The practice of medicine is changing across the majority of specialties in response to the COVID-19 pandemic, shifting to a model based on virtual appointments and digital care. Telemedicine solutions are encouraged whenever possible to minimize exposure risk and virus spread; although this has allowed greater flexibility and the ability for many practices to remain operational, the resulting rapid expansion of telehealth services carries its own set of risks. The novel coronavirus outbreak has led a drastic increase in cybersecurity threats, including data privacy and online patient safety concerns, as many emerging telemedicine solutions are entering the market without adequate prior testing or proven safety records.
The new workflows and technologies being introduced to meet rapidly rising demand require information technology professionals to develop rapid-response risk-analysis capabilities, according to Chief Information Security Officer at Penn Medicine, Dan Costantino’s interview with Healthcare IT News. Although cybersecurity concerns have surrounded digital medical services since their emergence, they are heightened now as more patients readily exchange their privacy for immediate care and an increasing number of telemedical solutions are forced to enter the market as soon as possible.
Data Privacy Regulations and Concerns
To make providing digital care easier, federal regulations have temporarily lessened HIPAA restrictions for the duration of the outbreak, now allowing practitioners to utilize popular telecommunication software, such as Zoom and Skype. However, while these services may allow easy patient-provider communication, they also present potential data privacy concerns. Recently, a growing number of reports has emerged concerning hackers hackers targeting Zoom domains and other applications used in the telehealth space. In addition, there has been an increase of warnings pertaining to COVID-19 fraud schemes and supply chain attacks as cyber criminals have been taking advantage of the pandemic situation. Practitioners must remain alert and aware of the existing cybersecurity risks pertaining to the telemedical practice in order to protect both themselves and their patients.
Telehealth Cybersecurity Best Practices
Increased cybersecurity risks in the telehealth space have been tied to extended lists of users accessing networks and telecommunication platforms, as well as the rush of untested technologies – all of which can exacerbate online security, data privacy, and compliance concerns. Although complete cybersecurity is difficult to guarantee in the current technological environment, as many providers are now working from home devices and networks, the following best practices can help protect telemedicine providers and their patients from many forms of cybercrime.
Invest in Cyber Insurance
Before beginning a telehealth practice, providers should consult their malpractice insurer to determine whether digital services will be covered under their current policy. In addition, practices may want to purchase cyber protection alongside their business insurance package, which can help cover the significant financial repercussions of a data breach.
“This includes costs associated with forensics, notification and call center costs, credit monitoring fees, public relations fees and legal fees. However, cyber insurance provides much more than just risk transfer,” David Line, CFO of VitalSkin Dermatology told Dermatology Times in an interview. “Good cyber policies also help prevent a breach in the first place. They provide password protection software, employee training, and incident response support. It should be an integral part of every medical practice’s risk mitigation solution.”
Ensure VPN Security
Virtual private networks (VPNs) are a priority for cyber-safety; as the most important elements of protected communications, they allow users to connect to enterprise networks remotely. Using VPNs can ensure data is encrypted properly and passes through corporate resources before being disseminated through internet-hosted software. According to data reported by Health IT Security, virtual private network (VPN) usage has increased by 124% in the U.S. within the past two weeks alone. This surge is contributing to growing concerns over network safety.
Although VPN use is one of most secure methods of online communication, organizations have been failing to patch core vulnerabilities leading to rising numbers of cases of exploitation of VPNs; Health IT Security reports, “As of January 2020, thousands of organizations still had not updated the flaws with the latest patches.”
Practitioners providing online care and healthcare organizations with telehealth services must ensure VPN software is up to date and eliminate potential VPN vulnerabilities to protect sensitive patient data.
Manage and Encrypt Mobile Devices
Allowing practitioners to access protected health information (PHI) and telemedicine software from their personal devices permits rapid virtual care more easily than distributing corporate devices for home use at this time. However, to protect themselves against cybersecurity risks, providers and healthcare organizations must employ appropriate mobile device management tools before embracing the bring-your-own-device (BYOD) strategy. This includes the segregation of personal devices and applications from healthcare apps and data – which can significantly reduce the risk of data leaks – as well as the encryption of all devices.
