Thursday, March 19, 2020

Keeping Regulated Data Secure during the COVID-19 Outbreak

The social distancing measures against COVID-19 have resulted in a massive shift of the workforce to home offices. While this has allowed work to continue, it has caused concern among some organizations, especially those without regulatory expertise or resources, who are collecting COVID-19 data or handling other types of regulated research data. We are therefore providing the following guidance to help organizations stay compliant with privacy and security regulations that impact research data, irrespective of whether it is COVID-19 related or other types of data.

[Note: You can also check out our earlier blog post titled “Recommendations for reducing cybersecurity risk while working remotely”.]

1. HIPAA (Health Insurance Portability and Accountability Act) 

First of all, determine if HIPAA is applicable. Not all personally identifiable health information is protected by HIPAA, only protected health information (PHI) created, received, maintained, and transmitted by covered entities (CE) and their business associates (BA). If you are neither, HIPAA may not apply to health data you collect, even if it is personally identifiable. That said, you should still consider it sensitive data and protect it using applicable safeguards below.

Collecting and processing PHI:
  1. Only use tools institutionally approved for PHI. 
  2. Do not use a vendor with whom your institution does not have a HIPAA business associate agreement (BAA). Here is a list of some vendors you might consider if you do not have HIPAA approved systems: 
    1. Qualtrics for surveys 
    2. SFax for e-faxing 
    3. Zoom for teleconferencing 
    4. Box for Healthcare for file sharing 
  3. Protect your workstations and mobile devices as described below. 
Protecting PHI when working from home:
  1. Follow institutional telework and IT policies and procedures. 
  2. Work with your IT professionals. 
  3. Secure your workstation (laptop/desktop). 
    1.  Use a workstation provided and secured by your institution. 
    2.  If you must use a shared workstation (e.g., a home PC), ensure you take the following security measures: 
      1. Do not use the workstation if it has an old and insecure operating system installed (e.g. Windows XP). 
      2. Create a separate account for yourself and password protect it. Access PHI only while logged into this account. 
      3. Do not share the account password. 
      4. Do not download PHI to the workstation. 
      5. Enable and password protect the screen saver. 
      6. Ensure that the firewall and antivirus are enabled. 
      7. Apply the latest patches. 
      8. Connect only to trusted, work-related websites. 
      9. Turn off the “Remember Password” feature in browsers/decline to store passwords to sensitive sites. 
      10. Do not backup the device to your personal cloud storage (e.g. Google or Apple) account. 
      11. Delete the account after you are back at work. 
    3. Secure your mobile device (smartphone/tablet). 
      1. Use a mobile device provided/secured by your institution. 
      2. If you must use a personally owned mobile device, take the following security measures:
        1. Follow your institutional policies/procedures regarding use of personal mobile devices for PHI. 
        2.  Do not download PHI to the device. 
        3.  Enable screen lock or PIN. 
        4. Do not backup the device to your personal cloud storage (e.g. Google or Apple) account. 
    4. Ensure encryption at rest and in transit. 
      1. Ensure that your home WiFi network is using encryption. 
      2. Ensure that the workstation/mobile device is full-disk encrypted.
      3.  Ensure that the URL for sites you visit begins with an https://. 
      4. Use a VPN, especially when using an untrusted network. 
      5. Use institutionally approved, encrypted communication tools for remote meetings. However, as of March 17th, US Dept. of Health and Human Services’ Office for Civil Rights (responsible for enforcing HIPAA) is allowing video chat tools such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype for COVID-19 response. Public facing apps such as Facebook Live, Tiktok, etc. are not allowed. 
      6. Do not record meeting sessions. 
      7. If you are backing up to external media, e.g., a USB disk, ensure that it is encrypted.
    5. Ensure physical security. 
      1. Keep your device and any connected media in a physically secure location. 
      2. Keep conversations private by restricting physical access to the home office space to others during meetings where PHI may be disclosed.  
Breach Notification:
  1. If you suspect an incident or a breach of PHI, immediately follow your institutional incident response process.
For the strictly privacy aspects of HIPAA, please refer to Dept. of Health and Human Service's guidance on HIPAA privacy and coronavirus.

2. GDPR (General Data Protection Regulation) 

COVID-19 related data on European Economic Area (EEA) persons falls under a “special category of personal data” under GDPR. 
  1. Processing this data requires consent from the subject. 
  2. Processing must be necessary for one or more of the following. 
    1. Allow an employer to function. 
    2. Protect the interest of the subject. 
    3. Reasons of substantial public interest. 
    4. Purposes of preventing or occupational medicine. 
    5. Reasons for public interest in the area of public health. 
  3. Records of data processing must be kept. 
3. DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement) 

Protecting CUI while working from home: 
  1. Secure your workstation (laptop/desktop). 
    1. Work with your IT professionals. 
    2. If your institution provides it, use a web- or remote desktop-accessible virtual desktop interface (VDI) and a remote CUI enclave. 
    3. Use an institutionally provided and secured workstation. 
    4. Do not use a shared workstation such as a home PC. 
    5. Ensure both the firewall and antivirus are enabled. 
    6. Access CUI only while logged into your own user account. 
    7. Use a strong password. 
    8. Do not share the password. 
    9. Enable 2-factor authentication (e.g., fingerprint sensor) if possible. 
    10. Do not download CUI. 
  2. Mobile devices: 
    1.  Do not use mobile devices to access, store, or process CUI. 
  3. Ensure encryption at rest and in transit. 
    1. Ensure that your home WiFi network is using encryption.
    2. Ensure the workstation has full disk encryption. 
    3. Always use a VPN.
  4. Ensure physical security. 
    1. Keep your device and any connected media in a physically secure location. 
    2. Keep conversations private.  Restrict physical access to the home office space to others during meetings where CUI may be disclosed.  
Breach notification:
  1. If you suspect an incident or a breach, immediately follow your institutional incident response process. 
For more guidance, contact your Contracting Officer.
COVID-19 Phishing, Scams, and Fake News 
  1. Beware of COVID-19 phishing tactics and scams
  2. Avoid COVID-19 fake news and misinformation
Contact us if you need additional help or information.