As COVID-19 changes the way many healthcare organizations are operating, Intraprise Health has been compiling a list of resources that we think will be useful to your organization. Our team of cybersecurity experts has been fielding questions from clients on many of these topics. Links to resources such as securing your work from home force, to newly relaxed HIPAA privacy rules and guidance from the Department of Homeland Security are included.
We hope you find this information useful and will continue to update this list as our team adds more resources.
Top 10 Routinely Exploited Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.
Read the alert:
https://www.us-cert.gov/ncas/alerts/aa20-133a
Statement from the ONC, CMS and HHS
April 21, 2020
Today, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS), in conjunction with the HHS Office of Inspector General (OIG), announced a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the interoperability final rules announced on March 9th in response to the coronavirus disease (COVID-19) public health emergency. ONC, CMS, and OIG will continue to monitor the implementation landscape to determine if further action is needed.
https://www.hhs.gov/about/news/2020/04/21/statements-from-onc-cms-on-interoperability-flexibilities-amid-covid19-public-health-emergency.html
FBI Guidance on Defending Against VTC Hijacking and Zoom-bombing
This guidance covers emerging security issues that are being uncovered in Zoom.
https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom
New attack on home routers sends users to spoofed sites that push malware
A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.
Resources from SANS Security Awareness
https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit
This is a kit geared towards both enterprises and end users. There is a good fact sheet for end users and one for enterprises, and the kit provides a strategic step-by-step guide on how to quickly execute an awareness initiative to secure your remote workforce, including how to identify what to teach your workforce, the top risks to focus on, which departments to coordinate with, and how to effectively engage and communicate with your workforce. In addition, for each risk, there is a link to a library of training material.
Relaxation of the HIPAA Privacy Rule
HealthITSecurity Magazine’s analysis of the relaxation of the Privacy Rule:
The key message of what’s been relaxed from the Privacy Rule:
Under the waiver, hospitals will not be penalized for failing to comply with HIPAA requirements found in 45 CFR:
- the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- the requirement to honor a request to opt out of the facility directory
- the requirement to distribute a notice of privacy practices
- the patient’s right to request privacy restrictions
- the patient’s right to request confidential communications
Information on enforcement for telehealth
The Department of Homeland Security offers some good guidance for companies preparing remote work – or telework – here:
https://www.us-cert.gov/ncas/alerts/aa20-073a
Risk Management and the Coronavirus
March 2020
COVID-19 & HIPAA Bulletin
Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency
https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
Note the following caveats:
The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies:
(1) in the emergency area identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
Other Resources from HHS
The COVID-19 Public Health Emergency declaration is available at:
https://aspr.hhs.gov/legal/PHE/Pages/default.aspx
For more information on COVID-19, please visit: https://www.coronavirus.gov
For more information on HIPAA and Public Health, please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html
For more information on HIPAA and Emergency Preparedness, Planning, and Response, please visit:
https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html
General information on understanding the HIPAA Privacy Rule may be found at:
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
For information regarding how Federal civil rights laws apply in an emergency, please visit:
https://www.hhs.gov/civil-rights/for-individuals/special-topics/emergency-preparedness/index.html