Healthcare Breaches Rise Amid COVID-19
With the rapid increase in providers that offer telehealth, the healthcare industry has seen a dramatic rise in data breaches. A recent report released by McAfee found that the growth in businesses using cloud services (e.g. Zoom, Microsoft Teams, Slack) during the COVID-19 pandemic has led to a 630% increase in cloud service breaches. With many healthcare organizations relying on cloud services to provide telehealth to patients, providers must be vigilant in their efforts to secure patient data.
Identity industry expert Eve Maler stated, “The data is, unfortunately, getting worse for the first quarter of 2020, and the healthcare industry is once again a big target. Over 50 percent of the data breaches so far in 2020 have been for the healthcare industry.”
She went on to say, “Healthcare records are so attractive to cybercriminals because, if you think about it, it’s physical data. It’s digital data. It’s data about your body. It’s data about where you live. It’s your date of birth — very valuable information.”
How to Prevent Healthcare Breaches
With the increase in healthcare breaches, the National Security Agency (NSA) has released cybersecurity guidance for telehealth providers.
The NSA recommends that telehealth providers consider the following before choosing a cloud platform to use for their practice:
- Does the service implement end-to-end encryption (E2EE)? E2EE encrypts data on the sender's device and decrypts it only on the recipient's device, so that no one in between, including the service provider, can read it. It is important that the cloud services used offer true E2EE to secure protected health information (PHI). As Zoom's use surged, it emerged that the company was using a loose definition of E2EE: although data was not viewable by outside parties, Zoom itself still had access to it.
- Does the service use multi-factor authentication (MFA) for user authentication? MFA can prevent weak or stolen passwords alone from being used to access user accounts. It combines a username and password with another unique login credential (e.g., security questions, a one-time PIN).
- Are sessions password protected? The service should allow organizers to limit access to sessions to only those who are invited by prompting patients to provide a password to access a telehealth session.
- Can users securely delete data from the service? Users should use a service that affords them the opportunity to delete content such as shared files and chat sessions. The service should allow users to permanently remove accounts that are no longer used.
- Have employees been trained on the proper use of cloud platforms? A major contributing factor to healthcare breaches is a lack of employee training. Employees must be trained on the proper use of cloud platforms before using them.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individual.