Topic: Address Possible Security Lapses as Your Practice Returns to Normal

The pandemic threw healthcare into unknown territory in 2020. To accommodate patients and continue to provide treatment, providers early on during the COVID-19 health crisis had to quickly turn to new technologies such as telemedicine to provide care virtually. As practices return to normal, it is imperative they be mindful of possible security issues related to the devices they used to enable patients to receive care remotely.

“We are trying to remind people that they may have distributed iPads or laptops or cell phones that need to be managed,” said Laura Hoffman, assistant director of federal affairs for the American Medical Association (AUA). To assist in that effort, the AMA has released IT considerations for medical practices and hospitals.

Remote safety

Practices should consider that devices used outside of the office might not have been updated with software security patches or distributed laptops without encryption capabilities, Hoffman noted. As their in-person caseloads rebound, practices that gave healthcare providers expanded access to protected health information (PHI) during the pandemic should return to normal PHI access controls.

Hoffman urged practices to enter into a business associate agreement (BAA) with vendors who provide telehealth platforms, if such an agreement is not already in place. Some major vendors historically have not signed BAAs, but they might be more amenable to doing so now to keep the market share they gained during the pandemic.

“I will be interested to see how that plays out when the public health emergency ends,” Hoffman said. “But if they [vendors] are not willing to sign a BAA — barring regulatory changes — providers will need to find a new platform because they have a responsibility to protect patient information under HIPAA.”

In the meantime, practices need to take every security feature a telehealth vendor’s platform offers, including end-to-end encryption, Hoffman said.

Outdated technology

On top of pandemic-related threats, providers should be thinking about everyday compliance issues that could impact cybersecurity. They should be familiar with the software used in their devices and medical records systems and keep in mind that vendors can stop supporting older software. Hoffman said AMA has pushed practices to use a software bill of materials, a list of operating systems in medical devices and computers so practices know what components are in the system.

Hoffman recommends looking to a public/private partnership from the Cybersecurity Working Group of the Health Sector Coordinating Council for information. This group provides education and advocacy around cybersecurity and has a section with resources for small and large practices.

Topic Discussed: Address Possible Security Lapses as Your Practice Returns to Normal

Read Original Article