Careful Compassion: How COVID-19 has Affected Regulatory Compliance

William Grove, Skybox Security, April 9th 2020

Like Comment

Working and living in a world in flux, it’s not hard to see just how much everything has changed over the last couple of months: alongside constricted ways of living and new ways of working, it’s important to ask how COVID-19 has affected regulatory compliance and what this means for businesses.

From a top-level perspective, the relaxation of some mandates (HIPAA regulations have been modified to allow for better sharing of patient data) and their enforcement (a couple of major GDPR fines have been delayed) may give businesses reason to believe that they have more freedom to pause for breath. Anyone who may be of this opinion needs to have an immediate rethink: now, more than ever, it’s important to not just meet external compliance obligations but to go a few steps further in order to contain expanded network perimeters and reduce the likelihood of successful criminal activity.

How has COVID-19 Affected Regulatory Compliance?

The loosening of HIPAA and GDPR was borne out of necessity. In a notice that was issued in mid-March, the U.S. Department of Health and Human Service (HSS) Secretary Alex Azar issued a limited waiver of some HIPAA provisions in order to, “allow patient information to be shared to assist in nationwide public health emergencies, and to assist patients in receiving the care they need.” In practice, this means that hospitals will not be penalised for non-compliance with the following HIPAA requirements:

  • To obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honour a request to opt-out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

Since then, the U.S. Office for Civil Rights (OCR) has issued four additional notices which remove penalties for providers, business associates, first responders, telehealth organisations and community-based testing sites, thus allowing them to share protected health information more freely in an attempt to better understand how to stem the spread of the virus.

The enforcement of two landmark GDPR fines – over $225m for British Airways and $122m for Marriott International – has also been deferred. This is the second time that these fines have been delayed (the first time being in January of this year), this time in order to not place greater strain on the hard-hit firms. That the Information Commissioner’s Office (ICO) felt like it needed to do this underlines the criticality of the situation: of the 34 GDPR penalties which have been issued to date, these carry the highest monetary value by far. This show of compassion, however, shouldn’t be mistaken for weakness – the fines are still being upheld and the ICO is still keen to nail more high profile organisations. Its heavy hand is still there, albeit with a temporarily softer touch.

In both cases, it’s important to emphasize that these decisions have been made in exceptional circumstances. Both are time-limited and neither downplay the importance of maintaining compliance. HIPAA has not been thrown to one side and the need to adhere to GDPR is as present now as it was in the pre-COVID world.

Why This Isn’t a Time to Relax

The allowances given by the HSS, OCR and the ICO shouldn’t be seen as a ‘green light’ for businesses to flout regulations. During a conversation earlier this month that focused on “full and strict compliance”, Google was warned to adhere to GDPR during the development of a coronavirus tracking app, with the EU’s internal market coordinator Thierry Breton saying that although, “contact tracing apps can be useful to limit the spread of the coronavirus…their development and interoperability need to fully respect our values and privacy.”

The hard lines laid out by regulatory authorities exist because cybercriminals pose a significant and present threat to organisations. This is a threat that is increasing during the current crisis. Criminals are adapting to take advantage of the chaos and, in a number of instances, they’re succeeding.

For example, after the Italian government imposed a nationwide lockdown the GOLD BLACKBURN threat group started distributing several high-volume Italian language spam TrickBot campaigns, with Italian banks observed to have been added to TrickBot web inject configurations. Another example; an app called ‘corona live 1.1’, which deploys SpyMax spyware when it should be tracking the spread of COVID-19, has gained a foothold with its Libyan targets. And a third; one of many coronavirus-related phishing attempts, an email purporting to contain tips about how to avoid COVID-19 scams was actually found to be sharing the Gozi ISFB banking trojan.

Then consider how the rise in remote working has introduced new risk to organisations. While it’s known that a mass remote workforce improves the chance for attackers to gain access to critical corporate assets, it’s only just becoming clear how great this opportunity is for criminals.

Recent research conducted by Shodan shows that the number of devices exposing remote desktop protocol (RDP) to the internet on standard ports jumped more than 40 percent between March and April. This is a clear sign that organisations need to be working hard to ensure the security surrounding their VPNs, improve access controls and generally limit the risk associated with a remote workforce.

Maintaining Compliance is More Important Than Ever

If there was ever a time to get serious about implementing strict protocols to ensure continuous compliance, it’s now. This may involve making decisions to limit access to only the most critical functions until a stage where more resources are available – and then only to increase access to the next highest priority business functions. If this isn’t possible, security leaders could decide to put time limits on when individuals can access certain resources.

This should involve gaining full network visibility, including cloud, VPN and other virtualised networks, and the ability to execute end-to-end path analysis. And it needs to involve assurance that security and networking devices, VPNs, firewalls, cloud services and more are all properly configured.

Security teams are facing unenviable pressures right now. As they help their businesses to weather the current storm, they cannot fail to remember that maintaining compliance needs to be a top priority.

To learn more about Skybox Security's Digital Boardroom, click here.

To learn more about all our upcoming events, click here.

Global CIO Institute

Administrator, GB Intelligence Ltd

731 Contributions
1 Following