Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate. These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.
While businesses and their employees continue to operate in the “new frontier” of working-from-home during the COVID-19 pandemic and the gradual reopening of the economy, a serious risk continues to present itself: the threat of cybercrime. The increased use of remote access to work systems and related applications has made businesses a prime target for those unscrupulous individuals seeking to encroach on companies’ cyber-landscape. Flaws in VPNs, firewalls, and videoconferencing, for example, have exposed many companies’ electronic infrastructures to these incursions. Similarly, the at-home workforce has increasingly been subjected to social engineering attacks often cloaked as communications purporting to provide information about pandemic-related issues.
Addressing Data Privacy and Security Provisions in COVID-19 Related Service Provider Agreements and Beyond
Employers’ engagement and use of various types of vendors has expanded recently, to include vendors who assist with office re-entry screening and contact tracing as employees return to work during the COVID-19 pandemic. The service agreements that are negotiated and executed for this purpose should sufficiently address data privacy and security considerations related to employee personally identifiable information (PII). This is necessary for any service provider or vendor agreement. In the absence of a federal law governing data security and breach notification of employee PII, employers must comply with increasing state and local legal requirements to ensure the protection of employee PII which employers obtain in the normal course of employment. Many states have breach reporting laws that apply to data held by employers, such as employee social security numbers. Other states, such as New York, have laws encompassing PII breach reporting and mandating certain data protections. For example, the New York Stop Hacks and Improve Electronic Data Security Act (“Shield Act”) requires employers to implement a cybersecurity program providing protective measures for New York resident-employees’ PII.
The return of employees to the office after weeks of remote work creates data privacy and cybersecurity challenges that businesses need to confront head on. These considerations are especially critical as many states and regulators are requiring employers to collect COVID-19 related health information. Below are 10 ways to combat potential cyber risks and stay #CyberSavvy while employees are returning to work.
Many more millions of employees have been working remotely as a result of the devastating COVID-19 virus than ever before. There is likely no going back. Employers have been relying on a remote workforce by necessity in the short term and are realizing that in the long term they can operate efficiently and productively with their staff largely out of the office. For the foreseeable future, public health risks will drive both employers’ need for a remote workforce to achieve continuity of operations and employees’ demand for a safer work location. The increased numbers of remote workers will no doubt be lasting. But with this anticipated restructuring of work must come a comprehensive evaluation of the corresponding long-term cybersecurity risks and how best to address them. As employers look forward to the future of securing remote work in their organizations, they should review the following top ten considerations as part of their defense in depth.
As featured in #WorkforceWednesday: With all the challenges businesses are facing, it is hard to stay focused on data security. Hackers see the newly remote workforce as an opportunity, and phishing attacks are on the rise. Employers can fight back in a few ways:
- Educate employees.
- Update training materials and work-from-home policies.
- Get security patches to employee devices quickly.
- Update your data breach response plan and communicate it.
- Remind your employees to help keep data secure by password-protecting devices with strong passwords and protecting sensitive information from others near their remote working location.
In March 2020, as professionals worked from home due to COVID-19, Zoom video conferences surged in popularity while, conversely, lawyers cast wary glances at the Alexa device in their home office, wondering if it was recording confidential communications. While society struggles with its relationship with ubiquitous communication devices, here is advice on properly configuring Zoom and Alexa privacy settings.
As organizations and employees work from home, we can expect cyber criminals to attempt to profit off of the confusion. We have tips organizations should consider to protect themselves from cybercriminals during this unique “work from home” time.
Even before the current pandemic, as enterprises adopted techniques and practices such as digital transformation, cloud and mobility, they faced an increased risk from a range of established and emerging cybersecurity threats, such as phishing attacks that seek to introduce malware capable of compromising sensitive business information, ransomware and other fraud campaigns. The risk of huge fines under the GDPR means that cyber security has become a board-level issue, as well as a focus for regulators.
Benefits Guidance in the time of COVID-19: Additional Cybersecurity Concerns as Employees “Work-From-Home”
As the United States and the rest of the world hunker down in their homes to slow the spread of the novel coronavirus (COVID-19), many organizations have implemented “working-from-home” procedures that are designed to protect the health of the employees. Working-from-home, however, presents heightened threats to the cybersecurity of benefit plans, including the plan’s assets and employee data that is collected, transmitted, and stored with regard to employee benefit plans. Plan sponsors and fiduciaries have asked about the particular risks that working-from-home might present to the protection of sensitive data and whether there are additional proactive measures they can take to reduce those risks.