Cybersecurity During the COVID-19 Pandemic
Patients with cardiovascular disease are at an increased risk of severe illness from the COVID-19 virus (CDC, 2020). In the face of a pandemic, Americans had to change the way they live their lives by following the Centers for Disease Control and Prevention (CDC) guidelines to mitigate the spread of the virus and protect the public. The Centers for Medicare and Medicaid Services implemented changes to make telehealth more accessible during the pandemic by paying physicians the same rate for telehealth services as they do for in-person visits; the patient does not need to have an existing relationship with the telehealth physician. Physicians licensed in one state are allowed to see patients in different states (Zarefsky, 2020). These restrictions have led to an increase in the use of online services not only for shopping and day-to-day needs, but have also led to the increased use of telehealth to meet patients' needs (CDC, 2020).
Along with the increase in telehealth use, health care cybersecurity breaches increased by 50% in the first half of 2020, with 132 reported attacks on network servers, electronic medical record systems, emails and computers (Bobo, 2020). The increase in the number of cybersecurity attacks affects providers and puts patients' data at risk. Six Russian military intelligence officers conducted the costliest cyberattack in history, collecting $1 billion in ransom from the Heritage Valley Health System in PA, and two other U.S. targets (Mallain, 2020). Recently, the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Bureau of Investigation & the Department of Health and Human Services (HHS) issued an alert to the health care and public health sectors regarding the increase in ransomware activities and provided them with mitigations and ransomware best practices (CISA, 2020, Oct. 28).
Among the recommended ransomware best practices: regular backup of critical data such as medical records, telehealth, and telework infrastructure; house the backups offline; use multi-factor authentication; regularly change account and network passwords and avoid reusing passwords for different accounts; set antivirus and anti-malware solutions to conduct automatic scanning and updates; avoid using passwords based on personal information; consider using longest password or passphrase when possible; use different passwords on different accounts; consider using a password manager program; avoid using public computers and public Wi-Fi to access sensitive accounts; keep the operating system, browser and software up to date; and use caution with email attachments and links. HHS (HHS, 2020) provides cybersecurity guidance for Health Insurance Portability and Accountability Act compliance. For more information about security tips please visit the CISA website. In today's technical world with the ongoing pandemic, keeping our patients safe includes routine attention to cybersecurity. Following the controls defined in the regulations increases security significantly and helps to reduce ransomware risk.
This article is authored by Heba Sadaka, RN, MSN, BSN, CNE, Assistant Professor of Nursing at the University of Arkansas at Little Rock; Elizabeth Lee, PhD, APRN, ACNS-BC, CNE, Associate Professor of Nursing at the University of Arkansas at Little Rock; and Veysel Erdag, PhD, CISM, CISA, CISSP, CCIE-Security.
Centers for Disease Control and Prevention. (2020, November 2). People with certain medical conditions. https://www.cdc.gov/coronavirus/2019-ncov/need-extra-precautions/people-with-medical-conditions.html
Zarefsky, M. (2020, August 26). 5 huge ways the pandemic has changed telemedicine. https://www.ama-assn.org/practice-management/digital/5-huge-ways-pandemic-has-changed-telemedicine
Bobo, B. (2020, October 21). COVID-19 and health care cybersecurity: How to protect practices and patient data. https://www.medicaleconomics.com/view/covid-19-and-cybersecurity-protect-practices-and-patient-data
Cybersecurity & Infrastructure Security Agency. (202, October 28). Ransomware activity targeting the healthcare and public health sector. https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Cybersecurity & Infrastructure Security Agency. (2019). Security tip (ST04-002). https://us-cert.cisa.gov/ncas/tips/ST04-002#:~:text=According%20to%20NIST%20guidance%2C%20you,64%20characters)%20when%20you%20can.
Mallin, A. (2020, October 19). DOJ announces charges against 6 Russian military officers allegedly involved in hacking, malware operations: Officials called the operations "the most destructive and costly" in history. https://abcnews.go.com/Politics/doj-announces-charges-russian-gru-officers-allegedly-involved/story?id=73698190
U.S. Department of Health and Human Services. (2020, August 25). Cyber security guidance material. Retrieved December 1, 2020 from https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html