DoD Issues Guidelines to Protect PHI During Pandemic
The U.S. Department of Defense is urging military medical treatment facilities to protect controlled unclassified data, like patient health information and personally identifiable information.
As the healthcare industry redoubles their efforts to combat COVID-19, the federal government is reminding those who work in military medical treatment facilities (MTFs) how critical it is to keep patient health information (PHI) protected in these unprecedented times.
The Inspector General of the Department of Defense reminded entities last week, distilling four reports issued through its own office and the Government Accountability Office, to provide guidance designed to protect sensitive and personal data collected from unauthorized access and inadvertent disclosure.
During the COVID-19 pandemic, MTFs should ensure that have measures in place to reduce the risk of unauthorized access to patient information, external threats that could exploit known system and network weaknesses, and internal threats to intentionally or unintentionally compromise networks and systems that contain patient information.
Carol N. Gorman, the department’s Assistant Inspector General for Audit, Cybersecurity Operations, points out in the guidance that several systemic weaknesses in systems can open up networks to attack.
To address weaknesses that can expose PHI, the DoD is recommending organizations implement the following best practices if they haven't already:
- Use multifactor authentication
Use strong passwords - When multifactor authentication is not available, MTFs should require strong passwords, a minimum of 15 characters, including one upper case, one lower case, one number, and one special character.
- Identify and mitigate network vulnerabilities - CIOs should take steps to mitigate vulnerabilities
- Encrypt patient health information - Encrypting data on a system can reduce the risk that PHI can be compromised if security controls are breached.
- Limit access to patient health information within a health information system - Access should be on a need to know basis
- Configure systems to lock automatically – Specifically, systems containing PHI should lock automatically after 15 minutes of inactivity.
- Review user activity - System admins should monitor and review activity for successful and failed logins and exfiltration attempts
While PHI usually refers to protected health information - under US law, it's any information about health status, provision of healthcare, or payment for healthcare - for this white paper, the DoD said it considers patient health information any information created or obtained by a health plan or health care provider, who transmits any health information for an individual related to the past, present, or future physical or mental health or condition.
To illustrate the importance of protecting PHI and securing healthcare data, the DoD cites statistics via the U.S. Department of Health and Human Services from over the last two years, highlighting that there have been 570 healthcare breaches totaling 46 million patients.
Medical providers have been hit hard in more ways than one, obviously in the wake of the COVID-19 pandemic. Last week, three weeks after it issued a public advisory that cyber actors were targeting first responders and medical facilities to steal sensitive information, the FBI issued indicators of compromise and hashes to help administrators at facilities better identify COVID-19 phishing attacks.
With the pandemic has come increased scrutiny around data protection, especially in light of talk of surveillance technology being used by the government to track the spread of the coronavirus. The DoD, like every other federal entity, is doing its due diligence to ensure the facilities it oversees are following security measures to guarantee the confidentiality, integrity, and availability of PHI going forward.
Photo of the Oklahoma National Guard via The National Guard, Flickr photostream, Creative Commons