Cybersecurity and Working Virtually During the Pandemic

Since the beginning of the COVID-19 pandemic, practices started transitioning staff to work from home. Those now working virtually include administrators, clinical staff, schedulers and billing staff.

Have you ensured that your patient data is not at risk? Practices allowing staff to work virtually are typically using a Secure Network Connection (SSL) or Virtual Private Network (VPN) to ensure patient information is encrypted. Yet not all Secure Connections are created equally. Before the pandemic, remote technologies were required to fully comply with the requirements of the HIPAA Rules (HIPAA Privacy, Security and Breach Notification Rules).

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recently announced that they will use discretion for enforcement of the rules and not impose penalties for noncompliance as practices provide telehealth services during this public health emergency. That discretion will be applied to practices who are assessing or treating any evaluation, not just those specifically related to COVID-19. You can find the most current information from OCR regarding telehealth and HIPAA at www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html.

With the relaxation of enforcement, practices must continue to assess their own risk for cybersecurity incidents. Hackers have identified the opportunity and are taking advantage to gain entry to your systems – from potentially posing as the CDC to get financial information or even posting links behind coronavirus tracking maps to install malware to your network.

Practices need to communicate with staff who are working virtually to take extra precautions, including reminding them to:

• Keep passwords for Secure links and VPN safe – not to leave them in cars on paper, on unlocked devices or taped to the wall behind your video screen. Staff should also use unexpected passwords and not something easily guessed like Password123.
• Not click on email attachments or links unless they are confident in the source. There have been “phishing” emails with attached COVID-19 maps circulating that have viruses contained in the attached map.
• Not move information (especially patient information) off the applicable system and on to a desktop for work. Staff need to continue to work in the encrypted environment.
• Try to make the exposure of protected health information (PHI) as limited as possible to other members of the household when performing your function in a remote setting.

Practices should also work with their IT professionals and Internet providers to ensure that you have taken all measures to lessen any threats.