Sikov - stock.adobe.com

OCR Shares COVID-19 Privacy and Security Threat Resources

In response to the increase in COVID-19-related cyber threats, OCR released a list of privacy and security resources to help providers bolster their defenses and prevent HIPAA violations.

The Office for Civil Rights issued a list of COVID-19-related cyber threat resources for covered healthcare providers to help the sector best prevent, detect, respond, and recover from privacy and security threats.

In the past few months, there’s been an increase in targeted attacks against the healthcare sector, with threat actors taking advantage of the pandemic and the increase in remote work. From targeting Virtual Private Networks (VPNs) and personal protective equipment (PPE) procurement, to leveraging human-operated ransomware and fraud schemes, providers are at a heightened risk for attack amid the crisis.

For OCR, it’s imperative healthcare providers lean on free resources and guidance, as “cybercriminals may take advantage of the current COVID-19 global pandemic for their own financial gain or other malicious motives.”

To start, organizations should review OCR guidance released following the massive WannaCry cyberattack in 2017. The insights provide step-by-step instructions for responding to a successful ransomware attack or other malicious cyberattacks.

These steps include launching response and mitigation procedures and other contingency plans, reporting incidents to law enforcement agencies, sharing cyber threat indicators with federal and information-sharing and analysis organizations (ISAOs), and reporting breaches to OCR.

Healthcare organizations should also review FBI phishing insights for the healthcare sector. Released in April, the agency warned cybercriminals are targeting medical providers with targeted phishing attacks amid the crisis.

The FBI insights include the need for reinforce phishing education with staff, updating and patching all software, and other security necessities, such as turning off the option to automatically download attachments in email platforms.

The agency’s Internet Crime Complaint Center also shed light on a spike in extortion scams tied to the Coronavirus. The insights review ways hackers are modifying phishing lures “because large swaths of the population are staying at home and likely using the computer more than usual, scammers may use this opportunity to find new victims and pressure them into sending money.”

Organizations are also urged to review National Security Agency telework guidance, which includes assessments of the various videoconferencing platforms and related security measures.

Given the Department of Health and Human Services expanded the use of acceptable telehealth platforms during the COVID-19 crisis, providers will need to ensure these temporary measures are secured from unwanted access.

OCR also recommends the review of a recent HHS Health Sector Cybersecurity Coordination Center (HC3) white paper on threats to videoconferencing and online collaboration tools. Use of these platforms has skyrocketed amid the crisis, leading to an increase in malicious activity.

Organizations can find and overview of threats and successful exploitations, as well as recommended mitigations and remediations.

“The existing threats to videoconference technologies creates many potential issues when left unresolved,” researchers wrote. “Disruption of real-time communications can affect telemedicine and telehealth services as well as prevent collaboration of medical expertise in a timely manner.”

“Several mitigations are necessary for healthcare and public health organizations to protect their stakeholders from harm while using these critically important applications,” they continued.

HC3 also released insights into COVID-19-related cyber threats, including Coronavirus-related domains, fake Coronavirus maps and watering hole attacks, and nation-state disinformation campaigns. OCR released similar insights following the an increase in phishing attacks impersonating the World Health Organization.

Lastly, organizations should review a complete list of OCR cybersecurity guidance material, which includes a list of potential HIPAA violations amid the pandemic, ransomware guidance, the NIST cybersecurity framework, and access to OCR’s cyber awareness newsletters.

The American Medical Association and the American Hospital Association have also released telework guidance in recent weeks, while the Department of Homeland Security provided cloud and Microsoft O365 insights, in response to the increased cyber threats sparked by COVID-19.

Next Steps

Dig Deeper on Cybersecurity strategies