Getty Images
AMA Warns of Telehealth Cyber Risks, Insider Threats Tied to COVID-19
AMA sheds light on strained security resources, cyber risks, and the expanded threat landscape in the healthcare sector brought on by COVID-19, including insider threats and telehealth flaws.
Hospitals, health systems, and other providers should reassess their security posture in light of the COVID-19 pandemic, which has increased the number of cyber risks within the sector, such as telehealth flaws, insider threats, and the rise of targeted cyberattacks, according to the American Medical Association.
AMA released insights on the technology considerations these healthcare organizations should consider as the year draws to a close. Laura Hoffman, AMA assistant director of federal affairs, recently shed light on some of the biggest issues facing the sector during an AMA update on COVID-19.
As noted by a range of federal agencies and security researchers, the pandemic has burdened provider organizations, not only with patient care, but with the number of targeted cyberattacks and the expanded threat landscape brought on by telehealth and remote work.
To Hoffman, these factors have also strained security resources for a number of organizations, such as access controls and vulnerability management. As telehealth expanded, hackers also sought to take advantage of the expanded infrastructure.
“So, they see this now as an opportunity to perhaps exploit these increased use of telehealth systems and the fact that people are working in an environment that they may be less familiar with, and they are going to town in terms of trying to infiltrate different systems,” she added.
Insider threats, which have always proved problematic for the healthcare sector, have also increased during the pandemic with the rise in Ryuk ransomware attacks. As noted in a recent joint federal alert, a wave of ransomware attacks began in September and drove multiple health systems into EHR downtime procedures for extended periods of time.
The notorious Ryuk variant preys on human nature, either through an unpatched vulnerability or spear-phishing emails. The expanded workforce has amplified these cyber risks, as workforce members may be working on new-to-them technology, which may not have the same security protections as in-office equipment.
The AMA guidance is designed to support organizations, during the next wave of COVID-19 infections that will coincide with the cold and flu season.
“Cyberattacks that disrupt patient care service and pose a risk to patient safety, such as ransomware attacks, are of the greatest concern,” according to the guide. “Successful ransomware attacks can cripple a health care provider by preventing access to medical records and disabling mission critical systems, resulting in a delay of care for the patient.”
“Ransomware attacks cause an interruption and loss of revenue,” it added. “Remedying and recovering from an attack can also be very expensive. Further, attacks create legal and regulatory exposure and reputational harm.”
To AMA, the number of critical vulnerabilities found in technologies that healthcare providers are leveraging amid the pandemic response are further compounding cybersecurity risks, such as the critical flaw found in Palo Alto Virtual Private Networks (VPNs) disclosed in June.
As such, providers must improve vendor relationships and request routine updates from their health IT vendors or other security professionals to ensure the infrastructure is secure.
AMA included a list of questions for healthcare entities to ask their network security providers to bolster their cyber posture, including the use of legacy platforms, maintenance of newly added components, and the location of all protected health information within the enterprise.
Further, AMA reminded providers to ensure they’re ready to transition into full compliance with HIPAA after the Public Health Emergency declaration ends. Providers should consider entering into a business associate agreement with their telemedicine vendor, while conducting a security risk assessment of their telehealth platform, if they have not already done so.
Entities should also ask vendors about their privacy practices, including the intended data use and security protocols, while ensuring all available privacy and security tools are enabled when these platforms are in use.
“Many physicians do not realize that a telemedicine platform or application may be low-cost or free because the vendor’s business model is based on aggregating and selling patients’ data,” AMA explained. “If possible, consult with your legal team to clarify how video, audio, and other data are being captured and stored by the vendor and who has access.”
“You can also ask whether the vendor will share results of third-party security audits, including SOC 2 or HITRUST, in addition to the results of their penetration testing,” they added. “Whether you have been using telemedicine for many months or have just recently adopted the technology, we encourage you to be open with your patients about the potential privacy risks associated with use of telemedicine platforms and applications.”
The AMA previously released telework guidance in partnership with the American Hospital Association to help healthcare provider organizations bolster enterprise security amid the pandemic response.
Healthcare organizations can also review COVID-19 security insights from the H-ISAC and the Healthcare and Public Health Sector Coordinating Council, the National Security Agency, and the Department of Homeland Security for further guidance on the best ways to secure the telework, cloud, and Microsoft Office 365 environments.