By Christopher Strand
Chief Compliance Officer, IntSights
As measures are implemented to deal with the COVID-19 pandemic, companies need to remain vigilant to new security threats targeting the personal health information (PHI) of customers and employees. In addition, with the rollout of new vaccines triggering an accelerated opening of the general economy and with many jurisdictions emerging from lockdown, there are a host of new and existing guidelines and regulations that companies may be required to follow during the transition period to a post-COVID world.
In many cases, businesses may find themselves collecting personal health information on customers or employees for the first time ever. These organizations may not be aware of the regulatory requirements associated with the many data protection laws and privacy regulations in place to protect patient health data, such as the United States’ federal Health Insurance Portability and Accountability Act (HIPAA). While HIPAA is not formalized in Asia, healthcare organizations and governments look to HIPAA for guidance when re-evaluating their security measures and data protection strategies. HIPAA’s data protection rules cover healthcare organizations as well as their business associates (including third-party vendors), so that potential channels for breaches are covered.
As air travel begins to resume for some countries in ASEAN, passengers who are traveling are subjected to a Polymerase Chain Reaction (PCR) test, and test results will have to be submitted through government institutions and airlines. With the reopening of non-essential services in the region, premises owners, for example those in Singapore, are encouraged to collect customer and employee data to enhance contact tracing efforts. While these efforts help in battling the virus, they expose businesses to more targeted data breaches.
As employees return to the corporate office after months of working from home, employers in some industries are engaging in a variety of activities that involve the collection of health data, whether that means requiring a negative test prior to returning to work, making employees answer pre-entry health-related questionnaires, or conducting at-work testing, screening or temperature checks.
As part of a coordinated exit strategy from the pandemic, the ASEAN Comprehensive Recovery Framework details one of its broad strategies as accelerating inclusive digital transformation. This strategy aims for businesses to adapt and embrace digital tools to boost the productivity, efficiency and quality of goods and services. However, the increasing use of digital technology does not come without challenges, and businesses must always stay vigilant, as these tools are the gateways through which attackers with malicious intent infiltrate their systems.
PHI Data on the Move Creates Vulnerabilities
Another area of concern centres around employees who might have protected health information (PHI) on their devices as part of their job. In this scenario, hackers attack the home network and steal the data that’s on the device. Or they hack into an employee’s remote office and use that beachhead to launch attacks on the corporate network.
When employees shifted to a work-from-home scenario since last March, cybercriminals took notice. The rise in remote work provided cybercriminals with a greater opportunity to hack into networks via phishing, guessing or stealing log-in credentials.
According to researchers at ESET, there was a nearly 800% increase in Remote Desktop Protocol (RDP) attacks in 2020, as cybercriminals attempted to exploit remote workers. RDP attacks target the Microsoft protocol that enables users to gain remote access to Windows machines. These attacks can be used to infiltrate corporate networks to steal sensitive data, and to deploy ransomware attacks.
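The credential-guessing RDP attacks described above leave a recognizable trace: bursts of failed logons of the remote-interactive type from one source, sometimes followed by a success. The detector below is an added example, not code from the article or from IntSights; it runs over constructed log lines in a simplified key=value form (not real Windows event output), assuming EventID 4625/4624 and LogonType 10 as the only fields of interest.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (simplified form, not real Windows log output).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_LOG = """\
2021-03-01T08:00:01 EventID=4625 LogonType=10 User=alice SrcIP=203.0.113.7
2021-03-01T08:00:03 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2021-03-01T08:00:04 EventID=4625 LogonType=10 User=bob SrcIP=203.0.113.7
2021-03-01T08:00:06 EventID=4625 LogonType=10 User=test SrcIP=203.0.113.7
2021-03-01T08:00:09 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2021-03-01T08:00:15 EventID=4624 LogonType=10 User=admin SrcIP=203.0.113.7
2021-03-01T08:05:00 EventID=4625 LogonType=10 User=carol SrcIP=198.51.100.4
2021-03-01T09:30:00 EventID=4625 LogonType=2 User=dave SrcIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d

def detect_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: verdict} for sources with >= threshold failed RDP logons
    inside a sliding window; the verdict notes if a success followed them."""
    failures = defaultdict(list)   # ip -> timestamps of recent RDP failures
    flagged = {}
    for ev in parse(log_text):
        if ev["ltype"] != "10":     # only remote-interactive (RDP) logons
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event"] == "4625":
            failures[ip] = [t for t in failures[ip] + [ts] if ts - t <= window]
            if len(failures[ip]) >= threshold:
                flagged.setdefault(ip, "brute-force attempt")
        elif ev["event"] == "4624" and ip in flagged:
            flagged[ip] = "brute-force followed by successful logon"
    return flagged

if __name__ == "__main__":
    for ip, verdict in detect_rdp_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

The threshold and window are starting points; tune them against the organization’s normal RDP failure rate so that legitimate typo bursts do not page the on-call.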
Now, companies are moving to a model where employees shift back and forth between home office and corporate office. This hybrid situation creates additional security concerns. There is now more PHI data on the move between different locations. And that data is now on multiple devices, including personal systems. For example, an employee could bring an infected machine from home into the office and connect to the corporate network.
This increased portability can lead to more options for cybercriminals to stage attacks such as RDP and VNC (Virtual Network Computing) exploits; data ransomware attacks in which criminals both steal PHI data for re-sale and use PHI data to increase business liability and force ransomware payments; and data spoofing, where data requests are created in bulk based on user information obtained on the dark web.
The Bottom Line
With non-healthcare businesses collecting PHI-related data for the first time, there is more valuable PHI data available to hackers than ever before, as well as more opportunities to access and consolidate PHI data from different sources. With the increase in data breaches in the health sector, governments are implementing more penalties on companies that fail to comply with industry standards.
This means companies need to get up to speed on the regulatory implications of collecting PHI data; they need to factor in PHI protection when formulating rules regarding the testing of employees as they return to the corporate office; they need to identify the security threats associated with employees returning to the office; and they need to make sure they protect against these new threats.
ABOUT THE AUTHOR
Christopher Strand is the Chief Compliance Officer at IntSights. As CCO, he is responsible for leading the global security risk and compliance business, helping companies bridge the gap between cybersecurity and regulatory cyber-compliance. Chris has more than 20 years of subject matter expertise in information technology and security audit assessment, and he specializes in developing enterprise security platforms and markets within hyper-growth organizations. Prior to joining IntSights, Chris launched and led the cyber-compliance business at Carbon Black (acquired by VMware), and has held leadership and compliance specialist roles at other flagship security companies such as RSA, Trustwave, and Tripwire.