Resources for Healthcare Organizations During COVID-19 Pandemic

As COVID-19 changes the way many healthcare organizations are operating, Intraprise Health has been compiling a list of resources that we think will be useful to your organization. Our team of cybersecurity experts has been fielding questions from clients on many of these topics. Included are links to resources ranging from securing your work-from-home workforce to newly relaxed HIPAA privacy rules and guidance from the Department of Homeland Security.

We hope you find this information useful and will continue to update this list as our team adds more resources.  

Top 10 Routinely Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

Read the alert:

https://www.us-cert.gov/ncas/alerts/aa20-133a

Statement from the ONC, CMS and HHS

April 21, 2020

Today, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS), in conjunction with the HHS Office of Inspector General (OIG) announced a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the interoperability final rules announced on March 9th in response to the coronavirus disease (COVID-19) public health emergency. ONC, CMS, and OIG will continue to monitor the implementation landscape to determine if further action is needed.

https://www.hhs.gov/about/news/2020/04/21/statements-from-onc-cms-on-interoperability-flexibilities-amid-covid19-public-health-emergency.html

 

FBI Guidance on Defending Against VTC Hijacking and Zoom-bombing

This guidance covers emerging security issues that are being uncovered in Zoom.

https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom

 

New attack on home routers sends users to spoofed sites that push malware

A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.

https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/?amp=1

Resources from SANS Security Awareness 

https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit 

This is a kit geared towards both enterprises and end users. There is a good fact sheet for end users and for enterprises, and the kit provides a strategic step-by-step guide on how to quickly execute an awareness initiative to secure your remote workforce, including how to identify what to teach your workforce, the top risks to focus on, what departments to coordinate with and how to effectively engage and communicate with your workforce. In addition, for each risk, there is a link to a library of training material.

Relaxation of the HIPAA Privacy Rule 

HealthITSecurity Magazine’s analysis of the relaxation of the Privacy Rule: 

https://healthitsecurity.com/news/hhs-issues-limited-waiver-of-hipaa-sanctions-due-to-coronavirus?eid=CXTEL000000401567&elqCampaignId=13752&utm_source=nl&utm_medium=email&utm_campaign=newsletter&elqTrackId=df60d237f9cf4e1c8a8e442e4acc9c5a&elq=4010c87731884e2eb7c35adc5f015b31&elqaid=14444&elqat=1&elqCampaignId=13752 

The key message of what’s been relaxed from the Privacy Rule: 

Under the waiver, hospitals will not be penalized for failing to comply with HIPAA requirements found in 45 CFR: 

  • the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • the requirement to honor a request to opt out of the facility directory
  • the requirement to distribute a notice of privacy practices
  • the patient’s right to request privacy restrictions
  • the patient’s right to request confidential communications

Information on enforcement for telehealth 

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html 

The Department of Homeland Security offers some good guidance for companies preparing for remote work – or telework – here:

https://www.us-cert.gov/ncas/alerts/aa20-073a 

Risk Management and the Coronavirus

https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf

March 2020  

COVID-19 & HIPAA Bulletin
Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency  

https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf 

Note the following caveats: 

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies: 

(1) in the emergency area identified in the public health emergency declaration; 

(2) to hospitals that have instituted a disaster protocol; and 

(3) for up to 72 hours from the time the hospital implements its disaster protocol. 

 When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. 

Other Resources from HHS 

The COVID-19 Public Health Emergency declaration is available at:  

https://aspr.hhs.gov/legal/PHE/Pages/default.aspx

For more information on COVID-19, please visit: https://www.coronavirus.gov  

For more information on HIPAA and Public Health, please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html  

For more information on HIPAA and Emergency Preparedness, Planning, and Response, please visit:

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html  

General information on understanding the HIPAA Privacy Rule may be found at:  

https://www.hhs.gov/hipaa/for-professionals/privacy/index.html  

For information regarding how Federal civil rights laws apply in an emergency, please visit:  

https://www.hhs.gov/civil-rights/for-individuals/special-topics/emergency-preparedness/index.html