Healthcare data security in the times of COVID-19

Healthcare data security in the times of COVID-19

July 2, 2020

Inga Shugalo

Healthcare Analyst

The coronavirus has hit the majority of countries, with only some island nations and well-isolated areas reporting no cases.

WHO COVID-19 statistics, June 2020

Those who suffered the pandemic’s blow gather their resources and try to manage the situation by reducing its negative effects. In this turbulent time, international cooperation has reached an impressive scale, bringing together doctors, businesses, healthcare software developers, and researchers to pursue the common goal.

To allow much needed clinical research, governments have softened the intricate data security policies and let researchers share COVID-19-related information without delays. The same goes for doctors, who can now rapidly share patient information to streamline care delivery and get better outcomes faster. That’s great, isn’t it? Well, it would be if it weren’t for malicious actors that may exploit the situation to gain profit. But first things first.

COVID-19 data privacy approaches globally

We’ve studied the COVID-19 driven data protection tactics used worldwide and identified three key approaches to data privacy accepted in different parts of the world.

Asia: common good over privacy

The first to face the outbreak, Asian countries had no second thoughts regarding privacy when it came to ensuring the health of the community. Thus, in China, authorities track geolocation via mobile phones to monitor infected people, their adherence to quarantine measures, and their contacts. The data is not anonymized, so practically this boils down to tracking people without their explicit consent. Though this use of technologies raises some ethical questions, Harvard Business Review reports that countries in East Asia did manage to slow the spread of the virus through digital contact tracing.

However, not all Asian countries took this path. There’s a different way of using geospatial tech for fighting the coronavirus in the region.

Singapore launched TraceTogether, an app that tracks and logs data about people potentially exposed to the virus within the two-meter distance. The good news is that the app doesn’t need geolocation or any other personal information. Here’s how it works:

The EU & UK: temporary privacy limits

Amid the pandemic, European countries couldn’t do without forgoing some privacy either. The key European document covering individuals’ right to privacy—the General Data Protection Regulation (GDPR)—still applies but it does allow governments and employers to access and process personal health data when it comes to the significant public interest, for example, for leveraging preventive medicine. However, the legislators state that each case when the need for personal data is in question should be revised individually. Besides, the needed data shouldn’t necessarily involve any personal information. How so?

For example, if an employee spent their vacation overseas shortly before the lockdown, the employer needs to know where they went in order to protect themselves and their staff timely. To get the needed information, they could just ask if the employee traveled to any risk zone.

However, there is another way to get reliable evidence of citizens’ location. For this matter, European governments closely cooperate with local telecom companies to get anonymized mobile data on users’ movements for further analysis and research. This approach helps keep users’ privacy intact while staying informed and ready for emergencies.

Germany took a step further and introduced their own COVID-19 Notification Regulation. To abide by this law, clinicians should report every coronavirus case to the authorities. This means they have to provide a whole set of personal and health data for the officials in charge to process and analyze it.

Though the measure above doesn’t violate users’ privacy, human rights activists and groups do express their concerns about the potential impact of advanced surveillance and tracking.

The US: privacy partly waived

With over 2.5 million detected cases and the death toll passing 125K as of June 2020, the US remains the leader in terms of recorded COVID-19 cases.

US coronavirus statistics

To stop the spread of the virus and control it, the country has implemented diverse measures. The US favors social distancing covering five levels of various severity, from restaurant operation limits and the ban of large gatherings to the stay-home order and the state of emergency. The latter was declared all across the country on March 11.

While social distancing helps limit COVID-19 transmission, it does nothing to address the needs of those already infected. Therefore, the federal government took another step and adopted the Families First Coronavirus Response Act, which guarantees COVID-19 testing and treatment with no cost sharing regardless of the insurance plan. This means that US citizens don’t need to reimburse these costs from their own pockets.

Other valuable health policy actions include expanded telehealth access in the majority of states and the nation-wide Section 1135 Waiver. This waiver permits certain non-compliance with some healthcare-specific legislation. This is how it works.

In the state of emergency, the US Secretary of Health and Human Services (HHS) may waive or modify certain requirements of the key healthcare documents and acts such as Medicare, Medicaid, Children’s Health Insurance Program (CHIP), and Health Insurance Portability and Accountability Act (HIPAA) to ensure that sufficient healthcare items and services are at hand to cover the needs of the individuals enrolled in Social Security Act (SSA) programs. The providers of such services who are unable to comply with certain statutory requirements are reimbursed and exempted from sanctions for non-compliance if they act honestly and sincerely. Obviously, this is not the case for instances of fraud or abuse; those are prosecuted.

You might wonder why policymakers go for such drastic measures given the continuous fight for healthcare data security. The reasons are simple: time and the greater good. For example, a healthcare facility is not fully compliant with HIPAA at the moment but the doctors there still have to deal with coronavirus patients. They might need to look into patients’ medical histories as well as to review the best practices applied to patients of the same demographics on a global scale. In such cases, waiting for HIPAA certification may cost lives. So doctors from HIPAA-compliant hospitals cross fingers and send the data to the non-compliant provider to help save lives. The same approach applies to information sharing for research purposes.

Learn how to protect your sensitive data

Let's talk

A pitfall to mind

Exposing location to officials is not the only concern over health-related data sharing. There is another and far more dangerous trap—malicious hackers who might wish to grab unsafely stored or processed personal health information to make a profit. According to the 2019 Trustwave Global Security Report, a single personal health record may hit $250 on the black market, which is 25 times higher than the price of credit card information.

