EXECUTIVE SUMMARY

Online threats to patient privacy are increasing as healthcare organizations rely more on technology to interact with patients. Scammers are looking for new opportunities.

  • The learning curve for using new technology creates opportunities for hackers.
  • Increased use of geolocation services also creates a risk.
  • Risk managers should remind employees of best practices for online security.

Scammers are using the COVID-19 pandemic as cover for increased online threats to patient privacy. Covered entities and business associates should pay more attention to the technological threats that could lead to a Health Insurance Portability and Accountability Act (HIPAA) breach.

There is a higher risk of online threats to privacy while the healthcare industry responds to COVID-19, says Gonzalo Raposo, technology manager at Globant, a digital security consulting company in San Diego.

“Due to the nature of this virus, providers and professionals, in general, are relying more on technology in order to keep their businesses running. For many of them, this will be a new experience with an associated learning curve, which can be used as a target for online threats,” he says. “Unfortunately, we’ve already seen popular conferencing applications suffer from online threats and be banned by some companies as a tool for their internal communication, as a way of preventing a security breach.”

There is another threat that can be exploited and is related to geolocation information collected from mobile devices, Raposo says. Information about people’s location can be shared and distributed without explicit consent to obtain precise information for epidemiological models that could help make better decisions around resources, social distancing, mandatory quarantine, and related concerns.

“In the rush of having solutions implemented in record time, mistakes can be made and security holes can be found that can lead to accessing private information,” he says. “An example of that kind of threat may arise from the recent collaboration project that two major mobile companies just announced. Aiming to help to minimize contagions and keep infected or exposed people isolated, they are creating a solution to automatically — without user consent — interchange private information through Bluetooth technology to be notified when the person has been physically exposed to someone who has been tested positive for the virus.”

Alert Employees to Risk

Risk managers should remind employees that malicious actors are using this pandemic as an opportunity to exploit people and systems, says Madeline H. Gitomer, JD, senior associate with Hogan Lovells in Washington, DC. Covered entities should remain vigilant in identifying these types of attacks and educate their workforce to ensure they are aware of the most common types of attacks, she says.

In addition, as covered entities approach the provision of care in new ways, they should continue to evaluate the privacy and security practices of their vendors and appropriately train their employees on how to use new technologies and services.

“Covered entities are facing two related challenges: being strapped for resources and providing care in new ways. We’ve heard from covered entities that privacy- and security-focused professionals are overextended as they address emerging threats and serve in additional roles during the pandemic,” she says. “Other covered entities are conducting business remotely, which introduces new challenges.”

Many covered entities are being asked to share information in ways they have not shared before, such as for public health oversight, she says. “All of these changes can affect how a covered entity approaches HIPAA compliance,” she says. “This may mean putting in place new processes to account for these new practices.”

Any time the internet is used, the risk of threats to patient privacy is increased, says Gevik Nalbandian, vice president of software engineering with NextGate, a technology consulting company in Monrovia, CA. There is no doubt that healthcare organizations are using the internet more.

“These risks can be mitigated and in many cases eliminated if the appropriate tools and procedures are used. In certain cases, covered entities may have to educate their patients on safe internet use practices,” he says. “Allowing doctors and physicians to use widely available and often free software to conduct virtual visits reveals just how ill-founded the restrictions are and vastly expands the number of practices that can incorporate telemedicine.”

SOURCES

  • Madeline H. Gitomer, JD, Senior Associate, Hogan Lovells, Washington, DC. Phone: (202) 637-3625. Email: madeline.gitomer@hoganlovells.com.
  • Gevik Nalbandian, Vice President, Software Engineering, NextGate, Monrovia, CA. Phone: (626) 376-4100.
  • Gonzalo Raposo, Technology Manager, Globant, San Diego. Phone: (877) 215-5230.