The Office of Civil Rights (OCR) recently released a list of privacy and security resources to help healthcare organizations secure their systems and prevent HIPAA violations. These resources help organizations detect, respond to, and prevent security threats.

Ever since the coronavirus outbreak, there has been an increase in the number of cybersecurity threats in the healthcare sector. Cybercriminals are taking advantage of the pandemic and the increase in work-at-home orders to target VPNs (Virtual Private Networks) and PPE (personal protective equipment) procurement for financial gain and other malicious intent.

They’re also leveraging fraud schemes and human-operated ransomware to attack providers. According to OCR, healthcare providers must use free guidance and resources to protect themselves against these attacks.

Steps to take to prevent cyberattacks

First, healthcare providers need to review the 2017 OCR guidance released after the massive WannaCry cyberattack. It provides a detailed description of how to respond to malicious cyberattacks such as ransomware.

Some of the steps mentioned in the guidance are:

  • Reporting any cybersecurity incidents to law enforcement agencies
  • Launching mitigation and response procedures among other contingency plans
  • Reporting any breaches to OCR
  • Sharing cybersecurity threat indicators with information-sharing and analysis organizations

Second, organizations need to review the FBI phishing insights released in April. The agency warned medical providers that cybercriminals are targeting organizations with phishing attacks amid the pandemic.

Some of the insights available include:

  • Updating and patching software, e.g., medical transcription software
  • Training and educating staff on phishing attacks
  • Reinforcing security measures, e.g., turning off automatic downloads for email attachments

The FBI’s Internet Crime Complaint Center also gave insights on the rise in extortion scams in the past few months. These scams pressure new victims into sending money, as more people are using computers due to the shelter-in-place orders.

Third, healthcare providers should also check out the National Security Agency's telework guidance for assessments of videoconferencing platforms and other related security precautions. During the coronavirus crisis, the Department of Health and Human Services has expanded the use of acceptable telehealth platforms. Hence, organizations need to secure these temporary measures from unauthorized access.

Reviewing HC3 white paper guidelines

OCR recommends that all healthcare organizations review the HHS Health Sector Cybersecurity Coordination Center (HC3) guidance on threats to online collaboration tools, medical transcription, and videoconferencing, as their use has increased amid the COVID-19 crisis. This has led to an increase in cyberattacks.

HC3 can help organizations identify successful exploitations and threats, as well as ways to mitigate and recover from them. Research shows that healthcare providers can’t ignore cyberattacks on online tools, as they can adversely affect telehealth and telemedicine services.

COVID-19 related cyber threats

Due to the spike in cybersecurity attacks amid the crisis, HC3 also released insights on COVID-19 related cyber threats. These include fake coronavirus maps, WHO impersonation phishing attacks, nation-state disinformation campaigns, and coronavirus-related domains.

Lastly, providers should review OCR cybersecurity guidance, including potential ransomware and HIPAA violations. In response to the increase in cyber threats, the American Hospital Association and American Medical Association also released telework guidance.