In response to the COVID-19 pandemic, many health care organizations have turned to telehealth and other video-teleconferencing (VTC) platforms. VTC helps provide remote services while protecting patients and health care workers and ensuring social distancing.
The use of telehealth and VTC platforms has been recognized by the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) as a way to protect individuals during the pandemic.
As a result, HHS won’t impose penalties for Health Insurance Portability and Accountability Act (HIPAA) noncompliance when it comes to the use of VTC platforms for purposes of telehealth services.
However, the increased use of VTC platforms in telehealth has also lead to an increase in cyberattacks.
Learn more about the notice from the OCR, best practices for using VTC platforms, and how your organization can manage the cyberrisk associated with telehealth.
Notification from the OCR
The OCR released a notice allowing health care organizations to use audio and video technology to provide services during the pandemic.
Under the notice, health care providers may now use nonpublic-facing applications or video communication products including:
- Skype for Business and Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings and Webex Teams
- Amazon Chime
- Health Care Messenger
The vendors above have stated they will provide HIPAA-compliant video communication products and enter into a HIPAA business associate agreement (BAA).
Public-facing applications such as Slack, Facebook Live, Twitch, TikTok, and similar platforms are still disallowed because they’re designed to allow indiscriminate access to the communication.
VTC Best Practices
The following are some VTC best practices noted by the OCR:
- Notify patients that use of the application or VTC may introduce some privacy risks.
- Ensure the platform has enabled end-to-end encryption capabilities and privacy modes.
- Use vendors that provide a nonpublic-facing product, so only the intended parties are allowed to participate in the communication.
- Use a vendor that is considered HIPAA-compliant.
- Don’t use services without a BAA in place.
While the OCR won’t impose penalties if a BAA isn’t in place during the pandemic, it’s still good practice to ensure the vendor will protect electronic patient health information (ePHI) that traverses the system.
Due to the increased use of VTC platforms, cybercriminals are changing their attack methods and seeking innovative ways to focus on telehealth and the increased number of remote workers.
The Cybersecurity and Infrastructure Security Agency (CISA)—an operational component of the US Department of Homeland Security (DHS)—and the United Kingdom’s National Cyber Security Centre (NCSC) released Alert (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors on April 8, 2020. The alert notes the growing use of COVID-19-related themes to exploit and breach organizations. There has been an increase in phishing, malware, remote access, and teleworking infrastructure attacks.
A Bitdefender report published on March 20, 2020, showed healthcare, government, and other verticals are increasingly being targeted with malware related to the pandemic. The company detected five times more COVID-19-themed malware reports during the month of March 2020—a 475% increase in malicious COVID-19 reports from the previous month.
For more details, please see COVID-19 Can Lead to Cybersecurity Risks—Protect Your Organization and a Cybersecurity Checklist for Remote Work.
Domain Registration Increase
Cyberattackers are using new domain names to lure people into visting a site to install malware that appears to be a VTC application. For VTC platforms, researchers have found examples of new domains that include the name of a VTC vendor. For example, researchers at Check Point have seen a substantial increase in new domain registration names that include the term Zoom.
Since the beginning of the year, there have been more than 1,700 new register domains, and 25% were utilized during the last week of March.
VTC hijacking has also increased. Often, an unauthorized individual will access a meeting in-progress to troll, shock, and spread hateful messages due to use of improper settings within the VTC platform.
The FBI released a warning about the number of reported attacks and followed up with guidance on defending against them.
With the increased use of VTC, it’s important to have a BAA in place with your vendors and sound cybersecurity practices in place to help mitigate the risks accompanied by the use of these platforms.
Below are a number of steps organizations could use to ensure use of these platforms is secure and privacy is maintained:
- Don’t make meetings public.
- Require a meeting password or use the waiting room feature and control the admittance of guests.
- If possible, require multi-factor authentication when accessing the system.
- Manage screen-sharing options.
- Ensure users have the most up-to-date version of the VTC application.
- Use end-to-end encryption during communications; please note, this isn’t offered in most free versions of the software.
- Provide the link directly to the meeting invites and not on social media.
Ensure employees have been trained and cybersecurity awareness training is updated to include instructions on how to use the VTC software in addition to precautions concerning:
- Emails and files received from unknown senders
- Opening unknown attachments or clicking on links within emails
- Lookalike domains and spelling errors in emails and websites
- Sharing teleconference links on unrestricted, publicly available social media posts
Ensure that your organization’s telework policy addresses requirements for physical and information security.
We’re Here to Help
If you have any questions or concerns about telehealth cybersecurity risks, please reach out to your Moss Adams professional.
For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: