Keep up security at home.

With more staff working from home during the COVID-19 pandemic, adhering to patient privacy rules requires vigilance to keep information safe and secure in your lab.

Know the Problem

Healthcare cyber attacks have not tapered off during the pandemic. In fact, hackers’ attempts to target the healthcare industry are on the rise, according to a joint advisory alert from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This rising threat is happening while many providers are struggling mightily with the fiscal impact of the public health emergency (PHE) and conducting the lion’s share of their daily business remotely due to coronavirus concerns.

“The alert notes that responding to this threat will be particularly challenging for healthcare organizations during the COVID-19 pandemic,” explains attorney Elizabeth F. Hodge with Akerman LLP in a blog post.

“Most healthcare organizations were completely unprepared to work from home securely when the pandemic hit,” says Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with Security Metrics in Orem, Utah. “Most made valiant attempts to make do with what they had, engaging in an emergency mode that probably wasn’t prepared for extensive remote work. However, with lockdowns dragging on and working from home continuing for the foreseeable future, we can’t continue to cross our fingers and hope that a breach won’t happen.”

Use CISA Tool

To the rescue comes a new CISA bulletin, “Cybersecurity Challenges to the Healthcare Sector, Independent of and Due to COVID-19.” The bulletin suggests the following factors that make remote workers more vulnerable to data security incidents:

These remote work challenges have made securing protected health information (PHI) during the time of COVID-19 even more difficult.
In addition, “PHI is estimated to be worth 10-20 times the value of credit card data on the Dark Web, and is sought after by criminals and nation-states alike,” CISA warns in the release.

Do this: “It’s critical for healthcare organizations to protect their remote staff with the same rigor as in the office,” says Stone. “This means using company-issued laptops for work only, extending the existing protected network (e.g., through use of a VPN), ensuring that endpoint security controls such as antivirus, patching, logging, etc., are centrally managed so that IT personnel can ensure updates are happening,” she says.

If HIPAA breach settlements have taught covered entities (CEs) anything over the past year, it’s the importance of assessing, analyzing, and managing risks as outlined in the HIPAA Security Rule.

Key: Now more than ever, your lab should be following the Security Rule. “Every year, healthcare organizations should be conducting a meaningful risk assessment and re-evaluating contingency planning,” Stone advises. “This year offers a unique opportunity to leverage these activities in a way that ensures the confidentiality, integrity, and availability of protected health information in any situation.”

Resources: See the CISA bulletin at www.cisa.gov/sites/default/files/publications/202012220800_Graphic_Challenges_to_Healthcare.pdf. See the joint advisory at https://us-cert.cisa.gov/ncas/alerts/aa20-302a.