Resources for Healthcare Organizations During COVID-19 Pandemic

March 20, 2020 / April 7th, 2020

As COVID-19 changes the way many healthcare organizations are operating, Intraprise Health has begun compiling a list of resources that we think may be useful to your organization, as our team of cybersecurity experts has been fielding questions from clients on many of these topics. Links to resources on topics ranging from securing your (in many cases) newly organized work-from-home force to newly relaxed HIPAA privacy rules and guidance from the Department of Homeland Security are included.

We hope you find this information useful and will continue to update this list as our team adds more resources.  

FBI Guidance on Defending Against VTC Hijacking and Zoom-bombing

This guidance covers emerging security issues that are being uncovered in Zoom.

https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom

 

New attack on home routers sends users to spoofed sites that push malware

A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.

https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/?amp=1

Resources from SANS Security Awareness 

https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit 

This is a kit geared towards both enterprises and end users. There is a good fact sheet for end users and one for enterprises, and the kit provides a strategic step-by-step guide on how to quickly execute an awareness initiative to secure your remote workforce, including how to identify what to teach your workforce, the top risks to focus on, what departments to coordinate with, and how to effectively engage and communicate with your workforce. In addition, for each risk, there is a link to a library of training material.

Relaxation of the HIPAA Privacy Rule 

HealthITSecurity Magazine’s analysis of the relaxation of the Privacy Rule: 

https://healthitsecurity.com/news/hhs-issues-limited-waiver-of-hipaa-sanctions-due-to-coronavirus?eid=CXTEL000000401567&elqCampaignId=13752&utm_source=nl&utm_medium=email&utm_campaign=newsletter&elqTrackId=df60d237f9cf4e1c8a8e442e4acc9c5a&elq=4010c87731884e2eb7c35adc5f015b31&elqaid=14444&elqat=1&elqCampaignId=13752 

The key message of what’s been relaxed from the Privacy Rule: 

Under the waiver, hospitals will not be penalized for failing to comply with HIPAA requirements found in 45 CFR: 

  • the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • the requirement to honor a request to opt out of the facility directory
  • the requirement to distribute a notice of privacy practices
  • the patient’s right to request privacy restrictions
  • the patient’s right to request confidential communications

Information on enforcement for telehealth 

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html 

The Department of Homeland Security offers some good guidance for companies preparing for remote work (telework) here: 

https://www.us-cert.gov/ncas/alerts/aa20-073a 

Risk Management and the Coronavirus

https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf

March 2020  

COVID-19 & HIPAA Bulletin
Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency  

https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf 

Note the following caveats: 

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies: 

(1) in the emergency area identified in the public health emergency declaration; 

(2) to hospitals that have instituted a disaster protocol; and 

(3) for up to 72 hours from the time the hospital implements its disaster protocol. 

 When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. 

Other Resources from HHS 

The COVID-19 Public Health Emergency declaration is available at:  

https://www.phe.gov/emergency/news/healthactions/phe/Pages/default.aspx
For more information on COVID-19, please visit: https://www.coronavirus.gov  

For more information on HIPAA and Public Health, please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html  

For more information on HIPAA and Emergency Preparedness, Planning, and Response, please visit:

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html  

General information on understanding the HIPAA Privacy Rule may be found at:  

https://www.hhs.gov/hipaa/for-professionals/privacy/index.html  

For information regarding how Federal civil rights laws apply in an emergency, please visit:  

https://www.hhs.gov/civil-rights/for-individuals/special-topics/emergency-preparedness/index.html