The pandemic of 2020 tested the mettle of our nation’s healthcare system in many unexpected and profound ways. As healthcare delivery was being rapidly restructured to accommodate COVID-19 diagnosis and treatment and socially-distanced care, bad actors simultaneously began to exploit the increased number of vulnerabilities in health information systems created by telehealth platforms, patient portals and the inattention of stressed, overworked staff. The result was an unprecedented number of cyberattacks culminating in an alert from the Cybersecurity and Infrastructure Security Agency (CISA) on October 28, 2020 addressing the plague of ransomware activity targeting the healthcare and public health sector.

As the pandemic is only slowly abating, we can expect more of the same types of incidents in 2021 and healthcare providers will need to remain hyper-vigilant in their efforts to monitor and patch systems to keep out in front of cybercriminals. After all of this is done, attention can then turn to complying with some of the more “mundane” changes to privacy and security requirements which took effect in 2020 including changes to 42 CFR Part 2 (with newly revised confidentiality protections against unauthorized disclosure and use of substance-use disorder patient records to facilitate better coordination of care by federally assisted programs) and implementation of the Information Blocking protections (which proscribe unreasonable practices which are likely to interfere with, prevent or discourage access, exchange or use of electronic health information).

Finally, healthcare providers and other institutions and employers which became involved with COVID-19 testing and vaccination programs in 2020 should expect state and federal agencies to turn their gaze to information practices that were not closely monitored or enforced during the height of the pandemic. Latitude in protecting the privacy and security of information that was once accorded to the front lines combatting COVID-19 likely will no longer be given.