The Healthcare Sector's Struggle with Data Privacy Compliance in the Age of COVID-19
May 20th, 2020
Critical healthcare facilities and businesses are having their resilience tested as they attempt to counteract threats that stand to disrupt their systems while under extreme pressure. Bad actors are increasingly targeting valuable PHI and other critical data, taking advantage of the COVID-19 pandemic. Meanwhile, the digital footprint of the data that healthcare entities use to conduct business continues to grow alongside the many new approaches evolving in the fight to counter the pandemic.
Proposed contact-tracing and ID applications add complexity and risk to private data and PII that previously did not exist. This puts additional stress on already overwhelmed security resources across all types of healthcare entities, from hospitals to insurance providers and payment providers. When it comes to cybersecurity, all businesses in this industry need quick solutions that get them in front of the problem while providing a measure of their security policies with minimal steps and processes. There are a few considerations healthcare entities can act on now that draw on both existing data security processes and available intelligence, adding clarity for next steps, delivering near-term results, and giving them some much-needed breathing space.
IntSights recently released a comprehensive report on the state of data privacy in the healthcare sector, looking at how emerging threats compromise organizations' ability to remain compliant with various regulations amid the world's worst health crisis in a century. Download the full report here. Keep reading for recommendations on how to stay abreast of the increasingly complicated data privacy climate.
Conduct Internal Data Security Assessments
One measure healthcare organizations can take in short order is to revisit the data security practices that are already in motion or implemented as dictated by the privacy requirements they fall under. Established IT data security and audit practices can provide immediate feedback on the status of the controls already in place to protect PHI. A standard audit practice required across most security frameworks is to assess the IT estate for security hygiene; it appears in the asset management sections of both NIST and HIPAA.
A good start is to map the threat surface, determine the severity of the risk to critical data, and identify the compensating security controls that must be implemented to keep the security policy in check. Aging and budget-starved healthcare systems have a long-standing problem with un-patchable and end-of-service systems (i.e. EOL systems that no longer receive critical security patches). Two major Windows operating systems (Windows 7 and Windows Server 2008) quietly went end-of-life this past January while the world was distracted. A current inventory and assessment of such systems is invaluable for ensuring extra measures are taken while healthcare systems face an unprecedented level of risk.
Since the early days of the COVID-19 pandemic, threat intelligence has shown an increased volume and a resurgence of activity around exploits targeting zero-day and negative zero-day vulnerabilities in older systems that haven't been used in years. Any healthcare entity that still relies on business processes tied to these older systems needs to give its data security controls, or compensating controls, increased scrutiny.
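As an added illustration of the inventory step above (example code, not from the post or from IntSights), the script below reads a constructed asset inventory, flags hosts whose OS is past its end-of-support date, and ranks them by whether they hold PHI and whether a compensating control is recorded. The CSV columns and the risk ratings are assumptions for the example; the end-of-support date is the January 2020 cut-off the post refers to.

```python
"""Flag end-of-life hosts in a healthcare asset inventory (added example)."""
import csv
import io
from datetime import date

# End of extended support for Windows 7 / Windows Server 2008 (R2): 2020-01-14.
EOL_DATES = {
    "windows 7": date(2020, 1, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
}

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """hostname,os,stores_phi,compensating_control
lab-ws-01,Windows 7,yes,
radiology-srv,Windows Server 2008 R2,yes,network-segmented
billing-db,Windows Server 2016,yes,
kiosk-02,Windows 7,no,
"""


def classify(os_name, stores_phi, control, today):
    """Rate one host: 'ok' if supported, otherwise by PHI exposure and controls."""
    eol = EOL_DATES.get(os_name.strip().lower())
    if eol is None or today < eol:
        return "ok"
    if stores_phi.strip().lower() == "yes":
        # EOL and holding PHI: critical unless a compensating control exists.
        return "high" if control.strip() else "critical"
    return "medium"


def assess_inventory(csv_text, today=None):
    """Return (hostname, os, rating) for every EOL host, highest risk first."""
    today = date.fromisoformat(today) if today else date.today()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rating = classify(row["os"], row["stores_phi"],
                          row.get("compensating_control", ""), today)
        if rating != "ok":
            findings.append((row["hostname"], row["os"], rating))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f[2]])  # remediation queue order
    return findings


if __name__ == "__main__":
    for host, os_name, rating in assess_inventory(SAMPLE_INVENTORY, "2020-05-20"):
        print(f"{rating.upper():9} {host:15} {os_name}")
```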
Evaluate Third-Party Risk Throughout the Supply Chain
Extensive third-party contracts making up the supply chain are commonplace within healthcare. Most critical healthcare entities manage multiple Business Associate (BA) contracts that are essential to delivering healthcare services, and many have reactively added new BAs into the mix during the frenzy to prepare for resource demands. Third-party contracts often span the globe, introducing data privacy risk in multiple jurisdictions and exposure to multiple data privacy laws.
The recent threat environment presents security implications that could threaten, disrupt, and damage existing and new BA contracts with healthcare providers across the entire vertical. It could also affect security controls around technology, jeopardizing both physical and information security. Moreover, at a time of heightened security threats, many third-party contracts in place have not been scrutinized to the degree necessary, and healthcare entities need to understand the extended supply chain to determine whether any of the administrative, business, or technical controls protecting them are at risk.
A quick security audit of existing third-party and BA contracts helps ensure healthcare organizations have basic security controls in place to counter the increased threats. Reviewing the HIPAA Security Rule and noting its cybersecurity recommendations provides initial guidance on how effective those controls are and a sense of the overall security posture of a provider's extended business. Many of these third parties, such as information providers, now have home-based staff as the world economy operates remotely, another factor to take into account when auditing the threat surface. Regulatory and data privacy concerns need to be acknowledged and addressed so the business does not unknowingly accept increased data liability.
Understand Potential Liability Against Data Privacy Laws
Take a second look at your risk, or potential liability, under existing data privacy and regulatory laws. People are working from home in record numbers, and in order to do their jobs they may be required, or may choose, to transfer IP, PII, and PHI to local drives to be processed on their private computers. This, in and of itself, has implications under multiple data security regulations (HIPAA, PCI DSS) as well as jurisdictional privacy laws, most notably the GDPR and the CCPA.
The HHS OCR (the governing body of the HIPAA HITRUST healthcare regulation) has relaxed a few measures pertaining to the Security Rule during the pandemic, but it has not abandoned enforcement of the requirements by any stretch. There is still a very pressing need to ensure the security of critical data such as PHI. Even under increased pressure, we cannot afford to relax regulatory requirements around data privacy. Measuring the business against a data security standard or framework to get a temperature reading on data security and existing controls can help confirm that the organization is still well positioned to combat the increased threats and resource requirements of this pressing time.
To learn more about the state of data privacy in the healthcare sector as the COVID-19 pandemic increases risk, download our report, Health Scare: Data Privacy Concerns in the Age of COVID-19.
Christopher Strand is the Chief Compliance Officer at IntSights. As CCO, he is responsible for leading the global security risk and compliance business, helping companies bridge the gap between cybersecurity and regulatory cyber-compliance. Chris has more than 20 years of subject matter expertise in information technology and security audit assessment, and he specializes in developing enterprise security platforms and markets within hyper-growth organizations. Prior to joining IntSights, Chris launched and led the cyber-compliance business at Carbon Black (acquired by VMware), and has held leadership and compliance specialist roles at other flagship security companies such as RSA, Trustwave, and Tripwire.