Getty Images

The Telehealth Security Impact: Now and Beyond the COVID-19 Pandemic

IEEE and Impact Advisor leaders share best practice policies for encryption, risk remediation, and security reviews to reduce possible telehealth security impacts beyond COVID-19.

The COVID-19 response resulted in a virtual care boom that’s expected to last well beyond the pandemic. As telehealth continues to support the shift in healthcare, ensuring a minimal security impact will be crucial in light of critical infrastructure attacks and exploits.

The Department of Health and Human Services enforcement waivers around remote tech will end with the close of the national emergency. Beforehand, providers should review existing policies and procedures to ensure the protection of patient data and their privacy.

Overall, telehealth platforms don’t necessarily pose new threats to the enterprise. Instead, the risk stems from the accelerated implementation of new technologies without adequate due diligence to prevent introducing new vulnerabilities to the network, explained Mike Garzone, vice president of Impact Advisors.

For Rebecca Herold, CEO and founder of The Privacy Professor and member of IEEE, a nonprofit technical organization, the swift deployment of new technologies may have started with insufficient planning and consideration of cybersecurity and privacy risks.

Telehealth risks include those to patient safety, health, and even the integrity of patient data, when those systems are improperly secured. Cyberattacks and ransomware, among other risks, could also lead to tech malfunctions that could further harm patients, she added.

“When physicians and other caregivers make decisions for patient care based on patient data that is not accurate, it creates the very real possibility that incorrect care will be given to the patient, resulting in harm,” Herold explained.

“Security incidents and privacy breaches damage reputation and trust, which results in people not wanting to use the healthcare facilities,” she continued. "It can also lead to large, multi-million dollar fines and associated multi-year penalties.”

With patient privacy, failing to adhere to proper compliance measures can also result in inappropriately shared patient information that can harm patients through medical identity theft, embarrassment, data extortion, reputational harm, and other damages.

To Garzone, the platforms may also have negatively impacted third-party risk management practices and the lessons learned with supply-chain risk.

Covered entities and relevant business associates primarily understand that all telehealth platforms must comply with HIPAA specifications, he added. Once those HHS waivers are gone, the expectation is that those remote platforms will be held to the same privacy and security rigor as other systems.

“Regulatory enforcement pertaining to telehealth was eased somewhat during the pandemic, but this easing will not last forever.”

But Garzone predicts there will be additional stringency for how telehealth is used.

For example, Zoom disclosed a number of privacy and security risks within its platform during the pandemic -- and amid the huge spike in its use. Though it touted encryption implementation, end-to-end encryption was not available for those who did not pay for a subscription.

Those risks were later remediated, but it spotlighted a number of security considerations for the use of non-traditional remote platforms.

“Regulatory enforcement pertaining to telehealth was eased somewhat during the pandemic, but this easing will not last forever,” Garzone explained.

Another major security concern frequently brought to light with telehealth is the insufficient security employed by IoT and smart medical devices. Herold stressed the importance of reviewing the security policies and procedures in place for all personnel and contractors tied to these devices, including online patient portals, smart home devices, and fitness devices.

Recommended Next Steps

To ensure the security of the enterprise, it’s important that providers take steps now and in the long-term to ensure the security of both rapidly deployed tech and long-standing platforms. If it’s not been done already, providers need to establish comprehensive telehealth policies and procedures, stressed Herold.

Those with established policies should review and update the procedures to address any inaccurate information, while adding new privacy and security requirements able to address new risks stemming from the pandemic and other scenarios.

Further, workforce members tasked with telehealth usage should be provided with regular training on privacy and security risks. Herold suggested the training occur at least once every quarter, but monthly would be the best option.

The sessions can be short, at just 10 to 15 minutes, but should focus on specific topics and how it relates to the entity’s telehealth policies and procedures. Herold noted that all relevant business associates should be employing the same policies and training measures.

“This way the need for security and privacy practices during daily work activities stays top of mind for workers, said Herold. Also sending out occasional short reminders about security and privacy is helpful.

“Perform a risk assessment to identify where there are still vulnerabilities within the healthcare organization and to identify non-compliance issues with HIPAA and other applicable laws, regulations, and contractual requirements for security and privacy,” she added.

Garzone provided key recommendations for reviewing both previously established and rapidly deployed telehealth tech, which include:

  • Does the telehealth provider take precautions to positively identify the patient before the telehealth encounter?
  • Is the patient the only person in the room during the call? In essence, is the encounter being conducted with the same privacy afforded as an in-person visit?
  • Has the patient received education for the security of the end-point device they are using to facilitate the telehealth encounter?

The Role of Encryption and Authentication

For Herold, encryption is a critical, necessary telehealth tool, not only for transmission pathways that deliver those services, but also for the care of remote patients and to protect patient data wherever it’s stored.

As a range of workforce members routinely need to share protected health information to support patient care, patient privacy and security is paramount. Herold stressed that much of the data sharing takes place with external actors and even internally with other providers, increasing the risk of exposure.

“Encrypting data provides some of the most effective security to prevent unauthorized access to patient data, and protection to the integrity of the data which is vital to patient care and health,” she explained. “Using encryption not only protects data from unauthorized access, and protects from privacy breaches, but it also supports a wide range of regulatory and other types of legal requirements.”

So where does encryption fit in? 

  • In storage within healthcare facilities’ computing devices and digital storage devices and media
  • Within any business associates’ computing devices and storage devices, including the cloud services used by the healthcare organizations
  • Within the pathways through which communications take place during telehealth visits with patients, using VPNs, or through secured communications portals, making sure that encryption is turned on within those portals during telehealth visits (encryption is typically not turned on by default) 
  • Within the personally owned devices that healthcare provider physicians and other staff use
  • At health data portals when collecting the data through online forms, along with from other locations

Herold added that all caregivers should recommend to patients that any PHI downloaded to their devices be encrypted, including computers, storage devices, and any cloud services.

Authentication is equally important, and as routinely recommended by federal agencies and security leaders, multi-factor authentication should be implemented wherever possible. MFA is proven to block 99.9 percent of all automated attacks and can effectively protect patient data.

Healthcare network administrators should also be logging all access to patient data and flagging any accesses and attempted accesses, particularly those from unauthorized user accounts and outside the organization, Herold explained.

Those leaders should also consistently review those logs, either manually or through an automated process, and quickly follow-up on suspicious activity.

“We contend that informed consent by the patient about the telehealth process is just as important as purely technical considerations,” Garzone explained. “In this regard, telehealth solutions should not be viewed differently than other ‘technologies’ used by a healthcare provider.” 

“The use of technology, and its application to the workflow processes around it, must be considered,” he added.

Security leaders can also review recent guidance from the Healthcare and Public Health Sector Coordinating Council, which can support the assessment of these programs and mitigation of potential risks.

Next Steps

Dig Deeper on Health data threats