HIPAA Journal – Cybersecurity guidance for physicians working from home

Highlights from the HIPAA Journal

From the April 13th Newsletter

The American Medical Association (AMA) and the American Hospital Association (AHA) have issued joint cybersecurity guidance for physicians working from home due to the COVID-19 pandemic to help them secure their computers, mobile devices, and home networks and safely provide remote care to patients.

  • Physicians can access patient health information from their mobile devices, but must be aware of the cyber threats this exposes them to.
  • The AMA and AHA both recommend using a virtual private network (VPN) when accessing their Electronic Health Record (EHR) system and other data repositories.

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies.

  • In these scams, the attackers impersonate brokers and vendors of goods and services. They use email addresses that are nearly identical to the legitimate broker's or seller's address and request payment for the goods and services by wire transfer. Usually these addresses differ by only one or two letters from the address the recipient is familiar with.
  • The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake.
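As an added example, not part of the newsletter or the FBI alert: a simple check a mail-filtering or finance team could run on the From: address of a payment request, comparing it against a list of known vendor addresses and flagging any address that is within one or two edits of a known one but not identical to it. The vendor addresses below are constructed placeholders.

```python
# Added example: flag sender addresses that differ from a known vendor
# address by only one or two characters, the pattern described in the
# FBI warning about PPE payment scams. The vendor list is constructed.
from email.utils import parseaddr
from typing import List, Tuple

# Constructed allowlist of known broker/vendor addresses (placeholders).
KNOWN_VENDORS = [
    "orders@medsupply-example.com",
    "billing@ppebroker-example.com",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(header_from: str, known: List[str] = KNOWN_VENDORS,
                 max_dist: int = 2) -> Tuple[str, str, int]:
    """Classify a From: header value against the known vendor addresses.

    Returns (verdict, closest_known, distance) where verdict is
    'match' (exact known address), 'lookalike' (within max_dist edits of
    a known address but not equal) or 'unknown' (no close match).
    """
    # Strip any display name, e.g. 'PPE Broker <orders@...>' -> 'orders@...'
    addr = parseaddr(header_from)[1].strip().lower()
    best, best_d = "", None
    for k in known:
        d = levenshtein(addr, k.lower())
        if best_d is None or d < best_d:
            best, best_d = k, d
    if best_d == 0:
        return "match", best, 0
    if best_d is not None and best_d <= max_dist:
        return "lookalike", best, best_d
    return "unknown", best, best_d if best_d is not None else -1
```

A 'lookalike' verdict on a wire-transfer request is the cue to confirm the payment details with the vendor through a previously known phone number rather than by replying to the email.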

Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ.

  • Healthcare providers with fewer than 500 employees are key targets for the gangs, with these organizations accounting for 70% of all successful healthcare ransomware attacks since 2016.
  • Victims are more likely to pay the ransom to avoid the costly downtime an attack often causes; when the ransom is not paid, it can take several weeks for an organization to fully recover.
  • 16% of healthcare victims have reported they paid the ransom to obtain the keys to unlock their files. The report suggests the average ransom payment in those attacks was $59,000.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020.
    • An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology as a result of a response to a phishing email.
  • The Sparks, NV orthodontics practice, Andrews Braces, has experienced a ransomware attack that resulted in the encryption of patient data.
    • The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom.
  • The Saint Francis Ministries health system has announced that the email account of one of its employees was accessed by an unauthorized individual, who may have obtained patient information.
    • It was not possible to tell if the attacker accessed emails containing patient information or downloaded any email data, but no reports have been received to suggest any patient information has been misused.
  • Hartford Healthcare, a healthcare network serving patients in Connecticut and Rhode Island, announced on April 13, 2020 that it has been the victim of a phishing attack.
    • Hartford Healthcare said 2,651 patients have been affected and are now being notified.

We understand the unique and challenging aspects of IT in the Healthcare space