Technology Hot Topics: OCR updates, mobile health app resource, and vishing

Teleworking and telehealth have opened more doors for cybercriminals due to a lack of technical, administrative, and physical safeguards.

In the COVID-19 era, it is undeniable that both teleworking and telehealth have increased exponentially. The vulnerabilities that can be exploited by cybercriminals have exponentially increased during this time, as have the rise in the number of attacks. Additionally, many entities have and continue to outsource certain functions to persons in other countries, which includes protected health information (PHI). According to the INTERPOL Secretary General, “[c]ybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty cause by the unstable social and economic situation created by COVID-19.”

Regardless of where the creation, receipt, maintenance, or transmission of PHI that touches American soil occurs, the U.S. Department of Human Services Office for Civil Rights (OCR) has jurisdictional reach to enforce violations. This is important because many breaches of PHI originate from outside the United States.

​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​

In an effort to combat successful cyber-attacks, here are two recent items, which any person handling PHI should consider.

First, on September 1, 2020, HHS updated its Resources for Mobile Health Apps Developers. In addition to the guidance issued in 2016 regarding the Federal Trade Commission’s Mobile Health Apps Interactive Tool and HHS’s Health App Use Scenarios and HIPAA, there is additional guidance for cloud computing (yes, a Cloud Service Provider is considered a business associate in most circumstances unless de-identified data is merely being stored) and application programming interface (API). API is crucial for the implementation of the 21st Century Cures Act, as well as the related Final Rules issued by ONC and HHS. These are definitely worth the read for appreciating liability under a variety of scenarios, as well as the use of apps.

Second, in order to address an increasingly popular form of social engineering known as “vishing”, on August 20, 2020, the Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint-alert to warn the public about this particular security threat. Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign, warns persons of the increased use of vishing attacks by cyber criminals. The joint-advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.” The most effective way to mitigate risk is to do the following: (1) adequately train workforce members on both security and privacy risks; (2) ensure that home environments adhere to basic technical, administrative, and physical safeguards; (3) restrict VPN connections solely to managed devices; and (4) send out security reminders twice a month, unless a bulletin such as the one issued by FBI-CISA is released.

Maintaining secure workstations, regardless of its location, is crucial to thwarting attacks and mitigating risk, as well as adequate training, safeguards, and policies and procedures. While OCR indicated that it will utilize its enforcement discretion during the COVID-19 pandemic, it did not say that persons who experienced breaches would not be held accountable, especially when business continuity plans should have been in place for at least fifteen (15) years. As it is said, “better late than never.”

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}