Securing Telehealth in a Vulnerable World
By Stephen Trout, , HIPAA Blog, Resources, Security, Uncategorized

In a season where “normal health services” have been anything but normal, one thing appears clear: telehealth is here to stay.

A recent study notes that 46 percent of consumers now use telehealth in place of in-person healthcare visits – as opposed to just 11% in 2019. 

Primarily used for level-one consults and routine exams, telehealth offers “a tool for patients to connect with their providers in a way that’s sometimes more convenient, sometimes more accessible, and sometimes the only option,” notes Daniel Marchalik, MD, medical director of physician well-being at MedStar Health. “Being able to leverage the power of telehealth during the pandemic surges has been incredibly important.”

This seismic shift to virtual consults is undergirded by the fact that most insurers now provide increased coverage for telemedicine. As such, providers are gearing up for continued use of telehealth services even beyond the vaccination period for Covid-19. 

In other words, as one doctor notes, “the genie is out of the bottle.” 

Sadly, so are the cyber attacks. 

According to Health Industry Cybersecurity—Securing Telehealth and Telemedicine, telehealth providers faced a multitude of attack vectors from malicious actors in 2020, keeping pace with the emerging global pandemic:

  • 117% rise in website/IP malware security alerts
  • 56% rise in endpoint vulnerabilities that enable data theft
  • 16% increase in patient-accessed web application vulnerabilities
  • 42% growth in file transfer protocol vulnerabilities that expose information traveling between a client and a server on a network

Overall, this has led to a 65% increase in security patching of known vulnerabilities.

Healthcare’s Call to Action

How should healthcare respond? As with all applications of health technology, securing the delivery modes of care must be considered an intrinsic patient safety issue. 

The AMA has made this clear: security simply can not be an afterthought – either by the technology provider or app developer, IT services, or even the technology user.

It stands to reason; if the patient is seen virtually but subsequently has their personal healthcare data compromised by hackers, their overall well-being has not been cared for or protected. Unavailable data may also hinder ongoing health services, leading to a possible negative impact on patient health. 

While anyone who touches HIPAA data is bound to protect it, it’s ultimately the healthcare provider who will be held liable; potential fines, lawsuits, and a negative reputation may result. This would be a lose-lose situation for both provider and patient.

It is incumbent upon healthcare providers therefore to ensure as much security expertise (training, etc.) in telehealth as they do in other aspects of their work.  A security plan that identifies risks is key. 

Integrated Platform Security 

A comprehensive security plan will necessarily examine the “patient journey,” as it seamlessly transitions between diagnostic platforms. For example, a patient may start with a telehealth exam then move to another consult on a different platform. Securing the entire journey should be the focus.  

From a security perspective, the following questions must be included in an overall assessment:   

  • Do we have a HIPAA-compliant infrastructure for all platforms?
  • Are there access controls for all systems, including strong passwords and two-factor authentication?
  • Do we have appropriate protections for telehealth data with PHI, including storage?
  • Are all healthcare communication devices (laptops, tablets, smartphones) used with only protected Wi-Fi networks? 
  • Are systems monitored 24/7 to ensure consistent reliability and uptime?
  • Have we ensured ongoing server hardening (securing with updates and patches)?
  • Are there regular vulnerability scans of servers, and mitigation of the vulnerabilities discovered? 
  • Are off-site backups of HIPAA data being made?
  • Is there log retention of 6 years (a HIPAA mandate)? 
  • Is there a signed Business Associate Agreement (BAA)?
  • Do we have dedicated technical support that will serve as an “extension of our practice”?

As critical as your telehealth environment is for being proactive in your care, it’s also important to create cyber-awareness for your patients (remember your defenses are only as strong as your weakest link). 

We Can Help

A regular, guided risk assessment of the journey of care will be essential. Input from proven HIPAA security experts like HIPAA Vault can be invaluable for maintaining a strong security posture. 

In order to maintain consistent care, you’ll also require dedicated support technicians who will personally answer the phone and resolve your issues promptly. For example, HIPAA Vault maintains a “tierless” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as system monitoring, with over 90% resolution the first time you call. No cumbersome phone trees or being kept on hold for long periods of time. And our managed services allow you to streamline your IT costs, effectively saving you money.

Clearly, virtual visits appear to be a regular part of healthcare’s future. Talk to us about how we can be an extension of your team, and provide a secure infrastructure and 24/7 support services to assist you in your goal of delivering quality, safe healthcare.

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760–290–3460 or www.hipaavault.com.