Coalition Formed to Address COVID-19 Crisis
Observers Warn That Privacy, Security Must Be Adequately Addressed
More than two dozen healthcare organizations and technology firms - including Mayo Clinic, Intermountain Healthcare, Microsoft and Amazon Web Services - have formed a coalition to help address the COVID-19 crisis by using secure information sharing and data analysis. But observers warn the group must ensure it devotes enough attention to privacy and security issues.
Former healthcare CIO David Finn, an executive vice president at security consulting firm CynergisTek, says he's disappointed the new group did not specifically name security and privacy in its list of guiding principles.
"Until we actually integrate privacy and security into any discussion, planning and operations involving sharing data, we have effectively relegated them to the back burner," he says. "Addressing privacy and security after the fact is always more difficult, more costly and in some cases, it may be too late."
But former healthcare CISO Mark Johnson, principal consultant with LBMC Information Security, says the participants "have world-class cyber and privacy programs. I know, having worked with several of these organizations, that they will bring all the best, including their cyber expertise, to these efforts. I'm very hopeful we can learn from them."
The coalition did not respond to an Information Security Media Group request for details about the group's data security and privacy plans.
The COVID-19 Healthcare Coalition says its mission is to help save lives by providing real-time insights to aid healthcare delivery and help protect Americans.
"Each coalition member is bringing its unique assets, sharing resources and plans, and working together to support those on the front lines in responding to COVID-19," the organization says.
MITRE, a Bedford, Mass.-based nonprofit, federally funded research and development firm, will help the coalition "coordinate the private sector response and serve as an independent party to facilitate communication, aggregate de-identified data - from clinical insights to resource requirements like beds and ventilators - and coordinate the response across a range of organizations," the coalition says.
In a blog post about the launch of the group, former healthcare CIO and coalition member John Halamka, M.D., president of Mayo Clinic Platform, writes that the coalition has already begun efforts to increase COVID-19 testing capacity for the country, coordinate early therapies and accelerate vaccine development.
"We're moving fast to support technology and policy innovations," he writes. "Pandemics thrive in confusion and wither against a united, clear-eyed attack. Let's shut down COVID-19 together."
In a statement, the coalition says: "The global expansion of the COVID-19 pandemic poses complex challenges and requires speed, along with bold and vigilant action responsive to this dynamic situation. This private sector coalition represents a vast resource of data, expertise, capabilities and insights and will complement federal, state, and local government actions, securely and in compliance with applicable laws and guidelines."
The coalition says it will attempt to connect suppliers of personal protective equipment and ventilators to healthcare organizations that need them; collect and share best protocols for treating COVID-19; accelerate capabilities related to telehealth and other options to reduce the load on hospitals; and connect top resources for information from around the world to provide data analytics and insights.
Even before the COVID-19 crisis hit, "widespread sharing of patients' health information has long been hoped to serve as a catalyst for investment in data analysis processes that would provide deeper insight into population health," says privacy attorney David Holtzman at CynergisTek.
Meanwhile, the latest effort by the federal government "to ease the compliance burden during an unprecedented health emergency changes how healthcare organizations approach the privacy and security of patient information," Holtzman says. He was referring to recent moves by the Department of Health and Human Services to issue certain HIPAA privacy waivers related to COVID-19, as well as expanding telehealth services that are reimbursable by Medicare and Medicaid during the crisis.
"But organizations joining the fight against COVID-19 through sharing of patient information in an innovative collaborative industry response must be on guard against the introduction of new threats and vulnerabilities to their enterprise information systems," adds Holtzman, a former senior adviser at HHS OCR.
The healthcare sector could face escalating cyberthreats as it focuses on fighting COVID-19.
"Unfortunately, things have already gotten worse in regard to cybersecurity in healthcare," Finn says.
"We've seen tremendous growth in phishing and malware attacks. The 'bad guys' are very opportunistic and, sadly, quite clever, so lots of attacks leverage COVID-19 topics that range from helping someone with it to how to protect yourself to false maps of its spread that download malware."
Johnson notes that hackers are more successful "when people are stressed, under pressure and extremely busy. Who, currently, is under more pressure or busier than healthcare?"
In crisis situations, privacy and security always take a back seat to efforts to deliver timely treatment, Finn says. "And that seems appropriate. However, what every CIO, CISO and patient should be thinking about is what they need to go back and re-assess or fix as the crisis begins to abate," he says.
"When we do things quickly, we tend to skip steps, and that may be alright to get the work done, but at some point privacy and security will need to be addressed. If we don't do that in a timely way, we may not be able to get back to reasonable levels of privacy and security without a lot of damage and increased risk."