However, securing data transmission is not enough, as there are other potential entry points that hackers may use. One of them is corporate email. This is a classic door for phishing and spoofing as well as ransomware attacks. Zscaler, an infosec company, reported a 30,000% increase in these attacks in March-May 2020. What’s more, 85% of phishing attacks targeted employees working remotely. Another disturbing fact is that according to the IBM 2019 Cost of Data Breach report, healthcare makes the most expensive industry in this regard, with breach costs climbing up to $6.45 million.

So are there any data security tips to follow?

Fighting cyber threats during the pandemic

To fight the cyber threats successfully, you’ll need to take a multi-lateral approach covering three key areas: employees, your digital environment, and outer threats. We’ll start with employees.

Securing the perimeter

According to the 2020 Cost of Insider Threats Global Report by Ponemon Institute, 62% of security threats happen due to employee negligence, and only 14% of them are committed by malicious actors. This data suggest two clear routes for preventing insider threats:

  • Training employees to curb negligence. This doesn’t involve any complex infosec training but is more like teaching good practices about timely software updates, safe storage of credentials, and careful email management. Being vigilant about incoming emails may help your medical and administrative staff detect phishing and spoofing. Every suspicious email should be reported to the system administrators. It may also be a good idea to run a mock phishing attack and check if the employees learned the lesson.
  • Practicing emergency response. Employees should have a clear-cut plan for dealing with cyber-emergencies, and orchestrating their response is a worthy effort. You can practice a mock attack with infosec practitioners. Here is a typical action plan if the attack happens: the first ones to face it should try to contain the infection disabling the network. If the malware has got in and breaks out in your digital environment, the employees should disable the network and disconnect all devices from the infected machines. In any case, the employees should immediately contact the assigned IT specialists who will run the recovery operation. The backup and restore algorithms should also be prepared in advance.

Securing communication channels

Given that sharing confidential information is standard practice in a healthcare setting, ensuring data security is a top priority. However, with softer data protection policies in place, healthcare facilities try to provide care as urgently as possible, without due preparations security-wise. Sadly, the consequences can be bitter.

This was the case with using Zoom, a globally recognized teleconferencing tool, as a telehealth solution. It was discovered that the platform had troubling security issues, such as unreliable encryption, the ability to share data with untrusted third parties, and other. Besides, using common-purpose tools for telehealth is not the only way to deploy the technology fast.

Augusta University Health (AU Health), a university clinic from Georgia, quickly refocused its direct-to-consumer platform launched in March 2020 and transformed it into a virtual screening tool that became a key element in their COVID-19 response strategy. This tool help AU Health extend their reach covering Georgia and South Carolina in their entirety.

Striving to ensure seamless and safe communication between medical professionals and patients, you don’t need to limit yourself to telemedicine. Just take a look at mobile healthcare solutions ensuring quality doctor-patient and employee-to-employee communication, or the use of blockchain in healthcare. With smart contracts, data transmission security can be enhanced significantly.

Securing IoMT devices

Healthcare IoT powers remote patient monitoring, facilitates chronic condition management, and helps save lives in case some indexes fall or rise to their recognized limit values. At the same time, IoMT devices need to be monitored and protected from malware and vicious actors, both outsiders and insiders.

Unfortunately, IoMT devices are very vulnerable, as healthcare facility staff rarely perceives them as electronic devices that might store PHI. In their report Clinical Connectivity: Just the Facts, CyberMDX states that over 60% of these devices are exposed to some risks. What are they?

First of all, medical devices don’t require any authorization, which means that virtually any person can access the device and take out personally identifiable information (PII) or health information (PHI) either by accident or intentionally.

What’s more, not many hospitals provide network segmentation. IoMT tools usually connect to hospital Wi-Fi, just like any doctor, patient, or visitor. Besides, if a vicious actor connects to the network with their device, the damage may spread over all connected digital systems within the organization.

In addition, medical devices rely on legacy systems, which complicates patching and updates. In their 2020 Vision report, CyberMDX notes that 22% of all typical Windows devices found in hospitals are vulnerable to BlueKeep, a Microsoft Remote Desktop Protocol hazard, because of the lack of relevant patching. If we extrapolate the data to all medical devices running on Windows, the percentage only increases.

Regular security testing and timely updates, and all other practices of enterprise network management are the answers to this imminent threat. IoMT devices need vulnerability assessments for access controls and unauthorized use of data stored on devices or transmitted to an external recipient.

Protection from outer threats

No matter how well-trained and loyal employees are, some security threats are just out of their reach as managing them well requires advanced training. To shield your systems from external threats, you need to employ cybersecurity consultants.

They not only assess your digital environment for vulnerabilities but also continuously monitor the latest security trends, data breaches, and viruses. Besides, they offer penetration testing when their ethical hackers try to break into the system. They also draft actionable recommendations for patching vulnerabilities. All of the above allows you to address the discovered vulnerabilities and seal potential entry points in advance, thus preventing actual attacks.

To crown it all

In the times of a global pandemic, nothing is more important than human life and wellbeing. The security of healthcare data is an integral part of both, so governments all across the globe try to ensure it in one way or another. However, in extreme situations, individuals’ privacy is often forgone for the good of the majority. Exploiting this opportunity, malicious actors won’t hesitate to attack healthcare practices and research facilities, steal patient data, and demand ransom.

In this case, healthcare facilities have to take data protection in their own hands. We hope our recommendations on fighting cyber threats in a healthcare setting will be of help.