Latest HIPAA News

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic.

Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector.

The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin.

The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity Working Group (CWG), H-ISAC, and healthcare industry and government cybersecurity experts and is intended to help healthcare organizations develop a tactical response for managing cybersecurity threats that increase during emergencies and to help them improve their level of preparedness.

During the COVID-19 crisis, cyber threat actors have conducted a range of attacks on healthcare organizations including phishing attacks, domain attacks, and malware and ransomware attacks. The attacks came at a time when healthcare organizations were attempting to provide care for highly infectious patients, deploy remote diagnostic and treatment services, and transition to teleworking to prevent the spread of COVID-19. The change in working practices significantly increased the attack surface and introduced new vulnerabilities and attack vectors.

“For each gain delivered by automation, interoperability, and data analytics, the vulnerability from malicious cyber-actors increases as well,” explained HSCC/H-ISAC in the guidance document. “To thwart these attacks before they occur, it is essential for healthcare organizations to establish, implement, and maintain current and effective cybersecurity practices.”

The guidance document can be used by healthcare organizations of all sizes to improve their cybersecurity programs and prepare for emergency situations. Smaller healthcare organizations can use the guidance to help them choose appropriate measures to improve their security posture, while larger organizations that have already planned their tactical crisis response can use the guide as a checklist to ensure nothing has been missed.

The guidance document divides techniques, practices, and activities into four main sections: Education and Outreach; Enhance Prevention Techniques; Enhance Detection and Response; and Take Care of the Team.

The cybersecurity response to a crisis is largely dependent on technical controls, but HSCC/H-ISAC explains that education and outreach play an important part in the success of the response strategy. In emergency situations, even the best laid plans can come unstuck without proper education and outreach. Organizations that communicate their plans effectively will reduce confusion, improve response times, and maximize the effectiveness of their cybersecurity plan. The guide explains how to develop a communication plan and conduct policy and procedure reviews effectively.

Preventing cyberattacks is critical. Most healthcare organizations will have implemented a range of measures to thwart cyberattacks prior to the public health emergency, but HSCC/H-ISAC suggests three practices should be reviewed: limiting the potential attack surface, bolstering remote access, and leveraging threat intelligence feeds.

Reducing the attack surface requires effective vulnerability management, accelerated patching, securing medical devices and endpoints, and managing third party network access. The guidance document suggests some of the ways that remote access can be secured, and how to leverage threat intelligence feeds to prevent attacks and accelerate the response.

Many attacks are difficult to prevent, so it is critical for mechanisms to be developed and implemented to detect successful attacks and respond quickly. The guidance document suggests some of the steps that can be taken to enhance detection and response to attacks.

It is also important to take care of the team. In crisis situations, health, well-being, job security, and financial stability are all key concerns for healthcare employees. It is important for organizations to communicate effectively with their workers, address these concerns, and explain how the organization will support employees during the crisis.

You can view and download the guidance document on this link. A second guidance document was released by HSCC earlier this month that details steps healthcare organizations can take to protect trade secrets and research. The guidance document is available for download here.

The post Guidance on Managing the Cybersecurity Tactical Response in a Pandemic appeared first on HIPAA Journal.

Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps

Two privacy bills have been introduced relating to COVID-19 contact tracing apps that are now being considered by Congress. The competing bills, introduced by Republican and Democratic lawmakers, share some common ground and look to achieve similar aims.

The first bill, the COVID-19 Consumer Data Protection Act, was introduced by Republican senators Roger Wicker (R-Miss), John Thune (R-S.D), Jerry Moran (R-Kan), and Marsha Blackburn (R-Tenn) last month “to protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.”

The bill would make it illegal to collect personal health information, proximity data, device data, or geolocation data unless consumers are given notice of the purpose of the collection and have given their consent to the collection, processing, and transfer of their data. The bill prohibits the collection, use, or transfer of data for any secondary purposes.

The allowed purposes for the collection, processing, and transfer of data are limited to tracking the spread, signs, and symptoms of COVID-19; the collection, processing, and transfer of an individual’s data to measure compliance with social distancing guidelines and other requirements related to COVID-19 imposed on individuals; and the collection, processing, or transfer of data for COVID-19 contact tracing purposes.

The bill also requires companies to allow individuals to opt out; to provide transparency reports describing data collection activities; to establish data minimization and data security requirements; to define what constitutes aggregate and de-identified data so that companies adopt certain technical and legal safeguards to prevent re-identification; and to delete collected data when the COVID-19 public health emergency is over.

According to Senator Thune, “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”

The Democratic bill, the Public Health Emergency Privacy Act, was introduced by Representatives Anna G. Eshoo (D-Calif), Jan Schakowsky (D-Ill), and Suzan DelBene (D-Wash), and Senators Richard Blumenthal (D-Conn) and Mark Warner (D-Va). The aim of the bill is to ensure there is transparency over the health and location data collected by contact-tracing apps and to give Americans control over the collection and use of their data. The bill also ensures that businesses can be held to account by consumers if their data is used for any activities other than the fight against COVID-19.

The bill requires health data to only be used for public health purposes; prohibits the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising or to gate access to employment, finance, insurance, housing, or education opportunities; prevents misuse of data by government agencies that have no role in public health; ensures meaningful data security and data integrity protections are implemented; prohibits conditioning the right to vote based on a medical condition or use of contact tracing apps; and requires reports to be regularly produced on the impact of digital collection tools on civil rights.

The bill requires that the public be given control over participation in contact tracing through opt-in consent, that there be meaningful transparency, and that there be robust private and public enforcement. The bill also calls for the destruction of data within 60 days of the end of the public health emergency. The bill would not apply to HIPAA-covered entities or their business associates, which would continue to be required to comply with HIPAA Rules.

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights,” said Rep. Jan Schakowsky.

Given the similarity of both bills and their common goals, it may be possible for some consensus to be reached on the content of any new legislation and for both sides to work together to get a bill passed to protect the privacy of Americans and ensure that data collected by COVID-19 contact tracing apps is not misused.


CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data.

The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia, and North Korea, and those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied them.

Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their ability to conduct attacks.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” explain CISA and the FBI in the alert.

CISA and the FBI hope the list will help organizations to prioritize patching and are urging all organizations to invest more time and resources into patching and develop a program that will keep all system patching up to date moving forward.

Top 10 Routinely Exploited Vulnerabilities

The top 10 list of routinely exploited vulnerabilities includes flaws in Microsoft Office, Microsoft Windows, Microsoft SharePoint, Microsoft .NET Framework, Apache Struts, Adobe Flash Player, and Drupal. Out of the top ten, most nation state hacking groups have concentrated on just three vulnerabilities – CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 – all of which concern Microsoft’s OLE technology. Microsoft’s Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word documents. The fourth most commonly exploited vulnerability – CVE-2017-5638 – is present in the Apache Struts web framework. These vulnerabilities have been exploited to deploy a range of different malware payloads including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBoss, China Chopper, DOGCALL, WingBird, FinFisher, and Kitty.

Priority, vulnerability, and affected products:

1. CVE-2017-11882: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 products
2. CVE-2017-0199: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
3. CVE-2017-5638: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
4. CVE-2012-0158: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
5. CVE-2019-0604: Microsoft SharePoint
6. CVE-2017-0143: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
7. CVE-2018-4878: Adobe Flash Player before 28.0.0.161
8. CVE-2017-8759: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
9. CVE-2015-1641: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
10. CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1


A warning has also been issued about two vulnerabilities that have been exploited in attacks in 2020. These vulnerabilities both concern Virtual Private Network (VPN) solutions and have been exploited by nation state hackers and cybercriminal groups: the Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510.

The rush to implement cloud collaboration services such as Microsoft Office 365 to allow employees to work remotely due to COVID-19 has given hackers new options for attacking organizations. Hasty deployments of these solutions have led to oversights in security configurations which makes them vulnerable to attack. Cybersecurity weaknesses are also being targeted, such as poor employee education about phishing and social engineering. A lack of system recovery and contingency plans has also placed organizations at risk of ransomware attacks.


AMA Publishes Set of Privacy Principles for Non-HIPAA-Covered Entities

The American Medical Association (AMA) has published a set of privacy principles for non-HIPAA-covered entities to help ensure that the privacy of consumers is protected, even when healthcare data is provided to data holders that do not need to comply with HIPAA Rules.

HIPAA only applies to healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates of those entities. HIPAA requires those entities to protect the privacy of patients and implement security controls to keep their healthcare data private and confidential. When the same healthcare data is shared with an entity that is not covered by HIPAA, those protections do not need to be in place. HIPAA also gives patients rights over their health data, but those rights do not apply to health data sent to a non-HIPAA-covered entity.

The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) have recently published rules to prevent information blocking and improve sharing of healthcare data. One requirement is to allow patients to have their health data sent to a third-party app of their choice. In most cases, the developers of those apps are not HIPAA-covered entities.

Discussions are taking place in Congress about new federal regulations covering healthcare data provided to non-HIPAA-covered entities and several legislative acts have been proposed, although none have so far attracted sufficient support.

The new privacy principles developed by the AMA are intended to give consumers greater control over their healthcare data when it is held by a non-HIPAA-covered entity and to inform discussions about new legislation to better protect privacy when health data is shared with third-parties outside of the healthcare system.

In a recent blog post announcing the new privacy principles, the AMA explained that patients’ confidence in the privacy and security of their data has been shaken. The business models of many tech companies involve gathering extensive information about consumers’ personal lives, in many cases with a lack of transparency and consent. There have been many scandals over personal data which have made consumers nervous about sharing data not only with tech companies but also with their healthcare providers.

Consumers are now less willing to provide health information to physicians, as they are worried that the information may not remain private and confidential and may even be shared with tech companies. The AMA is particularly concerned that the recent CMS and ONC rule changes will make it even more likely that patients will feel that they should withhold certain healthcare data from their healthcare providers.

The privacy principles will help to ensure that guardrails are placed around healthcare data and patients are given meaningful control over their healthcare data and will be told, in clear and easy to understand language, exactly how their health data will be used and with whom that information will be shared. The privacy principles also cover data that has not historically been considered to be personally identifiable such as IP addresses and mobile phone advertising identifiers but could in fact be used to identify an individual.

The privacy principles detail rights that individuals should have over their healthcare data and protections that need to be implemented to protect against healthcare data being used to discriminate against individuals. The AMA is also attempting to shift the responsibility for privacy from individuals to data holders, who must be responsible stewards of any data provided to them. In cases where privacy is violated, the AMA is calling for tough penalties to be imposed and for there to be robust enforcement of any new national privacy legislation. Robust enforcement will help to maintain trust in digital health tools, including smartphone apps that can be used to access healthcare data.

The privacy principles establish 12 rights that individuals should have over their health data, equity factors that must be taken into account in any privacy laws, and the responsibilities of data holders to protect the privacy of consumers. Also included are a set of requirements for enforcement of new privacy regulations covering health data.

“The AMA privacy principles set a framework for national protections that provide patients with meaningful control and transparency over the access and use of their data,” said AMA President Patrice A. Harris, M.D., M.A. “Preserving patient trust is critical if digital health technologies are to facilitate an era of more accessible, coordinated, and personalized care.”

You can view the AMA’s privacy principles on this link.


FTC Seeks Comment on Health Breach Notification Rule

The U.S. Federal Trade Commission (FTC) is seeking comment on its breach notification requirements for non-HIPAA-covered entities that collect personally identifiable health information.

The FTC’s Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The rule took effect on August 22, 2010, and the FTC started actively enforcing compliance on February 22, 2010.

Healthcare data collected, maintained, or transmitted by healthcare providers, health plans, healthcare clearinghouses (HIPAA-covered entities) and their business associates is covered by the Health Insurance Portability and Accountability Act (HIPAA) and is classed as protected health information (PHI).

The FTC’s Health Breach Notification Rule applies to personal health records (PHRs), which are electronic records containing personally identifiable health information that are managed, shared, and controlled by or primarily for the individual. The FTC rule applies to vendors of personal health records and PHR-related entities, which are companies that offer products and services through PHR websites, send information to PHRs, or access some of the information in PHRs.

All entities covered by the FTC’s Health Breach Notification Rule are required to issue notifications to affected consumers and the FTC without unreasonable delay and no later than 60 days from the date of discovery of a breach. The FTC must be notified within 10 days of discovery of a breach if it impacts 500 or more individuals. If a breach is experienced by a service provider, the service provider is required to notify the PHR company. The FTC publishes notices of data breaches affecting 500 or more individuals on its website.

The FTC routinely reviews rules every 10 years. In the 10 years since the rule was passed, only 2 breaches have been published on the FTC website, as most breaches reported to the FTC have involved fewer than 500 records. The FTC also reports that it has not needed to enforce compliance, as the entities to which the rule applies are somewhat limited.

Most PHR vendors and related entities are either HIPAA-covered entities or business associates of those entities and are therefore required to comply with the HIPAA Breach Notification Rule; however, the FTC explains that its rule may soon apply to a greater number of entities.

“As consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.”

The COVID-19 pandemic has increased use of these communication platforms following the move by the HHS to temporarily refrain from imposing financial penalties for use of non-HIPAA-compliant platforms in relation to the provision of telehealth services. The FTC rule may therefore be more relevant today than it was 10 years ago when the rule was introduced.

The FTC is seeking answers to specific questions about its rule in relation to its effectiveness, benefits, and relevance to determine whether the rule should remain as it is, should be scrapped, or updated to increase the benefits to consumers.

Comment is being accepted for 90 days from the date of publication in the Federal Register. You can view a copy of the request for public comment on Bloomberg Law.


OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations.

OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations.

OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered entities for violations of HIPAA Rules not covered by the Notices of Enforcement Discretion, such as unauthorized disclosures to the media.

In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information which must be protected against unauthorized access and disclosure. In all cases, HIPAA authorizations must be obtained from patients in advance, before the film crews are granted access to the facilities. It is not permissible for film crews to simply mask the identities of patients in video footage, such as blurring faces before broadcast.

The HIPAA Privacy Rule does not prohibit film crews from entering healthcare facilities. Provided HIPAA authorizations have been obtained in advance from all patients who are in or will be in the areas accessed by the film crews, filming is permitted. However, in such situations, reasonable safeguards must still be put in place to protect against unauthorized disclosures of PHI, including measures such as privacy screens on computer monitors to prevent electronic PHI from being viewed. Screens must also be used to ensure patients who have not signed HIPAA authorizations are not filmed.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director. “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”


Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen.

To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Requests must be submitted in writing, and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days of the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as agreed with the patient.

For each study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1-5 based on their response. A 1-star rating represents a non-HIPAA-compliant response. 2-stars are awarded when requests are eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is reserved for providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies revealed a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage fall to 27%. The percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.

There was further good news from this year’s study. Under HIPAA, healthcare providers are permitted to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The latest study saw a significant increase in assessments, which may have accounted, in part, for the improvements in compliance. 51 providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements made are genuine.

Ciitizen attributes the improvements in compliance to three main factors. A greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

There has also been a positive influence from release of information (ROI) vendors. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Under that initiative, two penalties of $85,000 were imposed on covered entities that failed to comply with requests from patients to provide copies of their PHI.

The Ciitizen Patient Record Scorecard Reports and the website set up by Ciitizen that shows the scores of each provider may also have played a role in encouraging healthcare providers to comply with this important aspect of HIPAA.


NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones.

There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs.

The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform perform against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration services securely.

The NSA recommends that the guidance be reviewed by all employees who are now working from home, so that they can make an informed decision about the best communication and collaboration tools for their specific needs, and that workers take the steps outlined in the guidance document to mitigate the risk of cyberattacks.

The guidance document, Selecting and Securely Using Collaboration Service for Telework, is available from the NSA.

Healthcare-specific guidance for remote workers has also recently been published by the American Hospital Association (AHA) and the American Medical Association (AMA), which should be used in conjunction with the NSA guidance.

OCR Suggests Resources to Help Healthcare Organizations Combat COVID-19 Threats

On April 30, 2020, the HHS’ Office for Civil Rights suggested several resources covering the current threat landscape and the steps that can be taken to reduce risks to a reasonable and acceptable level, as detailed below:

The post NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources appeared first on HIPAA Journal.

EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-2; however, the Electronic Frontier Foundation (EFF) has warned that, in its current form, the system could be abused by cybercriminals.

Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user downloads a contact tracing app, each time they come into contact with another person with the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy.

How Does the Contact-Tracing System Work?

RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range is estimated from the strength of the pings sent out by users’ smartphones. Should a person be diagnosed with COVID-19 and enter the information into the app, all individuals that the person has come into contact with over the previous 14 days will be sent an electronic notification.

The data is sent anonymously, so notifications will not provide any information about the person who has contracted COVID-19. The RPIDs will change every 10-20 minutes, which prevents a person from being tracked by a single identifier. Data will be stored on smartphones rather than being sent to a central server, and RPIDs will only be retained for 14 days. Permission is also required from a user before a public health authority can share the user’s temporary exposure key confirming that the individual has contracted COVID-19, which will prevent false alarms.

When a COVID-19 diagnosis is confirmed, a diagnosis key will be logged in a public registry which will be accessible by all app users and will be used for generating alerts. The diagnosis keys contain all of the RPIDs for a particular user to allow all individuals who have been in contact with them to be notified.

Electronic Frontier Foundation Concerned About Privacy and Security Risks

The public registry is one of the problems with the system, as EFF’s Bennett Cypher and Gennie Gebhart explained in a recent blog post, “any proximity tracking system that checks a public database of diagnosis keys against RPIDs on a user’s device—as the Apple-Google proposal does—leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected.”

Each day, users of the apps will share their diagnosis keys, which opens up the possibility of linkage attacks. It would be possible for a threat actor to collect RPIDs from many different places simultaneously through the use of static Bluetooth beacons in public places. This would only provide information about where pings occurred and would not allow an individual to be tracked. However, when the diagnosis keys are broadcast, an attacker could link the RPIDs together and determine a person’s daily routine from their RPIDs. Since a person’s movements would be unique, it would potentially be possible to identify that individual and discover their movements and where they live and work. EFF suggests that risk could be reduced by sending diagnosis keys more frequently, such as every hour rather than once a day.
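The following is an added, constructed model of the exchange described in the "How Does the Contact-Tracing System Work?" section and of the linkage window discussed in the paragraph above. It is not code from Apple, Google or EFF: the identifier derivation is HMAC-SHA256 over an interval counter, an assumption chosen for illustration rather than the published key schedule, and the phones, meetings and interval numbers are invented. It shows that RPIDs rotate and cannot be linked without the period key, that matching against a published diagnosis key happens entirely on the device, and that the span of sightings one published key links together shrinks from a day to an hour when keys are issued hourly, which is the mitigation EFF suggests.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# One interval is 10 minutes, roughly the rotation period the post describes.
INTERVALS_PER_HOUR = 6
INTERVALS_PER_DAY = 24 * INTERVALS_PER_HOUR


def derive_rpid(period_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte rolling proximity identifier for one interval.

    HMAC-SHA256 over the interval number is an assumption made for this
    example; the Apple/Google design uses its own key schedule.
    """
    return hmac.new(period_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    key_lifetime: int                          # intervals covered by one period key
    keys: dict = field(default_factory=dict)   # period number -> secret key
    heard: list = field(default_factory=list)  # (interval, rpid) observed over Bluetooth

    def period_key(self, interval: int) -> bytes:
        period = interval // self.key_lifetime
        if period not in self.keys:
            self.keys[period] = os.urandom(16)  # stays on the phone unless the user is diagnosed
        return self.keys[period]

    def rpid_at(self, interval: int) -> bytes:
        return derive_rpid(self.period_key(interval), interval)

    def diagnosis_keys(self, from_interval: int, to_interval: int) -> list:
        """What a diagnosed user consents to publish: (start, lifetime, key) per period."""
        out = []
        for period, key in sorted(self.keys.items()):
            start = period * self.key_lifetime
            if start + self.key_lifetime > from_interval and start <= to_interval:
                out.append((start, self.key_lifetime, key))
        return out


def exchange(a: Phone, b: Phone, interval: int) -> None:
    """Two phones within range log each other's current RPID and nothing else."""
    a.heard.append((interval, b.rpid_at(interval)))
    b.heard.append((interval, a.rpid_at(interval)))


def match_exposures(phone: Phone, registry: list) -> list:
    """Run on the device: re-derive RPIDs from published keys, compare with the local log.

    Returns the intervals at which this phone was near a diagnosed user. A hit
    requires both the RPID and the interval to agree, so an identifier heard
    outside its own interval does not count.
    """
    hits = set()
    for start, lifetime, key in registry:
        expected = {derive_rpid(key, i): i for i in range(start, start + lifetime)}
        for interval, rpid in phone.heard:
            if expected.get(rpid) == interval:
                hits.add(interval)
    return sorted(hits)


def linkable_span(registry: list) -> int:
    """Longest run of intervals that one published key lets an observer tie together.

    A key covering a day links a day of sightings; a key covering an hour links
    only an hour, which is the effect of publishing keys more frequently.
    """
    return max((lifetime for _, lifetime, _ in registry), default=0)


def scenario(key_lifetime: int) -> dict:
    """Constructed day: Alice and Bob meet twice; Carol meets Bob but never Alice."""
    alice = Phone("alice", key_lifetime)
    bob = Phone("bob", key_lifetime)
    carol = Phone("carol", key_lifetime)
    exchange(alice, bob, 10)    # morning
    exchange(alice, bob, 100)   # evening
    exchange(bob, carol, 50)    # Alice not present
    registry = alice.diagnosis_keys(0, INTERVALS_PER_DAY)  # Alice is diagnosed and consents
    return {
        "bob_hits": match_exposures(bob, registry),
        "carol_hits": match_exposures(carol, registry),
        "linkable_span": linkable_span(registry),
        "rpids_rotate": alice.rpid_at(10) != alice.rpid_at(11),
    }


if __name__ == "__main__":
    print("daily keys:", scenario(INTERVALS_PER_DAY))
    print("hourly keys:", scenario(INTERVALS_PER_HOUR))
```

Bob is notified for both meetings in either configuration and Carol is never notified, so shortening the key lifetime costs nothing in detection; what changes is `linkable_span`, the stretch of a diagnosed user's day that a network of static beacons could reassemble from one published key.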

Another problem with the system in its current form is there is currently no way of verifying that a device sending contact-tracing data is the device that generated the RPID. This means a malicious actor could intercept RPIDs and rebroadcast them.

“Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe,” Cypher and Gebhart explained. “Anyone who passes by a ‘bad’ beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public-health system as a whole.”

Concern has also been raised about the potential for developers to centralize the data collected by the apps, which EFF warns could expose people to more risk. EFF recommends developers stick to the proposal outlined by Apple and Google and keep users’ data on their phones rather than in a central repository. EFF also says it is important to limit the data sent out over the internet as far as possible and to only send data that is absolutely necessary.

Echoing the advice of more than 300 scientists who recently signed an open letter about the privacy and security risks of contact-tracing technology, EFF said it is also essential for the program to sunset once the COVID-19 public health emergency is over, to ensure there will be no secondary uses that could impact personal privacy in the future. EFF also recommends that app developers operate with complete transparency and clearly explain to users what data is collected, allow users to stop pings should they wish, and let users access the RPIDs they have received and delete data from their contact history.

Further, any app must be extensively tested to ensure it functions as it should and does not have any vulnerabilities that can be exploited. Post-release, testing will need to continue to find vulnerabilities and patches and updates will need to be developed and rolled out rapidly to correct flaws that are discovered. In order for the system to work as it should, a high percentage of the population will need to be using the system, which would likely make it an attractive target for cybercriminals and nation state hacking groups. The latter are already conducting campaigns spreading disinformation about COVID-19 and are conducting cyberattacks to disrupt the COVID-19 response.

No contact tracing system is likely to be free of privacy risks, since some trade-off is inherent in this type of contact tracing, but EFF says that steps must be taken to reduce those privacy risks as far as possible. The whole system is based on trust and, if trust is undermined, the system will not be able to achieve its aims.

The post EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology appeared first on HIPAA Journal.