Getty Images

AMA, AHA Share COVID-19 Telework Guidance for Hospitals, Providers

Given the rapid increase in telework and a spike in cyber threats related to COVID-19, AMA and AHA released joint cybersecurity guidance to protect hospital and provider networks.

The American Medical Association and the American Hospital Association developed guidance for hospitals and providers on best practice cybersecurity for the remote work environment, in response to the rapid increase in cyber threats tied to the COVID-19 pandemic exploiting telework technologies.

The FBI, Microsoft, the Department of Homeland Security, and other security researchers have released a steady stream of alerts over the last month on an increase in COVID-19 fraud scams, targeted business email compromise attempts, hacking attempts of DNS routers, and a host of other threats.

The joint cybersecurity guidance from AMA and AHA is designed to help hospitals and providers strengthen their security measures to better defend against these threats that could disrupt patient care.

Ransomware attacks on the healthcare sector during the second half of 2019, forced many hospitals, dental providers, nursing facilities, and other providers offline for several days. During the Coronavirus crisis, downtime could seriously impede care.

Two COVID-19-related research firms and the website of the Champaign-Urbana Public Health District in Illinois have already been targeted with the encrypting malware in the past month.

“Amid increased reports of malicious cyber activity, some physicians and care teams are working from their homes and relying on technologies to support physical distancing measures while ensuring availability of care to those who need it,” AMA President Patrice A. Harris, MD, said in a statement.

“For physicians helping patients from their homes and using personal computers and mobile devices, the AMA and AHA have moved quickly to provide a resource with important steps to help keep a home office as resilient to viruses, malware and hackers as a medical practice or hospital,” she added.

The guidance provides insights into best practice security for home computers, including a security checklist of actions that need to be immediately taken to ensure providers’ home networks are secure.

Remote users are also encouraged to employ a Virtual Private Network (VPN): one of the most common, secure ways to remotely connect to an enterprise network. However, many popular platforms have known vulnerabilities, which many organizations have failed to patch.

Organizations should reach out to their electronic health record vendor or telehealth service provider for recommendations on VPN use or other cloud-based technologies. The guide also recommends providers employ strong authentication, limit remote access to only necessary data and systems, and ensure they’ve patched the VPN with the latest security updates.

The guidance also focuses on policy and tech measures that should be put into place to keep these systems secure, such as implementing multi-factor authentication on all personal and business accounts. Providers can also learn how to flag external emails, password policies, and enhanced email security protocols.

Providers can also find insights around defending against ransomware, which mirrors similar guidance released last month by Microsoft.

Organizations should also “establish verbal authentication procedures with a known person for any email request to change payment instructions, direct deposit information or requests for batches of sensitive data such as patient information, payment information, or W-2 information.”

“If your business is hit with fraud and a misdirected payment has occurred, you should notify your financial institution immediately,” according to the guide. “There’s a high probability of electronic fund recovery if you notify your institution within 72 hours.”

“Also, if you have cybersecurity insurance, review coverage and understand any limitations,” it continues. “Prior to suffering an incident, consider reaching out to your insurance company for references to forensics firms which may help you recover your data if needed.”

Fraud incidents should also be reported to the FBI, which will work with other agencies like DHS to help assist with the recovery process and investigation.

The guidance also focuses on phone and tablet security measures when connecting to the enterprise EHR through device apps, including settings that should be checked to ensure devices are up to date. Organizations should also check with their EHR vendor to ensure clinicians are downloading the right EHR and telemedicine apps for their environment.

Lastly, organizations will find step-by-step directions on ensuring best practice home network security, which includes a section dedicated to working with medical devices.

“Medical devices can introduce additional and significant cybersecurity risk to a physician practice or hospital— risk that must be managed because of the possible threat to patient care and patient safety,” the guide reads.

“Phishing emails can contain malware which may exploit the cyber vulnerabilities of medical devices, it adds. “Medical device cyber vulnerabilities are often exploited by cyber adversaries to launch high impact ransomware and malware attacks against physicians and hospitals.”

Organizations looking for support security documents can also turn to COVID-19 ransomware insights from Microsoft, cyber scam advice from the Office for Civil Rights, VPN cybersecurity best practices from DHS, and details on current fraud schemes from the FBI.

Next Steps

Dig Deeper on Cybersecurity strategies