When Will COVID-19-Related Scams Show Up on Breach Tally?
Ransomware Attacks Recently Added to Health Data Breach Tally Predated the Virus Surge
… “I think it will be a long time before COVID-19-related incidents appear on the HHS website,” predicts Tom Walsh, president of consulting firm tw-Security. “Hospitals are trying to cope with the influx of patients, setting up tent hospitals and COVID-19 testing stations outside of the hospital building. Those efforts require IT resources. Running audit reports or investigating security alerts are a lower priority.”
… “Some people may have mistaken the ‘HIPAA waivers’ announced by HHS as a ‘hall pass,’” meaning that HIPAA compliance has been suspended. “That’s not true,” he says.
… While OCR could potentially suspend its HIPAA enforcement efforts – such as investigations and penalties – during the crisis, “HIPAA compliance is still expected,” he adds.
Walsh adds that at a recent webinar he hosted for Kansas hospitals, the most frequently asked questions were: “Do I still have to report breaches to the OCR?” (yes), and “Do the waivers mean that we can temporarily suspend HIPAA compliance?” (no).
… “Closed practices may be at some risk for attacks,” Walsh says. “Because the practice is on ‘hiatus’ – no one is closely watching the shop. For example, staff could be doing some work from home, but may be using their personally owned equipment, which may lack the security controls typically found on the workstations within the practice.”
… For those working at home, forwarding email, printing documents and using unencrypted mobile storage devices for PHI pose risks, Walsh adds.
“Members of the same household may use the same computer/laptop as the telecommuter for online school assignments or other personal reasons,” potentially putting PHI at risk, Walsh says.