Lost or stolen devices – mobile phones, desktop computers, laptops, and USB drives – are the leading cause of data breaches. While HIPAA regulations provide some protection for the loss or theft of encrypted data, the vast majority of electronic PHI breaches result from access to unsecured devices. Medical practices and providers are urged to ensure that all mobile devices, software, communication systems, and stored data are encrypted.
According to recommendations from Health IT Security, providers should also employ a tiered system which grants devices access to data based on their security levels. In this way, organization-owned laptops and other top-tier controlled devices would have the most access, while personal or BYOD mobile devices would have minimal access to sensitive data.
Establish Telehealth Guidelines
Employee access may prove to be one of the most difficult risk factors to manage for protecting cybersecurity. Recently, an IBM study reported that nearly 95% of all data breaches were caused by employee errors resulting in lost or stolen devices, sharing of information with incorrect recipients, sending sensitive data unencrypted, or falling victim to phishing or ransomware attacks.
To ensure optimal cybersecurity, all staff members should be trained on practice policies and procedures regarding online care, HIPAA compliance, data handling, and PHI protection. Telemedicine security policies should be put into place to help define virtual care, remote access, as well as BYOD requirements for clinicians; they should also educate clinicians and other staff members on protection against ransomware, phishing attempts, and other targeted scam activities.
Use Approved and Reputable Software
The rapid rise of telemedicine services has prompted the emergence of new platforms and applications, many of which have not yet been adequately vetted. Providers are urged to download applications only from reputable sources and utilize only approved and safe telecommunications platforms. Healthcare organizations may already have such systems in place, although providers should check with their HR department to ensure they have the right information before downloading and connecting to any new platforms.
Understand How Platforms Manage Data
To ensure compliance, patient safety, and data privacy, providers utilizing any online services should have a robust understanding of the data collection, storage, and destruction policies of each platform. The majority of reputable telecommunications providers feature codes of conduct and information about their data use practices, as well as their levels of compliance with HIPAA regulations. Both patients and providers should aim to disclose personal information when absolutely necessary to prevent the misuse or mishandling of sensitive data.
Protect Passwords and Use Identity Authentication
One of the most common ways hackers obtain access to electronic protected health information is by capturing or guessing passwords; preventing password theft and unapproved logins requires the use of password best practices, including identity authentication. Director of Information Technology for VitalSkin Dermatology, JD Norcross highlights the following tips for developing and protecting a secure password in Dermatology Times: “They should include at least eight characters: numbers, capital letters and special characters. Do not use dictionary words, and consider using pass phrases. Change passwords every 60 days, do not post passwords in plain sight, use multi-factor authentication, lock users out after three failed attempts, consider using a password database, and limit user access to the most sensitive databases to only those who need it to perform their job.”
As Norcross underscores, healthcare institutions should ensure their software and telemedicine platforms are equipped with appropriate identity authentication systems, which are critical to online safety. The most common method is the use of multi-factor authentication, reported to block 99.9% of all automated cyberattacks. As a security enhancement, multi-factor authentication allows users to log in and access their accounts after they present two or more pieces of evidence confirming their identity, thereby greatly reducing cybersecurity threats.
With the majority of non-emergency patient-provider interactions occurring via telehealth platforms at this time, cybersecurity threats are at an all-time high. Telemedicine technologies have been necessary to help relieve an over-stressed healthcare system and their growing use has significantly benefited the sector, yet the safety of patient data and privacy remains a concern. While many of these technologies are still new to most users, cyber criminals have already begun to locate and target network and software vulnerabilities, using the broad expansion of telemedicine as a platform for attack. As the number of telehealth encounters continues to increase, medical professionals and organizations must prioritize the cybersecurity and network safety of all online interactions. Employing the above cybersecurity best practices and proactive data protections strategies can help protect a medical practice from data breaches, online fraud, and other cybercrime.
