Federal regulators are alerting healthcare organizations about an array of coronavirus-themed cyberthreats. They are also advising those organizations to avoid potential HIPAA privacy violations involving unauthorized disclosures of patient information to news outlets during the COVID-19 crisis.
On Monday, the Department of Health and Human Services’ Office for Civil Rights issued guidance compiling a list of resources to help organizations “detect, prevent, respond and recover” from a surge of coronavirus-themed cyberthreats, ranging from ransomware and other types of extortion to phishing and attacks on video conferencing technology platforms.
“Cybercriminals may take advantage of the current COVID-19 global pandemic for their own financial gain or other malicious motives,” OCR notes in a statement. With the increase in COVID-19-related malicious activity, OCR is encouraging HIPAA covered entities and business associates to review the resources.
For example, OCR highlights materials from the National Security Agency that include criteria to consider when selecting an online collaboration tool as well as information on how to use these tools securely, especially as more employees work from home.
OCR also advises entities to tap recent materials from the HHS Health Sector Cybersecurity Coordination Center, or HC3, outlining ways video conference tools, such as Zoom and Cisco WebEx, could be exploited and recommendations to mitigate these issues.
OCR’s collection of resources also includes materials from HC3 outlining other cyberthreats facing healthcare organizations during the COVID-19 crisis, including phishing scams, fake coronavirus domains and websites containing malware, ransomware, and others.
On Wednesday, OCR re-issued an announcement released earlier by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Center warning about password spraying attacks by advanced persistent threat groups on institutions conducting COVID-19 medical research (see Alert: APT Groups Targeting COVID-19 Researchers).
Be Aware
With resources stretched during the COVID-19 crisis, healthcare organizations and their workforces are particularly vulnerable to coronavirus-themed malicious cyber activities, some experts note.
“Criminals exploit fear and uncertainty by tempting people to open phishing emails or click on pop-up ads about COVID-19,” notes independent privacy and security attorney Paul Hales.
The rise in the use of telemedicine also creates potential risks, he adds. “I worry that providers using telehealth for the first time will make inadvertent errors that expose patients and themselves to identity theft, ransomware attacks and other criminal activity,” he says.
Source: GovInfoSecurity