Cyberthreats during the Coronavirus (COVID-19) Pandemic

By: Matthew Baker, Director of Information Security

Disclaimer: As this situation is evolving daily, MagMutual recommends reviewing the latest guidelines for the most current information. Visit the MagMutual COVID-19 Resource Center to learn more.

Cybercriminals will leverage almost any major news item to further their schemes, and the coronavirus pandemic is no different. In fact, the immense scope of this event may give rise to an unprecedented wave of cyberattacks, fraud attempts, ransomware and data thefts. The last thing any healthcare provider needs at this time is to divert focus to cybersecurity-related matters, or to be impacted by them. Thankfully, understanding the form the new threats are likely to take and applying long-standing and commonsense security protocols can keep you and your organization protected. Here are some things to watch for.

Decoy coronavirus websites.

In recent days, well over 1,500 new website names containing the terms "coronavirus" or "covid-19" have been created. While many of these may be legitimate, some are being created for use in illicit schemes. Be wary of unsolicited emails with links to sites that claim to help those impacted medically or economically by COVID-19, that advertise vendors with surplus PPE, that announce therapeutic breakthroughs, and the like. Rely only on information disseminated by the most well-established, trusted organizations and authorities, such as federal and state health agencies, medical associations and the CDC. Stick to what you know and trust.

Telework/telehealth scams.

In the coming weeks, you may receive emails containing links that claim to be for joining valid virtual meetings or telehealth sessions, but are in fact dangerous. You and your staff should remain vigilant for this threat, which can be very hard to spot. Generally, if a meeting link (revealed by hovering before clicking) is very long or otherwise looks different from what you are accustomed to, it may be malicious. Give heavy preference to links that are already contained within meeting invites on your calendar, or that are established directly from your telehealth software, over anything that arrives via email.

Personal device security.

The flight to quarantine has driven many healthcare professionals to use personal resources such as home networks, personal computers or home printers to perform their job duties. The Department of Health and Human Services, Office of Civil Rights recently relaxed requirements for telehealth sessions, and they may yet go further to balance the need for patient privacy against the need to quickly and efficiently deliver health services. Regardless, patient privacy must remain a primary concern, and your staff should avoid any action that risks violating a patient's privacy. Staff should use work-issued equipment whenever possible. If that is not possible, perform a quick, commonsense review before using personal devices for patient care or business operations (e.g., "is my staff connected directly via secure web connection to my cloud-based EMR, and are they advised not to save any patient data locally to their personal machine?"). Any materials printed at home should be disposed of in the same secure manner as in the office.

This is a highly turbulent and uncertain time. Your focus, as always, must be on providing effective, quality care for your patients. Despite the likelihood of an increase in cyberthreats, you and your staff can remain secure if you are skeptical of unusual emails or texts, and if you remain mindful of patient privacy.



The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.