As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.

On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (“CISA”) and the commanding general of the U.S. Cyber Command to express their “profound concerns” that healthcare providers are “facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” which “pose an alarming risk of disrupting or undermining our public health response at this time of crisis.” The Senators urged CISA and the Cyber Command to issue guidance and provide technical resources to deter these threats.

Beyond their general call for action, the Senators offered specific measures CISA and the Cyber Command should adopt to protect healthcare providers’ data security:

  1. Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
  2. Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
  3. Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
  4. Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
  5. Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election inference issued on March 2nd.
  6. Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

On the heels of this call for action on data security, the Office for Civil Rights (“OCR”) at the U.S Department of Health and Human Services issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. In this guidance, the OCR reiterated that “it is not sufficient for a covered health care provider to require the media to mask patients’ identities when airing recorded video (such as by blurring, pixelation, or voice alteration), after the fact. Prior, express authorization from the patient is always required.” While this guidance does not break new ground, it serves as a timely reminder as newscasts focus daily on the efforts of healthcare providers to treat COVID-19 patients.

These are difficult times for healthcare providers, but even as they tackle the clinical demands of the COVID-19 pandemic, the developments discussed above demonstrate the importance of continuing to be vigilant in the enforcement of data security and privacy policies.

For more on recent privacy and cybersecurity updates for healthcare providers, check out some of our past blog posts:

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael R. Bertoncini Michael R. Bertoncini

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand…

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand the competing demands and unique challenges faced by in-house counsel. Before joining Jackson Lewis, he was responsible for all labor and employment law matters for the largest fully integrated community care hospital system in New England. Michael provides timely, practical advice that helps clients achieve their strategic goals while ensuring compliance with legal obligations.

With deep experience in a broad range of industries, Michael has a keen interest in the healthcare, higher education, museum, and arts & music sectors. He is dedicated to supporting clients in these areas, leveraging his extensive experience to address the specific challenges faced by institutions and organizations in these fields.

Michael regularly partners with clients to establish positive employee relations. In labor relations matters, he negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Michael’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He reviews and develops policies and procedures, written information security plans and integrated compliance programs to ensure his clients meet their obligations under privacy and data security laws. Michael represents clients in investigations of alleged data breaches and advises them on reporting obligations.. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.