There’s no question that the convenience of telecommunication in healthcare, or telehealth, is vital to patient care at this time. Keeping healthcare workers safe and healthy while still being able to do their jobs is the highest priority for healthcare organizations across the globe. The convenience of connecting providers with patients through telehealth also introduces significant security and privacy risks. In this post we’ll go over some of the security and privacy risks patients may be subject to that telehealth providers should be aware of, what telemedicine companies are doing to prevent these risks, and how Virtru can help ensure you’re staying safe.
What Cybersecurity Concerns are Associated with Telemedicine?
Although video conferencing apps and other telehealth devices are great for doctors, nurses, and patients to be in communication without having to put anyone at unnecessary risk for communicable diseases, there are both security and privacy risks that we should all be aware of.
1. Patients are not in control of their own data
Iot and connected devices are prevalent in healthcare because of the ability to monitor a patient’s health in real-time. Although these devices are crucial to keeping many patients safe, it’s very important to secure the data that these devices are transmitting. For example, when patients agree to having medical devices implanted, or are set up with fall sensors in their home, not only are these devices and sensors picking up signals of a fall or other necessary medical information like they’re supposed to, but they’re collecting other non-medical activities and data as well. These devices and sensors can tell when the patient is home, pick up interactions with family, or detect other activities the patient is participating in, all of which may be information the patient would rather keep private. The data collected from these medical devices can be stored by the device or app manufacturer, not just the healthcare provider. This data could then be sold to third parties and used for targeted advertising or even medical fraud. Although patients give consent to this collection and storage of data, privacy policies are often not read or understood by patients before agreeing, allowing for weaker privacy protections. Collection of data that is not medically necessary violates the HIPAA Privacy Rule which is in place to ensure individuals (or patients) have the ability to control their own protected health information (PHI). This rule sets the standard for who has access to PHI.
2. Video conferencing apps are not necessarily HIPAA compliant
The rise in telemedicine happened very quickly in 2020. The CDC reports that “the number of telehealth visits increased by 50%, compared with the same period in 2019, with a 154% increase in visits noted in surveillance week 13 in 2020, compared with the same period in 2019”. This quick increase in usage caused telehealth platforms to develop at rapid speeds and this fast development sometimes led security and privacy to fall by the wayside. Additionally, the rapid speed of development of telehealth apps, specifically in the wake of the COVID-19 pandemic, means that security is not given the attention it deserves.
Video chatting platforms are not ideal for HIPAA compliance due to the HIPAA Privacy Rule as mentioned above, however, on March 8th 2020 the office for Civil Rights announced it would not impose penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with the privacy regulation during the pandemic. This change allows providers to use conventional, easy to access video conferencing programs like Zoom and Skype as long as the communication platforms are not public-facing such as Facebook Live. While helpful for patient engagement, the loosening of HIPAA regulations puts individual’s PHI at risk of being collected by, or sold to, third parties without additional layers of security in place.
3. Bring Your Own Device (BYOD)
BYOD is when organizations allow their employees to use personal devices for work purposes. Although these devices only access healthcare systems and patient records through a VPN, that alone is not enough to keep endpoints secure. Forbes states that BYOD adoption is accelerating in healthcare likely due to healthcare professionals and providers who are now working from home—including clinicians, administrative teams, financial teams, and IT departments. These professionals are using a wide array of devices such as tablets, computers, and cell phones for patient communication and various other job requirements, which increases the risk of data breaches. Healthcare professionals need to be hyper vigilant to ensure no PHI is saved on devices and that each device has the ability to be wiped clean remotely in case it is stolen or misplaced. Since the device, application, or program may not belong to the provider directly, security measures are hard to keep track of. There may also be a delay of security updates, insecure connections or a lack of transparency in public networks that could make health systems susceptible to attacks.
4. Working from home presents security risks
Employees and contractors are also accessing the network remotely while working from home. The more people that are accessing the network, the harder it is to keep track of all users and be alert to a fraudulent or unauthorized user. To stay as secure as possible, it’s important to keep these working from home security tips in mind.
Consider these tips:
- Avoid connecting to public Wi-Fi
- Keep work only on your work computer
- Encrypt sensitive data when sharing via email or in the cloud
- Ensure all employees keep up with security training
- Have a remote work policy as part of your data security strategy
What Security Measures Should Telehealth Providers Have in Place to Prevent a Breach?
Implementing multi-factor authentication or single sign on (SSO) for all users will help prevent unauthorized third-party access from bots or other malware. Along with authentication, there should be consistent monitoring of devices and infected devices should be removed to prevent further infection of other devices.
Another step to ensure security is to review third-party contracts to confirm all vendor partners are also using the appropriate security measures to meet compliance requirements and offer privacy for patients. Telemedicine providers need to be aware of risks and define their expectations with third-party device vendors to be sure devices will be up to their standards and be sure to have discussions about the strategies for responding to any threat that may arise.
Your security strategy is only as strong as your employees are aware. Increased training for staff on technology solutions and staying up-to-date on common cyber-attacks and risks within the healthcare industry are both critical for a successful cybersecurity program. Continuing education on how to use programs and devices effectively and safely ensures broad user adoption.
Although there are many benefits to utilizing telehealth and telemedicine, oftentimes, layered security is needed in order to meet HIPAA compliance requirements and continue to collaborate with other providers, staff, and patients throughout the course of care. To learn more about encryption’s role in your security and HIPAA compliance programs, download a copy of our HIPAA Guide for Email and File Protection.