Cybersecurity and Health Information Privacy During the COVID-19 Pandemic
In following CDC guidelines to effectively navigate the spread of COVID-19, many employers are closing their doors for a period of time and requiring or encouraging employees to work remotely. But cyberattackers, who (strangely) don’t care much for CDC guidelines, are working around the clock to hack into vulnerable computer systems during the current pandemic.
For example, attackers reportedly launched a malicious online map appearing as a credible source showing the viral outbreak of COVID-19 across the globe. The map has the ability to steal payment card information, credentials and sensitive internet browser data. The malware takes screenshots and gathers information about the victim’s operating system, architecture, username and hostname.
Even the Department of Health and Human Services suffered a recent system compromise aimed at slowing down or completely paralyzing the Department’s critical functions. Other government officials are also on high alert that attackers are capitalizing on general uncertainty during the pandemic.
Companies should take this time to assess their security posture closely. The assessment should include, at minimum, the following:
- Maximizing the use of multifactor authentication;
- Ensuring that sensitive information is encrypted at rest and in transit where possible (e.g., requiring the use of VPN tunnels for remote workers);
- Using strong passwords for remote access and changing those passwords regularly;
- Paying heightened attention to phishing attempts and implementing a process by which an employee can verify with IT whether a specific email is legitimate before opening it;
- Ensuring that companies are securely backing up all important data in case of a ransomware attack (i.e., the data is backed up in a separate, off-site system that is less likely to be impacted by a ransomware attack);
- Reviewing and updating an incident response plan; and
- Ensuring that an organization has insurance coverage for business interruption, theft/ransom and first- and third-party costs suffered as a result of an attack.
For more useful tips, check out Shook’s Privacy & Data Security Alerts for an array of topics that will assist organizations in keeping critical data safe.
What Can Employers Ask and Share Relating to Employee Health Information?
COVID-19 has also presented privacy concerns for employers, including those covered by HIPAA. Common questions that in-house legal departments may have about employee privacy during the COVID-19 pandemic include:
Can we make our own diagnosis regarding whether an employee is experiencing COVID-19 in our workplace?
CDC advises that employers should refrain from diagnosing employees with COVID-19 on their own. Employers should use CDC’s guidance to determine the risk of COVID-19. They should not make determinations of risk based on race or country of origin and should maintain the confidentiality of employees with confirmed cases of COVID-19.
Although the Americans with Disabilities Act generally prohibits employers from asking health-related questions, the EEOC makes clear in published guidance for employers on COVID-19 that the ADA allows employers to measure employee body temperatures because of the acknowledged spread of the coronavirus. Employers should note that not everyone with COVID-19 will have a fever.
What health information can we gather from an employee who has been diagnosed with COVID-19?
Aside from measuring body temperatures, the ADA allows employers to inquire about cold-like symptoms such as coughing, chills, shortness of breath or sore throat.
What health information can we share with other employees or third parties about an employee who is diagnosed with COVID-19?
Pursuant to the ADA and CDC, confidentiality relating to medical information is a must in the workplace, and employers should not disclose the name of any employee who has or is suspected of having COVID-19. CDC’s guidance provides the following: “If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA).”
What health information should we refrain from gathering from all employees whether or not they’ve been diagnosed with COVID-19?
The ADA prohibits any disability-related inquiries. If employees are not showing any symptoms of the coronavirus like those listed above, employers may not inquire as to whether the employee has contracted COVID-19 or any other medical condition.
What can we instruct employees to do if they’ve been in close contact with someone affected by COVID-19?
Employers should keep employees updated about any confirmed cases of COVID-19. CDC also recommends encouraging employees to conduct risk assessments to determine their own level of exposure.
HIPAA’s Application to COVID-19
The same obligations imposed on covered entities and business associates before COVID-19 apply now. Aside from adhering to HIPAA’s Minimum Necessary Rule and continuing to safeguard protected health information, covered entities should reaffirm their compliance strategy with HIPAA’s Privacy, Security and Breach Notification Rules.
The Office for Civil Rights (OCR) has released a bulletin that provides guidance on which disclosures of protected health information in a public-health crisis require individual authorizations and which do not.
During a public-health crisis, circumstances may arise where health information must be disclosed without an individual’s authorization. OCR’s bulletin reminds covered entities that the HIPAA Privacy Rule permits such disclosures without an individual authorization in at least the following instances:
- To a public-health authority, like CDC, that is responsible for public-health matters as part of its official mandate;
- At the direction of a public-health authority to a foreign government agency;
- To persons at risk of contracting or spreading the disease or condition, as long as state and local laws authorize notification to such persons; and
- To prevent a serious and imminent threat—taking other federal, state and local law into consideration, covered entities may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
Disclosures to family, friends and others involved in the individual’s case and disclosures to the media or others not involved in the patient’s care would require individual authorizations.
Selected Bench Guides
Georgia Pandemic Bench Guide
[Co-Authored by Shook Partner Josh Becker]
Preparing for a Pandemic: An Emergency Response Benchbook and Operational Guidebook for State Court Judges and Administrators
[National Center for State Courts]
Additional State Public Health Bench Books
[Centers for Disease Control and Prevention]
Association of Corporate Counsel COVID-19 Resource Center
Bain & Co. Coronavirus Economic Impact Report
Law360 Court Status and Closures List
National Center for State Courts: Court News Updates
WestLaw Global Coronavirus Toolkit
[MarketWatch - March 17, 2020] Entire industries are hurting and hoping for help from the U.S. government, as Americans cancel travel plans and avoid stores and restaurants because of the coronavirus causing the COVID-19 pandemic. The Trump administration has been pitching a stimulus package of potentially $1 trillion or more that involves aid for hard-hit sectors such as the airline industry...
[TechCrunch - March 18, 2020] Based on results of clinical trials conducted with affected patients in both Wuhan and Shenzhen by Chinese medical authorities, Japanese-made flu drug favipiravir (also known as Avigan) has been shown to be effective in both reducing the duration of the COVID-19 virus in patients and to have improved the lung conditions of those who received treatment with the drug...
[NBC News - March 18, 2020] Federal health officials say they could use anonymous, aggregated user data collected by the tech companies to map the spread of the virus...
[ZDNet - March 18, 2020] DHS, SANS, NJCCIC, and Radware warn companies about securing enterprise VPN servers in the midst of the coronavirus outbreak and when a vast majority of employees are working from home...
[Harvard Business Review - March 18, 2020] In response to the uncertainties presented by Covid-19, many companies and universities have asked their employees to work remotely. While close to a quarter of the U.S. workforce already works from home at least part of the time, the new policies leave many employees — and their managers — working out of the office and separated from each other for the first time...