The healthcare industry reports that video hijacking, or teleconference hijacking, is on the rise as telehealth appointments replace typical in-person ones during the COVID-19 crisis. The FBI has received multiple reports of conferences being disrupted by pornographic images, hate images and threatening language. This is yet another reason that, even though OCR has indicated it will not enforce prohibitions on the use of non-HIPAA compliant video conferencing platforms like FaceTime and Skype, covered entities and business associates still need to exercise due diligence to avoid breaches of electronic protected health information (ePHI).
Although the press release from the FBI mentions Boston and the New England area, the threat is nationwide. The FBI recommends applying due diligence and caution to cybersecurity efforts. It also provides smart steps that can be taken to mitigate teleconference hijacking threats, listed below.
5 Steps to Help Reduce Video Hijacking Risks
- Do not make meetings or telehealth appointments public. If you are using Zoom, there are two options to make a meeting private: require a password or use the waiting room feature and control the admittance of patients or clients.
- Do not share a link to a teleconference or telehealth appointment in an unrestricted, publicly available social media post. Provide the link directly to specific people.
- Manage screen-sharing options. In Zoom, change screen-sharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Look at this situation as an ideal opportunity to educate your workforce – or remind them – about the how-tos of solid privacy and security practices that can protect your organization, patients, or clients. The greatest risk is not associated with the technology. The risk lies with the people. That’s where solid, and ongoing, education comes in.
There’s another thing to look at while you’re distributing security reminders about how to stay cyber safe. Double-check that your telehealth and telework policies are clear, concise, up-to-date and communicated. We’ve run across a few clients who have a telework policy in place, but it’s not been clearly communicated to staff. In some cases, the telework policy includes requirements that aren’t being enforced. To avoid this recipe for an ePHI breach disaster, update your telework policy and get it out to your workforce ASAP.
Extensive remote working situations are exposing more risks than many companies previously realized, not the least being how to be sure your policies and procedures cover this situation properly. Are you not quite sure where to start with updates? We can help. Whether you’re updating current policies and procedures, or you’ve never finished the “work from home” ones, give us a call at 503-384-2538 to get things moving.