FAQ – Breach Management (COVID-19)
March 13, 2020
What should IT security professionals consider regarding the impact of COVID-19 on breach activity and the types of breaches reported to HHS in 2020?
- The number of telecommuters may result in security and privacy mistakes occurring in caregivers’ home environments. PHI may be exported to unsecured USB drives, confidential information could be available, unnoticed, to family members sharing the “work at home” computer, and home networks may not be secure.
- Some healthcare workers may snoop in the electronic health/medical record to learn who has the COVID-19 virus.
- Given the current crisis, there is a good chance that closely examining audit logs has become a lesser priority. Subsequent breaches may not be detected promptly.
- Stressful environments are always prone to mistakes. Emergency department (ED) staff may be exhausted. Some healthcare professionals have volunteered to help work in the ED and may not know proper/standard procedures.
- Hackers are increasing their activities, using fake news sources, stories, and maps for finding virus hot spots to dupe (stressed) workers into making a mistake that opens a door for them to get inside the network/system/application.
- Makeshift tent hospital conditions should be addressed in a department/hospital policy or documented for future reference and compliance with emergency procedures.
More employees are working from home amid the COVID-19 crisis. How can healthcare entities do a better job in terms of preventing and detecting insider breaches that occur from employees’ home access to patient data?
Random audits of the daily activities of telecommuters could be informative from a data privacy/security perspective as well as for evaluating their productivity.
Any advice or observations in terms of preventing, detecting, and responding to breaches that involve particularly sensitive patient information?
- It is imperative for organizations to conduct ongoing internal phishing campaigns to test the susceptibility of the workforce to phishing attacks and provide the necessary follow-up training.
- The trend now is for ransomware to exfiltrate data first and then encrypt.
- By exfiltrating data first, the criminals can demand a ransom payment in exchange for not publishing sensitive information on the internet.
- Using SSL inspection on some outbound communications can help detect covert channels that may be used by criminals to exfiltrate data.