
The post-COVID economy: Data protection concerns and vulnerabilities


By Christopher Strand
Chief Compliance Officer, IntSights

As measures are implemented to deal with the COVID-19 pandemic, companies need to remain vigilant to new security threats targeting the personal health information (PHI) of customers and employees. In addition, with the rollout of new vaccines triggering an accelerated opening of the general economy and with many jurisdictions emerging from lockdown, there are a host of new and existing guidelines and regulations that companies may be required to follow during the transition period to a post-COVID world.

In many cases, businesses may find themselves collecting personal health information on customers or employees for the first time ever. These organizations may not be aware of the regulatory requirements associated with the many data protection laws and privacy regulations in place to protect patient health data, such as the United States’ federal Health Insurance Portability and Accountability Act (HIPAA). While HIPAA is not formalized in Asia, healthcare organizations and governments look to HIPAA for its guidelines when re-evaluating their security measures and data protection strategies. HIPAA includes data protection rules that cover healthcare organizations as well as their business associates (including third-party vendors), so that potential channels for breaches are covered.

As air travel begins to resume for some countries in ASEAN, passengers who are traveling are subjected to a Polymerase Chain Reaction (PCR) test, and test results will have to be submitted through government institutions and airlines. With the reopening of non-essential services in the region, premises owners, for example those in Singapore, are encouraged to collect customer and employee data to enhance contact tracing efforts. While these efforts are good for battling the virus, they expose businesses to more targeted data breaches.


As employees return to the corporate office after months of working from home, employers in some industries are engaging in a variety of activities that involve the collection of health data, whether that means requiring a negative test prior to returning to work, making employees answer pre-entry health-related questionnaires, or conducting at-work testing, screening or temperature checks.

As part of a coordinated exit strategy from the pandemic, the ASEAN Comprehensive Recovery Framework details one of its broad strategies as accelerating inclusive digital transformation. This strategy aims for businesses to adapt and embrace digital tools to boost productivity, efficiency and quality of goods and services. However, the increasing use of digital technology does not come without challenges, and businesses must always stay vigilant, as these tools are the gateways through which attackers with malicious intent infiltrate their systems.

PHI Data on the Move Creates Vulnerabilities

Another area of concern centres around employees who might have protected health information (PHI) on their devices as part of their job. In this scenario, hackers attack the home network and steal the data that’s on the device. Or they hack into an employee’s remote office and use that beachhead to launch attacks on the corporate network.

When employees shifted to a work-from-home scenario last March, cybercriminals took notice. The rise in remote work provided cybercriminals with a greater opportunity to hack into networks via phishing, or by guessing or stealing log-in credentials.

According to researchers at ESET, there was a nearly 800% increase in Remote Desktop Protocol (RDP) attacks in 2020, as cybercriminals attempted to exploit remote workers. RDP attacks target the Microsoft protocol that enables users to gain remote access to Windows machines. These attacks can be used to infiltrate corporate networks to steal sensitive data, and to deploy ransomware attacks.


Now, companies are moving to a model where employees shift back and forth between home office and corporate office. This hybrid situation creates additional security concerns. There is now more PHI data on the move between different locations. And that data is now on multiple devices, including personal systems. For example, an employee could bring an infected machine from home into the office and connect to the corporate network.

This increased portability can lead to more options for cybercriminals to stage attacks such as RDP and VNC (Virtual Network Computing) exploits; data ransomware attacks in which criminals both steal PHI data for re-sale and use PHI data to increase business liability and force ransomware payments; and data spoofing, where data requests are created in bulk based on user information obtained on the dark web.

The Bottom Line

With non-healthcare businesses collecting PHI-related data for the first time, there is more valuable PHI data available to hackers than ever before, as well as more opportunities to access and consolidate PHI data from different sources. With the increase of data breaches in the health sector, governments are implementing more penalties on companies that fail to comply with industry standards.

This means companies need to get up to speed on the regulatory implications of collecting PHI data; they need to factor in PHI protection when formulating rules regarding the testing of employees as they return to the corporate office; they need to identify the security threats associated with employees returning to the office; and they need to make sure to protect against these new threats.

ABOUT THE AUTHOR
Christopher Strand is the Chief Compliance Officer at IntSights. As CCO, he is responsible for leading the global security risk and compliance business, helping companies bridge the gap between cybersecurity and regulatory cyber-compliance. Chris has more than 20 years of subject matter expertise in information technology and security audit assessment, and he specializes in developing enterprise security platforms and markets within hyper-growth organizations. Prior to joining IntSights, Chris launched and led the cyber-compliance business at Carbon Black (acquired by VMware), and has held leadership and compliance specialist roles at other flagship security companies such as RSA, Trustwave, and Tripwire.
