Ensuring Data Privacy and Cybersecurity Meet the Needs of Current and Future Crises

During the coronavirus pandemic, there has been an increasing international adoption of digital health solutions, including telehealth and cloud computing creating concerns about data privacy and cybersecurity. The third strategic action in the HIMSS COVID-19 Global Policy Call to Action Report highlights this issue by addressing the multifaceted reality of data privacy and cybersecurity. No doubt maintaining robust data privacy and cybersecurity policies can help mitigate cyberattacks. However, during times of crisis, like the current pandemic, it may be beneficial to support appropriate information sharing, such as to advance population health. The following examples highlight how various governments have sought to protect personal health information.

With the coronavirus pandemic prompting technological interventions to keep vital operations running, the world saw an increase in cyberattacks with the healthcare sector a constant target. The United States, as an example, saw the number of attacks that were reported to the Department of Health and Human Services (HHS) was 132, between February and May in 2020, an increase of about 50% during the same time the year prior. Common motives for these attacks include gathering the financial or personal information of individuals affiliated with targeted organizations. This information can then be held as a hostage unless provided with monetary benefits, or to constitute identity theft. However, an attack’s initial harm can spread to innocent bystanders, such as the patients of a targeted healthcare organization. While healthcare organizations can be targeted directly, software vendors and cloud computing providers were common targets throughout the year. As these companies most likely require some sort of technological bridge to their clients and constituents, hackers can gain potential access to multiple organizations by one attack. As becoming more reliant on technology to serve patients increases the risk incurred, many healthcare organizations are worried their vendors may also experience an attack, compromising the data privacy of patients.

In response to the vulnerability experienced during the COVID-19 pandemic, the U.S.’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and HHS, together released a cybersecurity advisory document. While this document served as a warning to healthcare providers of the legitimate potential of ransomware attacks, it also offered details for how these attacks may be perpetrated, therefore providing organizations with the foundation from which to construct a proactive defense. A similar document was released by the Canadian Center for Cybersecurity, warning Canadian healthcare providers of the probable risk of cyberattack and providing resources that can be used to mount a defense.

As increased telehealth utilization spreads around the world, so is the confrontation of cybersecurity needs. Like the United States, Singapore has seen an increase in attacks targeting the technological infrastructure of healthcare organizations. An amendment was proposed to the country’s Personal Data Protection Act (PDPA). Initially passed in 2012, the PDPA granted foundational individual protection for the use of their information. The amendment, passed in 2020, implements stricter punishments against organizations that mishandle the data of their customers or experience data breaches. Essentially, this amendment acts as a push for organizations to reexamine how they handle their data, potentially adding deterrents for cyberattackers.

Legislation such as Singapore’s amendment to the PDPA can be effective in deterring cyberattacks. However, during times of crisis, such as the COVID-19 pandemic, the benefits of being flexible and permitting data sharing may usurp the risk of cyberattacks. This perspective is visible in the United States Office of Civil Rights (OCR). The OCR released HIE guidelines which stated that, during the pandemic, punishments will not be enforced for violators of the HIPAA Privacy Rule if protected health information is provided to public health authorities without the approval of the individual whose information is being relayed. This perspective is even evident within Singapore’s amendment, maintaining an expectation of punishments in special situations where an organization can share information without the individual’s consent if the benefit from sharing information supersedes the risk to the individual or if the information provides a clear public benefit. Even with this exception, though, organizations would be required to formally assess the risk on the individual and disclose the situation that requires them to share information and endanger data privacy.

In Canada, the PIPEDA and the Privacy Act are the leading federal legislation protecting personal information and data privacy. While both policies discuss the exchange of information, the PIPEDA applies to exchange taken between private entities, which the Privacy Act concerns the federal government and related agencies. An overview of both policies was released, clarifying how their rigidity lessens during times of public health crises. Specifically, the PIPEDA will allow private entities to exchange and hold information without the consent of the individual if required by law relating to a public health crisis. Similarly, the Privacy Act allows the same right to the government if there is an understanding that the public benefit of disclosing information without consent outweighs the cost of doing so. This clarification essentially maintains the same perspective as the OCR guidelines and Singapore’s amendment, that despite the risk of disclosing or exchanging information without strict precaution, there is an advantage in allowing such transactions to take place during times of public health crises.