Report: COVID-19 Telehealth Risks and Best Practice Privacy, Security
A report published in JAMIA spotlights both the cybersecurity risks associated with telehealth use amid COVID-19 and best practice privacy and security measures needed in response.
Highlighting the risks posed by lifted restrictions on communication apps amid the COVID-19 pandemic, new research published in the Journal of the American Medical Informatics Association urged healthcare organizations to take steps to bolster telehealth privacy and cybersecurity measures.
In March, the Department of Health and Human Services announced it would lift penalties around a range of telehealth uses to help support the response to the national crisis, including an expanded list of platforms permitted for use that would fall outside of those deemed compliant by the HIPAA rule under normal circumstances.
Simultaneously, federal agencies and security researchers increased the rate of reports, alerts, threat insights, and guidance to support providers as they rapidly expanded their use of these platforms, alongside the rapid adoption of remote work and temporary care sites.
In fact, phishing campaigns tied to COVID-19 and nation-state hacking efforts targeting the healthcare sector have dominated the threat landscape, even up to this week.
To privacy and security leaders Mohammad Jalali, PhD, William Gordon, MD, and Adam Landman, MD from Harvard Medical School and Brigham and Women's Hospital, a host of new cybersecurity risks were introduced by new telemedicine app implementations, which have been amplified by an onslaught of ransomware attacks.
“Despite the numerous barriers to telemedicine, such as educating staff, cost, reimbursement, access to broadband, and patient digital literacy, telemedicine has flourished during the pandemic, forcing implementations that may have taken years without such a catalyst,” researchers wrote.
“As we continue this shift to telemedicine, new issues and risks unravel that need to be addressed, particularly in regard to information security and privacy, and ongoing work is needed to ensure that our technology infrastructure provides an environment for safe and effective care delivery,” they added.
Zoom, in particular, has rapidly expanded the threat landscape, given a host of security issues that include a lack of adequate encryption of communications and the ability of unauthorized users to interrupt video calls, a practice previously dubbed 'zoombombing'.
The researchers also spotlighted the recent death of a patient in Germany, brought on by an ambulance diversion amid a ransomware-induced EHR outage. Cyberattacks also notoriously spur delays in patient care, economic loss, and negative impacts on business operations.
The most recent EHR downtimes in the US were brought on by ransomware attacks at Universal Health Services, Sky Lakes Medical Center, the University of Vermont Health Network, St. Lawrence Health System, and Sonoma Valley Hospital, which is still recovering its EHR and network more than two months after a ransomware attack.
These risks are heightened by the massive number of phishing campaigns that target the sector and prey on human nature.
In light of these threats, the researchers released a number of recommended best practice privacy and security measures needed to ensure the security of the healthcare infrastructure.
To start, healthcare organizations should ensure they have the right processes in place to drive awareness across the enterprise, including education, training, and even simulated cyberattacks.
Hospitals may also consider reducing the number of announcements sent to employees, as research shows that employees’ workload has the biggest effect on the rate of clicking malicious links.
Administrators should ensure they’ve implemented best practice security measures, including data encryption, prompt software updates, antivirus software, two-factor authentication, and employing local cybersecurity recommendations or regulations.
Further, while it may have been necessary to leverage consumer-based video conferencing tools at the start of the pandemic response, covered entities should transition to an enterprise-grade, healthcare-specific product as soon as they're able, as those platforms typically offer better security features.
“Protection against these threats to secure telemedicine platforms is complex, and requires a multi-disciplinary, multi-stakeholder approach,” researchers explained. “Healthcare organizations need to enhance (if not revolutionize) their cybersecurity infrastructure by developing stronger prevention and detection protocols, both administrative and technological.”
“Executives need to be willing to invest fully in cybersecurity throughout the organization,” they added. “Emerging fields, such as AI, IoT, and blockchain can also be employed as prevention and detection tools to combat cyber threats more effectively.”
To accomplish these larger tasks, healthcare organizations should partner with both cybersecurity and telemedicine vendors to understand the best ways to implement these technologies on the network.
Lastly, even with strong cybersecurity measures in place, attackers will often find ways to gain access to networks. As such, providers must ensure they have both developed and practiced their cyber response plans so they can maintain patient care in the event of a cyberattack.
“Unfortunately, response plans are often ignored or they are not considered as prevention and detection strategies,” researchers concluded. “Response plans that are tested and practiced are required to minimize the negative consequences of an incident and ensure the provision of safe, secure, and reliable health care operations.”
“Ultimately, while healthcare systems should allocate significant resources towards improving telemedicine capabilities, it is up to healthcare delivery organizations to ensure that these new capabilities are safe, secure, and protect patient privacy,” they added.
Healthcare organizations can also find further telehealth and remote work security resources from the American Medical Association, the NSA, and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.