The Coronavirus pandemic has catalyzed a rapid increase of telehealth adoption. Leveraging telehealth platforms, patients are able to speak with doctors and nurses without having to risk exposure to themselves or others.
By Ian Terry, Information Security Consultant at Intraprise Health
The increase has been so drastic that the U.S. Department of Health and Human Services, its Office of Civil Rights (OCR) and the FBI have released special guidance related to the use of telehealth systems, particularly on how they have come under attack by malicious actors and advanced persistent threats (APTs).
For privacy and security practitioners in healthcare, the increased use of telehealth and government attention signals the need to learn more about telehealth systems, the security risks associated with their use and strategies for mitigating those risks.
Telehealth and Protected Health Information
Telehealth is the use of systems and services to provide health care diagnoses and to connect providers to patients remotely. Often, patients will use applications on their device to connect via videoconference with doctors.
Similar to a conventional provider environment like a hospital or urgent care office, patients must relay information like their birthdate, age and medical history as well as their current symptoms during a telehealth session. The doctor can then prescribe medicine or treatment based on this virtual visit. All of this information is considered protected health information (PHI), which means it must be protected according to HIPAA requirements.
Companies that use or develop telehealth software must ensure their telehealth solution is adequately vetted, configured and used in such a way that demonstrates HIPAA compliance and protects the privacy and security of patients’ PHI.
Security Risks – New “Friends” and Familiar Faces
Telehealth relies on many of the products and technologies with which we are already familiar in both professional and consumer settings. As such, telehealth systems are prone to many of the same vulnerabilities and risks.
Attackers can intercept data transmitted between the patient and provider during telehealth sessions if encryption and authentication protocols are not properly utilized. Or they could hijack a legitimate user’s credentials and impersonate them during a session, adding an additional layer of complexity to identity theft. In this situation, the victim’s healthcare records could be inaccurately modified – potentially affecting their care for years to come until the illegitimate modifications are rectified.
These types of attacks occur in real time. But attackers can also exploit telehealth environments to obtain patient data at rest. In some instances, recordings, notes and patient data collected or created during sessions could be saved to servers or smartphones. If these devices are not adequately encrypted, they could be the targets of a successful data exfiltration attempt.
The introduction of telehealth solutions into providers’ service offerings can speed and improve the provision of healthcare to their patients but can also broaden their attack surface. Organizations should be prepared to expand their security program to compensate, accounting for risks to confidentiality, integrity and availability (CIA) of patient information before they suffer a costly and damaging data breach.
Tele-Help Me Out – What Can We Do?
Providers or business associates looking to use telehealth solutions, or to ensure existing solutions are secure, should consider the following:
Perform a Security Risk Assessment of the Telehealth Solution and Its Vendor
Commonly referred to as a third-party risk assessment, this type of assessment is performed by the organization to evaluate the security posture of a vendor as well as the controls implemented in their product or service.
Assessors should examine a prospective telehealth solution’s documentation and collaborate with the vendor’s technical specialists to compare the solution’s technical security controls with organizational standards.
Further, organizations should solicit information related to the vendor’s own cybersecurity/information security program – especially if the vendor is storing or transmitting any patient data (e.g., a SaaS solution). This involves reviewing their policy and process documentation to ensure they have a HIPAA-compliant program in place.
Request or Perform an Application Penetration Test
Providers should request from the vendor any application penetration testing results or findings associated with the telehealth product. Because penetration testing simulates real-world attacker scenarios, it is one of the most effective ways to evaluate the security of an application.
Reviewing and discussing ‘pen’ test activities with prospective telehealth vendors provides insight specific to the application as well as a demonstration of a vendor’s respect for cybersecurity – if a vendor doesn’t perform in-depth penetration testing of their telehealth product, it may be worth looking elsewhere for a partnership where security is mutually valued.
Improve Your Telehealth Policies, Procedures, and Training Materials
As with any technology used by your workforce, data security depends heavily on how the platform is used. It is important that your workforce follows processes and policies that are tailored to the unique risks associated with telehealth platforms.
Leveraging policy can ensure your company has the authority to enforce standards of behavior when using telehealth platforms. Process and procedure documentation arms your workforce with step-by-step instructions on how to perform their duties appropriately.
Additionally, education and training on the appropriate use of telehealth platforms – particularly training on HIPAA privacy and security best practices – should be given to workforce members who use them. For example, remind doctors to destroy any handwritten notes and to hold telehealth sessions away from bystanders to avoid an incidental disclosure scenario.
OCR Enforcement Discretion – This Means We Don’t Have to Worry, Right?
OCR announced that it would not impose penalties for noncompliance with regulatory requirements under the HIPAA rules against care providers employing telehealth during the COVID-19 public health emergency.
For providers, this means they can temporarily get away with HIPAA noncompliance when implementing and using telehealth systems “in good faith” to serve patients, reduce potential exposure to COVID-19 and handle the abrupt increase in volume.
Additionally, this allows covered health care providers to use popular applications that allow for video chats such as Apple FaceTime and Zoom to provide telehealth services.
This relaxation of enforcement allows providers to quickly pivot towards telehealth integration. Providers should be aware, however, that this does not altogether absolve their responsibility to privacy and security when using telehealth systems – at least, not in the long term.
Though the Notification of Enforcement Discretion does not have an expiration date, OCR has stated they will issue a notice to the public when it is no longer exercising the enforcement discretion. When that day comes, transitioning will be easier for providers that did their due diligence ahead of time – assessing risk, establishing Business Associate Agreements (BAAs) and Data Exchange Agreements, and ensuring their policy and process documentation speaks accurately to their use of telehealth platforms.
Telehealth is a revolutionary technology that has enabled providers and patients to enjoy the benefits of remote health services – benefits that are demonstrating their value during a critical situation.
Providers should be aware of the risks posed by the use of telehealth systems, and developers of these systems should prepare themselves to be on the receiving end of security inquiries and risk assessments. Despite OCR’s enforcement discretion, providers adopting telehealth solutions should not leave security and privacy by the wayside.
About the Author
Ian Terry, SSCP, HCISPP, is an information security consultant at Intraprise Health, a cybersecurity firm that works with healthcare organizations to secure their healthcare data.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.