The CyberPHIx Roundup: Industry News & Trends, 4/16/20

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders at Meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx. CYBERPHIX.  

 

Brian Selfridge: [00:00:33] So let's dive into this week's episode. We've got a lot to talk about. It would be remiss of us to not start with some Covid related updates. I don't want to dominate the conversation with that. So be ready for it. But I will talk about some HIPAA exceptions that have been put in place related to the Covid-19, Coronavirus, outbreak, and related services. So the first of which is telehealth exceptions. So HHS has announced that there are permitted exceptions for video conferencing, wherein you no longer have to worry about the HIPAA compliant "nature of the video conferencing capabilities." So some of the examples that OCR and HHS provided were Apple face time, Facebook message or video chat, Google Hangouts and Skype, as examples of technologies that are appropriate, are now waived for HIPAA compliance for the near term. I'm sure they'll revoke that back at some point. 

 

Brian Selfridge: [00:01:31] But they did point out that there are some public-facing applications that are not permitted for use for telehealth. And that includes, they point out specifically, Facebook Live, Twitch, Tiktok, and other similar applications. So keep in mind that there are some boundaries to that and make sure that your teams are following that guidance accordingly. They also put in some exceptions for disclosures to first responders. So E.M.S. folks or police and personnel that will be deployed out to residences and to deal with situations. So they said it's permitted to share information that a patient or an individual may have Coronavirus so that the E.M.S. first responders can take appropriate precautions. But you can only do that on a per-call basis. You're not allowed to post a list of Covid patients in the area, either internally to the team or publicly. It's got to be on a case-by-case basis and a call-by-call basis. And they're also permitted to inform the police if they're being sent to a residence of a Covid patient, that the police can be made aware of that if they are dispatched via 911 to make sure they take appropriate precautions. 

 

Brian Selfridge: [00:02:43] Now, they've also noted that you no longer need a patient's consent to consult with family members about Covid situations. So, providers will be able to speak directly with family members without having to check with the patient first to speak about the condition of the patient or other things along those lines, if it's Covid related. They also waived the requirement for the distribution of notice of privacy practices during this time period. So if you're going to be doing telehealth or otherwise, you don't have to provide a notice of privacy practices or have that in physical, this obviously wouldn't work very well, or virtual capacity. So that requirement is waived for the near term. And then they said the HIPAA waivers are only applicable, all these waivers I guess, are only applicable for areas that are declared emergency areas or hospitals that have instituted a disaster protocol. So they said the waiver is valid for only 72 hours after the disaster protocol has been instituted. So this is not a forever waiver. These are not these are just temporary exemptions that will at some point be revoked. But important to be aware of. So we don't have security, compliance, and others holding up the care and treatment of Covid related situations. So that's a quick rundown of the HIPAA exceptions. I think, hopefully, some helpful information is there for you. If you weren't aware of all those nuances.  

 

Brian Selfridge: [00:04:06] The second issue that we're going to talk about in this quick roundup today is also around screen sharing, videoconferencing and some of these Zoom security issues that came up over the last couple of weeks, where I suspect you may you may have heard of it, but we'll talk about it in some more detail. Where Zoom, the video conference provider, was having issues called Zoom bombing, where pranksters and others were joining meetings that they were not supposed to be in just by guessing the number of the Zoom meeting or the I.D.s or joining sessions and posting nasty material or otherwise listening in or getting involved in meetings that they shouldn't. So Zoom has implemented a host of changes on the security front, both to their interface as well as their capabilities to help make securing the Zoom sessions more possible and more appropriate. So some of the things they've done are requiring meeting passwords by default and providing some capabilities for enabling waiting rooms to allow people to come in. So the general industry consensus from the clients that I've worked with and evaluated this is not to run away from Zoom at this point. I don't think it's that serious, you know, but do put in place and make use of those security protocols that are available. For example, make sure you're requiring passwords for entry to the meeting. And the passwords are often embedded in the link that you put in your invites. So it's not like everybody has to type in a password. It'll auto-click through. It's not a huge nuisance but will prevent the pranksters and random people from just jumping in if they don't have access to that password. You also want to enable the "join before host" option, which allows people to get into meetings that haven't actually been started by the host and keep that from being chewed up by unauthorized people. Also, enable the waiting room requirements, so the host has to sort of see who's coming in and say, yes, I want this person to come in, or I don't if they don't know who they are. So some pretty easy tweaks there to put some guidance out for your teams if you are using Zoom. Make sure that there is some education around turning those controls on. But, of course, do your own risk analysis and review available video conferencing applications. There's Microsoft Teams, there's Skype. There's a whole bunch of stuff out there. If for some reason, Zoom is too scary or it introduces risks, then, by all means, use something else. So I wanted to highlight that issue. But overall, I think that is not a show-stopper, as long as those controls are in place. 

