The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre issued a joint alert on Tuesday that advanced persistent threat groups “are actively targeting organizations involved in both national and international COVID-19 responses.” This warning should be heeded by hospitals, health systems, pharmaceutical companies, and academic medical systems that are involved in COVID-19 research and treatment. Specifically, the alert provides that the groups “may seek to obtain intelligence on national and international health-care policy, or acquire sensitive data on COVID-19 related research.” The alert provides that the groups are using password spraying, which “is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password and so on.” Mitigations and links to earlier guidance from the organizations are provided in the joint alert. The mitigation efforts include:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations;
  • Use multi-factor authentication to reduce the impact of password compromises;
  • Protect the management interfaces of your critical operational systems;
  • Set up a security monitoring capability;
  • Review and refresh your incident management processes; and
  • Use modern systems and software.
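
As an added illustration of the security monitoring mitigation (this example is not part of the joint alert or of this post), the following sketch flags the password-spraying pattern quoted above: one source failing against many accounts with only a few tries per account. The log format, thresholds, and function names are assumptions made for the example, and the log lines are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2020-05-05T09:00:01 203.0.113.7 alice FAIL
2020-05-05T09:00:03 203.0.113.7 bob FAIL
2020-05-05T09:00:05 203.0.113.7 carol FAIL
2020-05-05T09:00:07 203.0.113.7 dave FAIL
2020-05-05T09:00:09 203.0.113.7 erin FAIL
2020-05-05T09:20:02 203.0.113.7 alice FAIL
2020-05-05T09:20:04 203.0.113.7 bob FAIL
2020-05-05T09:20:06 203.0.113.7 carol OK
2020-05-05T09:05:00 198.51.100.20 admin FAIL
2020-05-05T09:05:01 198.51.100.20 admin FAIL
2020-05-05T09:05:02 198.51.100.20 admin FAIL
2020-05-05T09:05:03 198.51.100.20 admin FAIL
2020-05-05T09:10:00 192.0.2.15 grace FAIL
2020-05-05T09:10:20 192.0.2.15 grace OK
"""

def parse(log):
    """Turn 'timestamp source account result' lines into time-sorted tuples."""
    rows = [line.split() for line in log.strip().splitlines()]
    return sorted((datetime.fromisoformat(ts), src, user, res) for ts, src, user, res in rows)

def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, max_tries=2):
    """Flag sources that fail against many accounts with few tries per account."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            tries = Counter(user for _, user in fails[start:end + 1])
            targets = sorted(u for u, n in tries.items() if n <= max_tries)
            if len(targets) >= min_accounts:
                # Successful logins from the same source are accounts to reset first.
                hits = sorted({u for ts, _, u, res in evs if res == "OK" and ts >= fails[start][0]})
                flagged[src] = {"targets": targets, "succeeded": hits}
                break
    return flagged

if __name__ == "__main__":
    print(detect_spraying(parse(SAMPLE_LOG)))
```

In the sample, the source hammering a single account and the user who mistyped a password once are not flagged; only the source spreading failures across five accounts is, together with the one account it then logged in to.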

Additionally, the U.S. Department of Health and Human Services Office for Civil Rights released guidance reminding hospitals that, despite the public health emergency, the restrictions on disclosing protected health information (“PHI”) to the media have not changed. As such, providers must first obtain “a written HIPAA authorization from each patient whose PHI would be accessible to the media.” Treatment must not be conditioned on the receipt of such an authorization from a patient. Masking patients’ identities when airing video is not sufficient for using video that contains a patient’s PHI.

Norton Rose Fulbright attorneys will continue to provide relevant updates for the healthcare industry on the Health Law Pulse during the COVID-19 outbreak.