit into their workflow to ensure that extra layer of security and protection.
The VMware Carbon Black Cloud and VMware Workspace ONE platforms, as reviewed by Coalfire, can be effective in providing support for the requirements of the HIPAA Security Rule. Through proper implementation and integration into an organization’s greater technical infrastructure and information security management systems, the VMware Carbon Black Cloud and Workspace ONE platforms may be useful in a HIPAA-controlled environment by providing coverage for the following safeguards:
- Administrative Safeguards: Protection from malicious software, password management and response and reporting
- Physical Safeguards: Workstation use and workstation security
- Technical Safeguards: Access control, unique user identification, automatic logoff, encryption and decryption, audit controls, person or entity authentication, transmission security, and encryption
This year, new security threats will continue to emerge as the healthcare industry continues to be targeted. It’s time for healthcare organizations to ensure they have the proper defenses in place that will protect the sensitive data belonging to their patients, staff and organization and empower their organizations to detect and stop emerging attacks.
- HIPAA Compliance Attestation by Coalfire Systems (Report)
- The State of Healthcare Cybersecurity Blog
- TAU Threat Advisory: Imminent Ransomware threat to U.S. Healthcare and Public Health Sector
- Ransomware Attacks Targeting Healthcare Surge: VMware Carbon Black experts Weigh in
- Ask the Howlers: Global Pandemic Healthcare Cyberattacks (Episode 11)
- A Look Ahead: 9 Cybersecurity Predictions for 2021
- Healthcare Cyber Heists (2019)