General Surgery Coding Alert

HIPAA:

Keep Remote Work Secure During Pandemic

Don’t let patient privacy lapse.

You need to keep patients’ protected health information (PHI) safe even as more staff are working from home during the COVID-19 pandemic. Read on for some expert tips about securing remote working teams for your general surgery practice.

Identify the Problem

Healthcare cyber attacks have not tapered off during the pandemic. In fact, hackers’ attempts to target the healthcare industry are on the rise, according to a joint advisory alert from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

This rising threat is happening while many providers are struggling mightily with the fiscal impact of the public health emergency (PHE) and conducting the lion’s share of their daily business remotely due to coronavirus concerns. “The alert notes that responding to this threat will be particularly challenging for healthcare organizations during the COVID-19 pandemic,” explains attorney Elizabeth F. Hodge with Akerman LLP in a blog post.

“Most healthcare organizations were completely unprepared to work from home securely when the pandemic hit,” says Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with Security Metrics in Orem, Utah. “Most made valiant attempts to make do with what they had, engaging in an emergency mode that probably wasn’t prepared for extensive remote work. However, with lockdowns dragging on and working from home continuing for the foreseeable future, we can’t continue to cross our fingers and hope that a breach won’t happen.”

Don’t Miss CISA Tool

To the rescue comes a new CISA bulletin, “Cybersecurity Challenges to the Healthcare Sector, Independent of and Due to COVID-19.”

The bulletin suggests the following factors that make remote workers more vulnerable to data security incidents:

  • Staff training: Remote workers lack the necessary skill set to identify IT issues.
  • Update snafus: Staff likely don’t know how to manage software updates, cloud technologies, or other programs necessary to work at home.
  • Incident response: If employees weren’t properly trained to recognize a malware, phishing, or vishing attack before they started working from home, it’s likely that they don’t know how to respond to or address a remote hack.
  • Endpoint security: In an office, staff rely on IT management to secure and protect computer networks. At home, the compliance is up to the remote worker — and this heightens the chance of a breach.

These remote work challenges have made securing PHI during the time of COVID-19 even more difficult. In addition, “PHI is estimated to be worth 10-20 times the value of credit card data on the Dark Web, and is sought after by criminals and nation-states alike,” CISA warns in the release.

Do this: “It’s critical for healthcare organizations to protect their remote staff with the same rigor as in the office,” says Stone. “This means using company-issued laptops for work only, extending the existing protected network (e.g., through use of a VPN), ensuring that endpoint security controls such as antivirus, patching, logging, etc., are centrally managed so that IT personnel can ensure updates are happening.”

If HIPAA breach settlements have taught covered entities (CEs) anything over the past year, it’s the importance of assessing, analyzing, and managing risks as outlined in the HIPAA Security Rule.

Key: Now, more than ever, your surgery practice should be following the Security Rule. “Every year, healthcare organizations should be conducting a meaningful risk assessment and re-evaluating contingency planning,” Stone advises. “This year offers a unique opportunity to leverage these activities in a way that ensures the confidentiality, integrity, and availability of protected health information in any situation.”

Resources: See the CISA bulletin at www.cisa.gov/sites/default/files/publications/202012220800_Graphic_Challenges_to_Healthcare.pdf. See the joint advisory at https://us-cert.cisa.gov/ncas/alerts/aa20-302a.