April 28, 2020

Health Care Data Security in the COVID-19 Era

Now, more than ever, health care operations are vital, so would-be attackers know that ransom payments are more likely to be made. Adding fuel to the fire, hospitals are pushed to (or beyond) the limits of their systems, and administrators and service providers are tasked with protecting a substantially larger (and largely uncontrolled) data environment. Nevertheless, providers must still use care in protecting patient data.

Two potential vulnerability points are particularly noteworthy: temporary medical facilities, and remote workers. While necessary, the rush to provide patients with access to care has naturally resulted in a lack of proper IT infrastructure. And unsecured IoT devices – smart beds, wireless monitoring devices, etc. – along with unsecured home networks only exacerbate the problem. Where two months ago, a nefarious actor had to navigate a sophisticated security environment to access a hospital network, the same access may now be available through an unpatched wireless access point in a physician’s home office or through an unsecured computer in a temporary medical facility.

The following are just a few things for physicians and IT staff to keep in mind as we all navigate through this crisis:
  • Protect home/remote network connections to the greatest extent possible. Make sure wireless access points are appropriately encrypted, by using, for example, Wi-Fi Protected Access II (WPA2) with a pre-shared key (PSK). And never send confidential data over a public wireless network.
  • Only connect to office networks using pre-approved devices and through a virtual private network (VPN). Further, do not install any unapproved software on a device that will connect to a company VPN. Microsoft recently warned of sophisticated ransomware attacks targeting hospitals by using gateway and VPN vulnerabilities.
  • If possible, set up separate networks for your business and personal connections. Similarly, segment your network to keep IoT devices separate from other systems.
  • Set up multifactor authentication (MFA) whenever it is available.
  • When conducting virtual meetings – with patients or otherwise – use passwords and virtual “waiting rooms” to avoid eavesdropping and trolling.
  • Lock down USB ports on computers in temporary locations.
  • Check firewall and server configurations to ensure only approved ports and connection protocols are opened.
  • Make sure default passwords have been updated to strong passwords for all devices and systems, including off-site IoT devices.

And finally, nothing can replace a comprehensive business continuity and disaster recovery program. Make sure your data is backed up regularly and stored offsite in a separate and secure location. And be sure to work with your technical and legal representatives to maintain compliance with regulatory and other requirements during these trying times.

For questions or assistance relating to data privacy policies and cybersecurity, please contact a Kerr Russell attorney.

Jeffrey A. May, Detroit Legal News

Jeffrey May of Kerr Russell practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.