It isn’t exactly HIPAA, but because the Security Rule’s Security Management Process, 45 C.F.R. § 164.306(a), certainly requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (“EPHI”) and the Evaluation Implementation Specification, 45 C.F.R. § 164.308(a)(8) requires security updates, recommendations from other sources can certainly help compliance. This notion is particularly true when “black swan” events like COVID-19 occur.
The American Medical Association (“AMA”) and the American Hospital Association (“AHA”) issued Technology Consideration for the Rest of 2020, available at Technology considerations for the rest of 2020 | AMA (ama-assn.org) because of the explosion of cyberattacks or those taking advantage of the COVID-19 pandemic. The guidance notes the increase in phishing making fake promises of retailers selling N95 masks and raising false hope for lifesaving ventilators—but instead are usually laden with malware and malicious links. It also referenced the increase in telemedicine, with its attendant risks in a larger “attack surface” for cyberattacks, and increased ransomware attacks bringing an increased risk of patient deaths in a pandemic environment.
The guidance then offered a list of questions for medical practices and hospitals to consider asking their vendors:
- Are network components or services still in place that potentially create vulnerabilities? (i.e., use of personal mobile devices or home computers, out-of-date VPN or firewall technology, etc.).
- Are you running legacy devices or systems that utilize Windows 7 as the operating system? Support for Windows 7 expired on 1/14/2020 and is out of support for security updates, unless the extended security update (ESU) service is purchased. The ESU is only available through 2022. This is an extremely critical issue as most medical devices currently in-service use Windows 7 as their base operating system and thus will be either totally out of support in 2022 or very expensive to replace.
- Do you need to maintain newly added components or services? With continuing concern of a second COVID-19 wave in the coming months, many providers are rightly reluctant to remove some of their newly adopted networks and devices. Physicians and hospitals should make sure network devices that are retained are resilient and hardened against cyberattacks.
- Many individuals, and perhaps outside parties and vendors, may have been given network access or company mobile devices during the “heat of the battle” where the priority focus was rightly on treating patients and saving lives. Do these individuals and outside parties still need access to your network or use of your mobile devices? If so, do they have the right level of access? Can it be limited to the minimum amount of access based on their current role?
- For the vendors that were provided network access, have they all signed proper business associate agreements (“BAAs”)? Consider including updated cybersecurity requirements in their BAAs to match the level of cybersecurity risk associated with the vendor’s role, the amount of data they hold, and the sensitivity of the data and/or access they have been provided. The AMA offers a sample BAA for your reference.
- Where is protected health information (“PHI”) located now? Are PHI and payment information on company or personal computers? Is it being sent using unencrypted emails, or stored in medical devices? Some medical devices and office equipment, such as imaging devices or photocopiers, can store thousands of patient records. Consider requesting that your medical device vendors review their data management policies and ensure PHI access is limited to only fulfill their roles and responsibilities. Also, when you purchase or upgrade new medical devices or office equipment, ensure that all PHI is properly removed from your older equipment by the vendor.
Under the topic of privacy, the document suggests (somewhat unnecessarily the author suggests as anyone who has not done the following a long time ago is clueless):
- Entering into BAAs with third-parties using, storing, transmitting, or otherwise managing PHI on behalf of the physician or hospital to ensure PHI is appropriately handled by the third-party
- Conduct a Security Risk Analysis to identify and evaluate what may expose PHI to inappropriate use or disclosure and take steps to address vulnerabilities.
- Develop and implement policies and procedures to help ensure proper confidentiality and security of PHI.
The guidance concludes with a discussion of how to prepare to get (back?) into compliance when the emergency ends. Other than the very basic guidance (enter into a BAA with telemedicine vendors and conduct a risk analysis of the telemedicine), it suggests:
“We also suggest asking your vendor about their privacy practices, intended data use, and security protocols. Many physicians do not realize that a telemedicine platform or application may be low-cost or free because the vendor’s business model is based on aggregating and selling patients’ data. If possible, consult with your legal team to clarify how video, audio, and other data are being captured and stored by the vendor and who has access. You can also ask whether the vendor will share results of third-party security audits, including SOC 2 or HITRUST, in addition to the results of their penetration testing.”
The AHA also suggests that providers be open with their patients about the potential privacy risks associated with use of telemedicine platforms and applications. It also recommends enabling all privacy and security tools available when using such applications and using platforms with end-to-end encryption, as using unencrypted audiovisual platforms to communicate may result in third parties’ being able to intercept the communications and “tap into” the conversation between a physician and a patient.
Alice here: On that cheerful note, Jon and I wish you a Merry Christmas and a Happy New Year! Stay safe out there!