Cybersecurity During COVID-19

Health Care Industry Targeted in Cyberattacks

Hackers are taking advantage of the COVID-19 pandemic’s increased burden on the healthcare system and the increased focus on providing telehealth services; your ophthalmic practice’s IT system may be vulnerable.

Health care organizations, including hospital systems, were targeted with cyberattacks as the Trump administration released the COVID-19 emergency declaration:

• Health and Human Services Secretary Alex Azar reported that hackers attempted to access the federal agency’s network on March 15, even as workers struggled to respond to the coronavirus pandemic. The attack overloaded the agency’s servers with millions of hits over several hours but did not succeed in breaching the system, according to agency officials.
• Health and Human Services also issued a warning (PDF) last week to avoid a malicious website about a fake live map for COVID-19. When users visited the website, it infected their computers and systems with a program that can steal sensitive data. Here is the link to the real John's Hopkins University coronavirus (COVID-19) outbreak map. 
• There are also phishing scams claiming to be COVID-19 updates from prominent medical institutions and employers. They fool users into clicking on a link, which then steals your data from fake login screens that capture user credentials.
• Hackers also succeeded in infecting the Illinois-based Champaign-Urbana Public Health District’s website with ransomware.

With the increased focus on providing telehealth services, your ophthalmic practice’s IT system may also be vulnerable. Practices need to monitor who has access to sensitive data on their internal and external electronic health record systems.

Exercise caution when opening emails from outside organizations even if they may seem reputable. Information on how to identify e-mail phishing and ransomware attacks can be found in the Health Industry Cybersecurity Practices (PDF) guidelines provided by the Department of Health and Human Services.

The Academy advises training your staff on how to spot suspicious electronic communications and doing an annual security risk analysis of electronic health records and other secure systems.

Remember, do not install multiple anti-virus applications because it can slow down the system and reduce the effectiveness of the software.

Cybersecurity Overview

Viruses, malware and hackers pose a threat to patients and physician practices. The Academy has curated resources and has tips for physicians and health care staff to protect patient health records and other data from cyberattacks. The HIPAA Security Rule requires practices to conduct a security risk analysis and mediate any identified risks.

Prepare for Cyberthreats

• Securing Your Wireless Network. Federal Trade Commission
• Security Risk Analysis, American Academy of Ophthalmology
• Health Industry Cybersecurity Practices (PDF). Overview of threats and 10 cybersecurity recommendations. Department of Health & Human Services.
• Health Industry Cybersecurity Practices, Technical Volume 1: Cybersecurity Recommendations for Small Health Care Organizations (PDF). How to implement cybersecurity recommendations. HHS.
• Cybersecurity Tips, Jeffrey Daigrepont, senior vice president of the Coker Group.
  

Respond to Cyberattacks

• My entity just experienced a cyber-attack! What do we do now? (PDF) HHS Office of Civil Rights
• Cyber-Attack Quick Response Infographic, HHS Office of Civil Rights

Anti-Virus Software

Anti-virus protection is important to protecting your practice’s data. The Academy has curated a list of trusted products below.

Important: Do NOT install multiple anti-viruses. Most products (like Windows Defender) will stop running when another product is installed. Others may still run but will slow down the system and reduce the effectiveness of each anti-virus product.

Mac:

• Kaspersky Security Cloud Free
• Bitdefender Antivirus Free Edition

PC:

• Kaspersky Security Cloud Free
• Bitdefender Antivirus Free Edition
• Windows Defender (built-in with Windows 10)
• PCMag: The Best Free Antivirus Protection for 2020 (free versions)
• PCMag: The Best Antivirus Protection for 2020 (paid versions)

Train Yourself and Your Staff

The Academy has identified a few free cybersecurity training options below.

• HIPAA TV, Healthcare Cybersecurity Training
• HHS Cybersecurity Awareness Training
  Description: Cybersecurity awareness training leveraged by HHS employees, contractors, interns, and others.
• HHS, Your Mobile Device and Health Information Privacy and Security 

Videos From the Academy

• Cybersecurity and Ways to Protect Your Practice, Jeffery Daigrepont and Marissa Maldonado discuss risks and ways to protect the practice.
• Protect Patients, Practice, and Profits from Ransomware, By Renee C Bovelle MD, Lee A Snyder MD
• Ransomware 101—Hackers Are Trying to Take Your Practice Data Hostage, Written counterpart. Leslie Burling-Phillips, Contributing Writer, interviewing Janet A. Betchkal MD, Jeffery Daigrepont, EFMP, CMPE, and Ravi D. Goel, MD
• Cybersecurity 101: Protecting Your Medical Records, video of Ravi D. Goel, MD

Cyber Liability

Ophthalmology Mutual Insurance Co.

• Cyber Liability Resources (some resources require an OMIC password)

Info From the AMA - Physician Cybersecurity Resources

The AMA has also developed tips and advice on protecting your computers and network to keep your patient health records and other data safe from cyberattacks.

Download and share with your staff and IT:

• How to improve your cybersecurity practices (PDF)
• Cybersecurity checklist for office computers (PDF)
• Protect your practice and your patients from cybersecurity threats (PDF)