The arrival of COVID-19 has created its fair share of challenges, especially within the medical community. In addition to trying to keep up while working in overrun hospitals, doctors, nurses, and medical admins also need to protect their own safety by following social distancing protocols whenever necessary. To keep up in these rapidly changing times, many medical establishments are sending their staff home to work remotely.
In addition to administrative professionals and medical billers, this remote healthcare workforce also includes many doctors and registered nurses that are staying at home helping patients via telehealth platforms. While flexibility in healthcare is important for those in need, it also creates a fair share of risk. When working out of the office, employees tend to forget about security protocols, and thus, they can unintentionally violate confidentiality guidelines.
But it doesn’t have to be all doom and gloom. Instead, organizations and health professionals can do their part to stay compliant and protect their patients by implementing proper safety procedures.
HIPAA and Data Security
Every individual that works in the healthcare field must be aware of and follow the terms listed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In essence, this act protects patients by preventing unlawful sharing of their personal information without their consent. In addition to the standard HIPAA act, there is also the HIPAA Security Rule, which stipulates that entities in the medical field must take all precautions necessary to prevent cybercrime or unlawful leakage of patient data.
If a medical professional were to even unknowingly violate the HIPAA act, it could be trouble for the establishment and the patient. The minimum fine for a doctor with a HIPAA violation is $50,000, plus any criminal penalties and possible jail time if this is found to be an abuse of power. The punishment is so steep because information that is not protected can be stolen by cyber thieves and used for malicious purposes. Even simple information like names and email addresses can be used to send phishing emails, and if a hacker gains access to a social security number, they can use it to take out large loans on behalf of the patient that could put them in serious debt.
While the observance of HIPAA guidelines is essential every day, the risks are even more substantial during 2020 and the COVID-19 pandemic. Hackers are aware that patients are flooding hospitals and engaging in telehealth sessions, and they are targeting medical establishments due to the growing pool of potential victims. What makes this situation worse is that many essential businesses and health care providers are now working from home, and hackers understand that their home networks are typically less secure than those at the office. Because of the risks, healthcare organizations and their employees need to do their part to keep patient data as secure as possible.
What The Organization Can Do
While each doctor, nurse, and medical worker must do their part to maintain patient security, the organization that they work for has the larger responsibility of setting the stage. The IT team at the office must take the time to educate themselves on the current cybersecurity climate and communicate regularly with the staff to tell them about potential threats and how to protect their systems.
All devices used by medical staff should be cleared by IT before going into use, and their systems should be monitored regularly. Even if a personal tablet or computer has been approved, organizations should educate the team about the risks of using them in public. Employees should be warned to never leave devices unattended and to avoid using unsecured Wi-Fi as hackers use man-in-the-middle attacks to create fake accounts that look authentic in hopes that users will unknowingly connect. When they do, the hacker has immediate access to their system.
Since telehealth is experiencing a major boom during these days of stay-at-home orders and social distancing, health organizations need to ensure that this avenue is secure. Recently, the Office for Civil Rights provided some leeway to medical organizations by letting them use public platforms like Zoom to conduct telehealth sessions. However, hackers can still access video conferencing software and use the information shared during these “private” sessions for malicious use. To mitigate this risk, health organizations should use the proper version of the video software and secure the correct license. One example of an approved program is Zoom for Healthcare, which has HIPAA-enabled compliance built it.
What The Individual Can Do
While working from home, employees in the health sector need to be uber-aware of how they secure their devices. One tactic that hackers use is the brute-force attack, which is a program in their arsenal that spams your accounts with potential passwords, hoping to guess the correct answer. Because you never want to lose patient data due to a weak password, ensure that yours has a difficult-to-guess combination of upper and lowercase letters, numbers, and special characters. You should update this password every couple of months and never share your credentials with others.
For extra protection, health organizations should encourage their staff to use multi-factor authentication, which is a second security measure in addition to the password. This could be a biometric measure like a fingerprint or a code provided by a key fob that changes every minute. The corporate office should also be aware of employee turnover, and any worker who is no longer employed should have their access revoked upon termination.
Finally, security agencies recommend that all remote workers are connected to a VPN (Virtual Private Network). This program will automatically encrypt all data that comes into your system and prevent hackers from using it should they gain access. A VPN will only remain secure if it is constantly maintained and updated when new versions and patches become available, so IT must keep a handle on this process.
The year 2020 has been a challenge for all of us, especially our healthcare workers. However, patient security is still a priority. Organizations should take a moment to implement these steps so the staff and patients can remain protected.