The coronavirus has hit the globe, with only some island nations and well-isolated areas reporting no cases. In this turbulent time, international cooperation has reached an impressive scale, bringing together doctors, businesses, healthcare software developers, and researchers to pursue a common goal.
To allow much-needed clinical research, governments have softened the intricate data security policies and let researchers share COVID-19-related information without delays. So what are the accepted privacy practices?
COVID-19 data privacy approaches globally
We’ve studied the COVID-19-driven data protection tactics and identified three key approaches to data privacy, accepted in different parts of the world.
Asia: common good over privacy
The first to face the outbreak, Asian countries had no second thoughts regarding privacy when ensuring community health. Thus, in China, authorities tracked geolocation via mobile phones to monitor infected people, their adherence to quarantine measures, and their contacts. The data was not anonymized, so practically, it boiled down to tracking people without explicit consent.
However, not all Asian countries took this path. Singapore launched TraceTogether, an app that tracks and logs data about people potentially exposed to the virus within a two-meter distance. The good news is that the app doesn’t need geolocation or any other personal information.
The EU and UK: temporary privacy limits
Amid the pandemic, European countries could not avoid forgoing some privacy either. The General Data Protection Regulation (GDPR) still applied, but it allows governments and employers to access and process personal health data where there is a substantial public interest, for example in preventive medicine and public-health measures. However, legislators stressed that each case in which personal data was needed had to be reviewed individually rather than waved through under a blanket exemption.
The US: privacy partly waived
To stop and control the spread of the virus, the country implemented several measures. The US favored social distancing at five levels of increasing severity, from limits on restaurant operation and a ban on large gatherings to stay-at-home orders and a state of emergency. The latter, a national emergency declaration, was introduced across the country on March 13, 2020.
Other valuable health policy actions included expanded telehealth access in most states and the nationwide Section 1135 waiver. This waiver permitted certain non-compliance with some healthcare-specific legislation: providers unable to meet certain statutory requirements were still reimbursed and exempted from sanctions, provided they acted in good faith. That was not the case for fraud or abuse, which continued to be prosecuted.
A pitfall to mind
Exposing location to officials is not the only concern about health-related data sharing. There is another, far more dangerous trap: malicious hackers who want to grab unsafely stored or processed personal health information and sell it.
According to the Trustwave Global Security Report, a single personal health record may hit $250 on the black market, which is 25 times higher than the price of credit card information.
However, securing the data itself, at rest and in transit, is not enough, because there are other entry points that attackers use. One of them is corporate email, the classic door for phishing, spoofing, and ransomware attacks.
Another disturbing fact is that, according to the IBM Cost of a Data Breach report, healthcare is the most expensive industry in which to suffer a breach, with the average cost climbing to $10.1 million. That figure covers breaches IBM tracked from March 2021 to March 2022 and is 9.4% higher than in the same period a year earlier.
According to IBM, healthcare has experienced the highest breach-related financial damages for the last 12 years in a row. So are there any data security tips to follow?
Fighting cybersecurity threats
To fight cyber threats successfully, you need a multilateral approach covering three key areas: employees, your digital environment, and external threats. We will start with employees.
Securing the perimeter
According to the 2022 Cost of Insider Threats Global Report by Ponemon Institute, 56% of insider incidents happen due to employee negligence, and only 26% are committed by malicious insiders. These data suggest two clear routes for preventing insider threats:
- Training employees to curb negligence. This involves teaching good practices: timely software updates, safe storage of credentials, and careful handling of email. Being vigilant about incoming email helps medical and administrative staff detect phishing and spoofing: a sender display name that does not match the actual address, a Reply-To pointing to another domain, or a lookalike domain are all warning signs. Every suspicious email should be reported to the system administrators. It is also a good idea to run a mock phishing campaign and check whether the employees have learned the lesson.
- Practicing emergency response. Employees should have a clear-cut plan for dealing with cyber emergencies, and rehearsing their response is worth the effort. You can practice a mock attack with infosec practitioners. A typical action plan if an attack happens: the first people to notice it should contain the infection by isolating the affected machines from the network (unplugging the cable or disabling the network interface) rather than by taking down the whole network. Leave the machines powered on so that evidence in memory survives for the investigation. The employees should immediately contact the assigned IT specialists, who will run the recovery operation. Backup and restore procedures should also be prepared, and tested, in advance.
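The header warning signs listed above can be checked automatically before a message ever reaches a clinician's inbox. The following script is an added example, not code from the original article or any vendor: it parses raw email headers with Python's standard library and flags display-name spoofing, Reply-To and Return-Path mismatches, failed SPF/DKIM/DMARC verdicts reported by the receiving mail server, and lookalike sender domains. The trusted-domain list and both sample messages are constructed for this example.

```python
"""Heuristic phishing/spoofing triage for inbound email headers.

Added example, not from the original article. Everything below
(domain list, sample messages) is constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Constructed: domains the clinic treats as its own or as regular partners.
TRUSTED_DOMAINS = {"clinic.example", "lab-partner.example"}

# Constructed phishing message: display name impersonates a clinic address,
# the real sender is a lookalike domain, replies and bounces go elsewhere,
# and the receiving MTA reports failed authentication checks.
PHISHING_SAMPLE = b"""\
Return-Path: <bounce@mail-blast.example>
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=mail-blast.example; dkim=none; dmarc=fail header.from=cl1nic.example
From: "lee@clinic.example" <billing@cl1nic.example>
Reply-To: <collect@mail-blast.example>
To: staff@clinic.example
Subject: Urgent: patient invoice attached

Please open the attached invoice today.
"""

# Constructed legitimate internal message for comparison.
LEGIT_SAMPLE = b"""\
Return-Path: <reception@clinic.example>
Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=clinic.example; dkim=pass header.d=clinic.example; dmarc=pass header.from=clinic.example
From: Front Desk <reception@clinic.example>
To: staff@clinic.example
Subject: Rota for next week

Next week's rota is on the shared drive.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalikes such as cl1nic.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: bytes) -> list[str]:
    """Return short finding codes for a raw message; an empty list means clean."""
    msg = email.message_from_bytes(raw)  # compat32 policy: headers come back as plain strings
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. The display name smuggles in an address from a different domain.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if embedded and embedded.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")

    # 2. Replies would go to a domain other than the one the mail claims to be from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. The envelope sender (Return-Path) is in a different domain than From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_dom:
        findings.append("return-path-mismatch")

    # 4. Verdicts recorded by the receiving server: anything but "pass" deserves a look.
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}-{result.lower()}")

    # 5. Untrusted sender domain within two edits of a trusted one (typo-squat / homoglyph).
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_dom, trusted) <= 2:
                findings.append(f"lookalike-of-{trusted}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, check_message(sample) or "no findings")
```

Such a script is a triage aid, not a verdict: the Authentication-Results header is only meaningful when it was written by your own mail server (strip any copy that arrives from outside), and a message with no findings can still carry a malicious attachment. Its value is in routing the obviously suspicious mail to the administrators the staff are told to report to, before a busy clinician has to decide.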
Securing communication channels
Given that sharing confidential information is standard practice in a healthcare setting, securing those exchanges is a top priority. In striving for seamless and safe communication between medical professionals and patients, you do not need to limit yourself to telemedicine. Consider mobile healthcare solutions that support doctor-patient and employee-to-employee communication, or the use of blockchain in healthcare. Smart contracts can enforce who may access a record and leave an auditable trail of every access, but they do not by themselves protect data in transit, so they complement rather than replace encrypted channels.
Securing IoMT devices
Healthcare IoT powers remote patient monitoring, facilitates chronic condition management, and helps save lives when a monitored vital sign crosses a defined threshold. At the same time, Internet of Medical Things (IoMT) devices need to be monitored and protected from malware and malicious actors, both outsiders and insiders. According to a 2022 security report by Cynerio, 53% of hospital IoT devices have a known critical vulnerability.
Regular security testing, timely updates, and the other practices of enterprise network management are the answer to this ongoing threat. IoMT devices need vulnerability assessments that cover their access controls and the risk of unauthorized use of data stored on the device or transmitted to an external recipient. Keeping an inventory of every connected device and segmenting them onto their own network limits the damage a single compromised device can do.
Protection from outer threats
No matter how well-trained and loyal employees are, some security threats are simply beyond their reach. To shield your systems from external threats, it pays to engage cybersecurity consultants.
They not only assess your digital environment for vulnerabilities but also continuously monitor the latest security trends, data breaches, and malware. They also offer penetration testing, in which their ethical hackers try to break into the system, and draft actionable recommendations for patching what they find. All of this lets you address the discovered vulnerabilities and seal potential entry points in advance, before an actual attack.
To crown it all
In times of a global pandemic, nothing is more important than human life and well-being. The security of healthcare data is an integral part of both, so governments all across the globe try to ensure it in one way or another.
However, in extreme situations, individual privacy is often set aside for the good of the majority. Exploiting this opportunity, malicious actors will not hesitate to attack healthcare practices and research facilities, steal patient data, and demand ransom.
That is why healthcare facilities should take data protection into their own hands. We hope our recommendations on fighting cyber threats in a healthcare setting will help.