Protect Patient Data During COVID-19 Outbreak, Federal Agencies Warn

In a special report to top officials of the armed services, the Defense Department’s assistant inspector general for the operation of cybersecurity audits culled “lessons learned” from past reports to stress the continued importance of protecting sensitive information as the department mobilizes to respond to the coronavirus pandemic.

“Because [military medical treatment facilities] use different methods to collect patient data, such as in-person and virtual triage, continuing to exercise due diligence to protect patient data is needed now more than ever,” Carol N. Gorman wrote.

The report, released Thursday, notes increased patient loads at MTFs and alternative care facilities the department is helping to build and operate.  

On Friday the FBI, along with the Cybersecurity and Infrastructure Security Agency and Health and Human Services Department, also advised improving security measures in the face of COVID-19.

“Terrorists and other violent extremists may attempt to exploit the situation or vulnerable individuals may be triggered by stressors to commit disruptive or violent acts targeted at the healthcare community,” the bulletin reads. “This is particularly concerning as Healthcare and Public Health Sector continuity-of-operation is paramount to the national response to the pandemic.”

Both the interagency bulletin and the DOD IG’s office highlight the importance of physical security.

“MTFs should implement physical safeguards to protect the integrity and confidentiality of facilities that house [personal health information] from unauthorized use and disclosure,” the DOD IG report reads. “Physical safeguards include, but are not limited to, ensuring controlled access to sensitive areas that maintain electronic and paper records containing PHI and using surveillance equipment to monitor and review access to controlled areas.”

The DOD IG’s recommendations drew from reports the office did going back to 2017 on physical security and the protection of health information and electronic health information Army, Navy and Air Force MTFs as well as an audit of DOD’s physical security controls and a Government Accountability Office report on the Centers for Medicare and Medicaid’s oversight of medicare beneficiary data.      

In addition to improving physical security, the DOD IG report recommends: using multifactor authentication and strong passwords, identifying and mitigating network vulnerabilities, limiting access to and encrypting patient health information, configuring systems to lock automatically, and reviewing user activity. 

The report warns malicious cyber actors are “attempting to take advantage of the nation’s focus on caring for the sick.” 

“As MTFs and alternate care facilities experience increased volumes of patients seeking treatment during the COVID‑19 pandemic, DoD health care leaders, MTF chief information officers, network administrators, and users alike must be vigilant to protect the confidentiality, integrity, and availability of PHI,” Gorman wrote.