 

Brian Selfridge: [00:06:37] The last set of topics I'm going to talk about, I guess you could think of it that way, is some of the conversations we're having with our clients around, how do we make sure that the information security function is continuing to move forward and maintain continuity in the middle of the Covid crisis. So while everyone's sort of appropriately stopping and putting out the fires and taking the time to have that sort of all hands on deck, especially in provider settings, to make sure that remote access is working and telehealth is secure and all those things that the security team is going to go around and deal with. There's still sort of the day job that we have here in the information security risk programs to take care of protecting patient information, protecting the organization. And the bad guys have not slowed down. I could do a whole segment on this, but in the interest of time, I won't. Essentially, there's been an uptick in malicious attacks, both from a phishing perspective, ransomware perspective. Now, some of the ransomware folks groups said when this first broke, the Covid stuff, they said we're not going to attack healthcare providers. We're gonna take a break and make sure that the global healthcare system is able to focus on treating the pandemic. That would seem very kind and chivalrous of the bad guys. Turns out they didn't do that. The same group that issued a statement is out attacking people again this week and even going specifically after hospitals that are in high-impact zones. So, so much for the chivalry and honor of thieves not panning out so much. So the attacks are increasing. They're not letting up. The regulators are still here. They're providing some laxity in some areas. We talked about that a second ago, but still gotta get your HIPAA risk analysis done. Right. Still got to work on remediation. Still have to do things like maintaining security certifications if that's applicable for you. Those requirements don't go away. And the potential for a breach event is just as real, if not more than it ever has been. 

 

Brian Selfridge: [00:08:37] So some of the suggestions that we have for organizations that are trying to figure out how to maintain balance, they say a foot and two boats, right, you're just sort of balancing the Covid stuff and then your day job. One recommendation is to leverage managed services. So a lot of the managed services providers, whether it's SOC/NOC, Network Security Operations Providers, are still humming along just as usual. They're built for these types of remote, large-scale situations. That's how the businesses work. Or firms like our sister company, Coral Technologies, that ties vendor security risk management, managed services are still plugging along, high-octane going right along. So if you have any MSSPs or managed service providers, tap into them and get them working on your behalf. If you can either increase the scope of what they're doing or just keep them moving or basically give them more stuff to do while you're focused on coping, you can potentially get some more support without having your team have to spend as much time doing some of these things. Also, we're seeing organizations look to leverage staff augmentation, bringing in some temporary remote workers and specialists that can help move some of the remediation and projects along that might be not getting the attention right now, especially projects that don't require things like interface with the I.T. and the network teams and stakeholders that are going to be super busy right now. But for example, standing up your cloud security assessment models or cloud security program or doing things that are a little more strategic in nature or things along those lines can be done, while getting some extra arms and legs and help to do that in the near term, while your team is busy with other things.  

 

Brian Selfridge: [00:10:22] Another thing is to make sure not to lose sight of enterprise risk assessments. The HHS and OCR still have expectations that you could be doing. Your annual enterprise risk assessments. You're going to be following up on risk analysis and remediation activities. If you're going to be tracking those and just make sure that you have a plan to chip away at some of that and have a defensible position heading into later in the year, next year, when Covid stuff relaxes and all of a sudden we haven't made progress and we have some exposure there. Also, organizations are looking at their incident response capabilities a little harder. So while we're all in the middle of a very big incident response situation, the likelihood of us having a security incident is still very high, a ransomware attack, malware incidents hacker attack is all very possible, if not probable. So make sure that you're able to think through scenarios of how would we deal with incident response during Covid, while everybody is running different places, while everybody's at home and working remotely. So running through some tabletop exercises; can take a couple of hours or a half a day. Well worth the investment to figure out if you're prepared to deal with a cybersecurity incident in conjunction with the Covid stuff. I'm not sure everybody has a handle on that. We've seen a lot of organizations trying to figure that out. And then, investing in your team, making sure that you know, the stress levels that are high right now, that the team is not getting overloaded and able to have support like forums, communication activities, educational resources to help them manage their stress and well-being, so that not only during the crisis, that they can continue to function effectively, but also following it, that they'll be firing on all cylinders and able to keep up with all of the work that will be necessary when things get back to "normal." There's going to be a lot of work to do and a lot of stuff that's been sitting idle that's going to need to ramp up. It's going to be stressful just to be playing catch up. So making sure we take care of our people is really important during this time. 

 

Brian Selfridge: [00:12:26] And then the last point is just the security certifications, SOC 2, certain attestations and certifications, and HITRUST certifications. While HITRUST has put out some extensions and some leniency for delaying some of the submission of HITRUST certification materials and requirements, it's not really substantive to the point where you can really sort of let those projects slide. So if those are in scope for you, make sure to pay attention to those and continue remediation, as well as just keeping your eye on any overall enterprise remediation. So those are some areas that organizations are looking at during this mess. We'll keep providing updates every week or two on how this is moving. I know it changes day to day, so we'll try to keep you posted. 

 

Brian Selfridge: [00:13:13] But that's all for this session of the CyberPHIx healthcare security roundup. Hopefully, this has been informative, and we want to hear from you if you want to talk about any of this or if you have any questions or have any comments related to the stuff we've covered here. Just reach out to us at [email protected]. So long and thanks for everything you do to keep our healthcare systems and organizations safe.