Developing a HIPAA Contingency Plan in the Shadow of COVID-19

We’ve received several inquiries from our colleagues in the healthcare industry related to the increased prevalence of remote work and contingency operations. Given these uncertain times, we wanted to share a few thoughts that might help as we proceed into some new and uncomfortable realities.

Business as Usual (As Much as Possible)

We recommend minimizing any deviation from standard operating procedures. While changes may be necessary, a responsible response to a disaster or contingency situation should disrupt policies, practices, and standards as little as possible. We would discourage any "weakening" of security controls to allow for remote work or increased efficiency.

For example, eliminating the requirement for multi-factor authentication may save a few seconds in a busy day, but that trade-off is unlikely to be warranted given the security implications of such a move. Allowing staff to use personal equipment is a more difficult trade-off to measure.

Ideally, corporate hardware (along with its accompanying security controls) should be provided to staff for use at home. Some solutions, however, such as virtual desktop environments, can make this distinction less important, because patient data stays on the hosted desktop rather than on the home device. As in all things, measure risk against benefit and act accordingly.

Review Policies and Procedures

In emergency situations, it’s easy to get caught up in the moment. We’d encourage taking a moment to review and reinforce security and privacy policies. While we may be in an unfamiliar and uncomfortable situation, best practices still apply and should be followed.

Consider reviewing pertinent practices and policies with your staff to ensure they understand their roles, responsibilities, and workflows.

Watch the Perimeter

With many organizations leveraging remote access technologies such as VPNs or virtual desktop environments, we'd recommend reviewing the authentication logs for these services to ensure appropriate use. With widespread utilization of these systems, the volume of legitimate logins grows, and it becomes easier for an attacker to hide a brute-force or credential-stuffing attack in the noise.
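As an added illustration (this is not code from the original post), the following Python script shows the two patterns worth pulling out of a remote-access authentication log: one source hammering a single account (brute force) and one source cycling through many different usernames with almost all attempts failing (credential stuffing). It also flags a success that follows a flagged run of failures, which is the case that warrants an immediate look. The log format and all log lines are constructed for this example; real VPN and VDI products each have their own formats, so the regular expression would need to be adapted.

```python
"""Flag brute-force and credential-stuffing patterns in VPN authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical log line format, constructed for this example (real products differ):
# 2020-03-20T08:01:02Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a normal typo-then-success, a fast brute force that ends
# in a success, a credential-stuffing run, and a slow trickle of failures that
# stays under the rate threshold.
SAMPLE_LOG = """\
2020-03-20T08:00:05Z vpn auth user=mlee src=192.0.2.33 result=FAIL
2020-03-20T08:00:21Z vpn auth user=mlee src=192.0.2.33 result=OK
2020-03-20T08:01:02Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2020-03-20T08:01:09Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2020-03-20T08:01:15Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2020-03-20T08:01:22Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2020-03-20T08:01:30Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2020-03-20T08:01:37Z vpn auth user=jsmith src=203.0.113.7 result=OK
2020-03-20T08:02:00Z vpn auth user=alice src=198.51.100.9 result=FAIL
2020-03-20T08:02:01Z vpn auth user=bob src=198.51.100.9 result=FAIL
2020-03-20T08:02:02Z vpn auth user=carol src=198.51.100.9 result=FAIL
2020-03-20T08:02:03Z vpn auth user=dave src=198.51.100.9 result=FAIL
2020-03-20T08:02:04Z vpn auth user=erin src=198.51.100.9 result=OK
2020-03-20T08:02:05Z vpn auth user=frank src=198.51.100.9 result=FAIL
2020-03-20T08:02:06Z vpn auth user=grace src=198.51.100.9 result=FAIL
2020-03-20T08:10:00Z vpn auth user=tnguyen src=192.0.2.50 result=FAIL
2020-03-20T08:25:00Z vpn auth user=tnguyen src=192.0.2.50 result=FAIL
2020-03-20T08:40:00Z vpn auth user=tnguyen src=192.0.2.50 result=FAIL
2020-03-20T08:55:00Z vpn auth user=tnguyen src=192.0.2.50 result=FAIL
2020-03-20T09:10:00Z vpn auth user=tnguyen src=192.0.2.50 result=FAIL
"""


def parse_log(lines):
    """Return a list of (timestamp, user, src, success) tuples; skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"] == "OK"))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """(src, user) pairs with at least `threshold` failures inside any `window`."""
    fails = defaultdict(list)
    for ts, user, src, ok in events:
        if not ok:
            fails[(src, user)].append(ts)
    hits = set()
    for key, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + threshold - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= window:
                hits.add(key)
                break
    return hits


def find_credential_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Sources that tried at least `min_users` distinct accounts, mostly failing."""
    per_src = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for ts, user, src, ok in events:
        s = per_src[src]
        s["users"].add(user)
        s["total"] += 1
        if not ok:
            s["fail"] += 1
    return {
        src for src, s in per_src.items()
        if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_ratio
    }


def success_after_bruteforce(events, hits):
    """Subset of brute-force hits where the same (src, user) later logged in: likely compromise."""
    return {(src, user) for ts, user, src, ok in events if ok and (src, user) in hits}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG.splitlines())
    bf = find_bruteforce(evts)
    print("brute force:", sorted(bf))
    print("credential stuffing:", sorted(find_credential_stuffing(evts)))
    print("success after brute force:", sorted(success_after_bruteforce(evts, bf)))
```

The thresholds are starting points, not tuned values: the slow run of failures against tnguyen in the sample stays under the rate threshold, which is exactly how a patient attacker hides in a busier-than-usual log, so it is worth also reporting per-account failure counts over a day and reviewing the source addresses that are new for a given user.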

We’d also recommend taking a preemptive look at the permissions extended to your staff to ensure they are appropriate for each job role and function, since remote access tends to expose whatever an account can already reach. Finally, continue to conduct patient chart access reviews as appropriate. A pandemic is no excuse for violating need-to-know and patient privacy.

Increase Awareness

We’re already seeing increased phishing and malware activity that uses COVID-19 as a lure. With so much misinformation and uncertainty permeating our daily lives, users are desperate for details and reassurance. Attackers understand this basic human tendency and plan their attacks accordingly. We’re asking all organizations to increase their level of caution and awareness.

Prepare and Learn

It’s likely that this situation will get worse before it gets better. And even if we’re lucky and it quickly abates, it’s important to treat it as a learning experience. We recommend that all organizations continue to prepare and refine their disaster recovery and business continuity plans. Remember that human safety is the #1 goal.

Finally, when this situation is resolved (and it will be), take a moment to document lessons learned. For many of us, this is the first time that emergency contingency plans have been put into practice. While testing and tabletop exercises are critical, this real-world experience is invaluable for future planning.

As we enter uncharted waters, we ask that you take a moment to consider the long-term as well as the immediate need. We’re here for you throughout this crisis and are available to answer your questions and concerns. Stay safe, stay optimistic, and stay secure.