[BreachExchange] 5 things for CISOs to know amid COVID-19 pandemic

Destry Winant destry at riskbasedsecurity.com
Fri Apr 10 10:21:30 EDT 2020


Hospital executives, chief information security officers among them,
are working day and night to keep staff safe and to update operations
to combat the COVID-19 pandemic.

Here are five things for CISOs to know:

1. The explosion of telehealth has put a strain on remote access
technologies, Mitch Parker, CISO of Indianapolis-based Indiana
University Health, told InfoRisk Today. CISOs must also pay close
attention to emerging medical device security issues, including new
ventilators being put into stockpiles. Privacy and security challenges
may also emerge as hospitals transition to paper records in field

2. Microsoft has warned dozens of hospitals of vulnerabilities that
would let an attacker exploit their networks in a ransomware attack.
The vulnerabilities are in the virtual private network (VPN)
appliances that hospitals rely on as some of their staff work
remotely. Additionally, the popular videoconferencing platform Zoom is
struggling to manage the dramatic influx of users and the resulting
privacy issues as the COVID-19 pandemic drives more people to work
remotely. The FBI has issued a warning on videoconferencing
hijacking, prompted by incidents on the Zoom

3. Many COVID-19-themed cyberattacks have been targeting hospitals and
consumers. HHS alerted hospitals and health systems that someone is
posing as an Office for Civil Rights investigator to obtain patient
health information. The Internal Revenue Service is warning consumers
of a spike in phishing scams related to the coronavirus stimulus
payments. According to the agency, attackers are emailing taxpayers
asking for their financial information and Social Security numbers in
order to send them their "stimulus check". Phony websites claiming to
sell COVID-19 vaccines have also popped up, along with phishing
emails carrying malicious links to COVID-19 maps.

4. President Donald Trump announced March 17 that his administration
would be relaxing HIPAA guidelines. Under the relaxed HIPAA
regulations, hospitals don't need to obtain a patient's permission to
speak with family members or friends involved in the patient's care.
Additionally, hospitals do not need to comply with the requirement to
honor a request to opt out of the facility directory. Hospitals and
other HIPAA-covered entities should only share COVID-19 information
for public health and health oversight activities. HHS has also said
it would not enforce HIPAA penalties for potential violations.

5. In line with the relaxed HIPAA guidelines, the HHS Office for Civil
Rights announced April 2 that it would not penalize hospitals or their
business associates for disclosing COVID-19-related protected health
information. Hospitals are also permitted to share a limited amount of
protected health information about patients who have been diagnosed
with or exposed to COVID-19 with law enforcement, paramedics and other first
