The COVID-19 pandemic has challenged hospitals and health care systems in countless ways. Between providing critical patient care, maintaining operations and managing a changing workforce dynamic, the health care industry has been – quite obviously – tested over the last several months.
Now factor in the incredible increase in demand for telehealth solutions. As remote telehealth services have gained considerable traction during the pandemic, hospitals and providers have become even more dependent on these digital solutions to remain productive and safely engage with patients.
However, the increase in telehealth usage also inherently brings greater cybersecurity risks. Couple this with the rise in cyberattacks (i.e., phishing schemes, ransomware, etc.) during the ongoing health pandemic, and cybersecurity becomes even more crucial for administering safe and private telehealth solutions.
What is telehealth?
The Health Resources Services Administration defines telehealth as the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related educations, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.
Note that telehealth differs from telemedicine because it refers to a broader scope of remote healthcare services than telemedicine. While telemedicine refers specifically to remote clinical services, telehealth can encompass remote non-clinical services, such as provider training, administrative meetings, and continuing medical education, in addition to clinical services.
What about HIPAA?
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recognizes telehealth as a means to protect individuals during the pandemic. However, security and HIPAA compliance remain critical while conducting telehealth activities.
The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) is the foremost federal law on healthcare data privacy in the U.S. The law established national standards to protect sensitive patient health information from disclosure without the patient’s knowledge or consent. Two central provisions of HIPAA are the Privacy Rule and Security Rule which focus on protected health information.
As healthcare organizations implement telehealth services, it must be done in a secure way that maintains HIPAA compliance and reinforces patient confidence that the organizations adequately protect their data at all times.
HIPAA compliance during the COVID-19 pandemic
In response to the COVID-19 crisis, the OCR released a notice regarding health care organizations and their use of audio and video technology to provide telehealth services during the pandemic.
OCR acknowledged that during the COVID-19 national emergency, covered health care providers subject to HIPAA rules may seek to communicate with patients and provide telehealth services through remote communication technologies. Some of these technologies, and the manner in which covered health care providers may use them, may not fully comply with the requirements of the HIPAA rules.
As such, OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA rules against covered health care providers who make a good faith provision of telehealth during the ongoing pandemic.
As such, a covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during this time can use any non-public facing remote communication product that is available to communicate with patients.
Therefore, covered health care providers may use popular applications for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without the risk of OCR imposing penalties for noncompliance with HIPAA rules.
The notice further specifies that organizations should not use public-facing applications such as Slack, Facebook Live, Twitch, TikTok, and similar platforms in the provision of telehealth services.
In addition, the notice explains that covered health care providers seeking additional privacy protections while using video communication should employ technology vendors that are HIPAA compliant. By using these vendors, the health care organization will enter into HIPAA business associate agreements (BAAs). The notice provides a list of some vendors that provide HIPAA-compliant video communication products and will enter into a HIPAA BAA:
Skype for Business and Microsoft Teams
Updox
VSee
Zoom for Healthcare
me
Google G Suite Hangouts Meet
Cisco Webex Meetings and Webex Teams
Amazon Chime
GoToMeeting
Spruce Health Care Messenger
What cybersecurity threats should I be aware of?
As virtual health options introduce new tools to share information across a multitude of platforms and the pandemic provides hackers with greater opportunities to attack vulnerable security systems, health care organizations must remain vigilant in their cybersecurity efforts. With increased telehealth use, risk exposure rises in key areas of cybersecurity, including:
Technology failures
Complex identity and access management
Physical security risks
Legacy IT infrastructure
Unpatched software in consumer environments
Increased third-party risks
Use of unsecured or unencrypted personal devices and wireless networks
Social engineering attacks against employees, vendors, and patients through methods such as email (phishing), text messaging, phone calls or fake COVID-19 websites
Even with temporarily relaxed HIPAA rules in regards to telehealth, health care providers need to maintain, or even increase, their cybersecurity during the ongoing pandemic – and beyond.
What are the cyber risks specific to virtual health?
Below are some key areas that providers can focus on to secure their virtual health systems. Implementing strong cybersecurity practices help ease concerns for patients and providers alike.
1. Medical devices and wearables security
Connected devices and wearables inherently raise certain security concerns. These devices generate data classified as protected health information (PHI) and entrust it to the cloud. As consumers and providers continue to use connected health devices, the risk of patient health data grows accordingly. (Note: wearables are electronic devices that individuals can wear, like Fitbits and smartwatches, to collect personal health data.)
For example, devices that send diagnostics to providers need to protect the confidentiality and integrity of the data as it arrives and becomes part of a patient’s confidential record. Furthermore, as patients send pictures or other data to a physician as part of a telehealth session or monitoring program, it is important to develop strategies for complying with and addressing HIPAA requirements.
2. Identity management and multifactor authentication
To ensure that the person on the other end of the virtual connection is indeed who they claim to be, multifactor authentication (MFA) proves vital. Health professionals must verify a patient’s identity to protect the disclosure of private information. Beyond MFA, some providers utilize biometrics (touch or facial recognition in a mobile application), short message service (SMS) tests, or device fingerprinting.
Furthermore, many providers attach contextual information to patients’ electronic medical records or customer relationship management records as a way to improve patient profiling. Contextual information might include metrics from wearables, parental consent for minor patients, or simply information about a patient’s habits in the system. Understanding when and why a patient accesses the ecosystem in search of services can help inform enriched analytics on that patient and improve the patient experience. Making this work relies on an identity management system that is flexible enough to send identity data about a patient to multiple systems. However, as the number of systems multiplies, so do the security concerns.
3. Location-based security
Typically, patients receive virtual health services at home. But in some cases, patients may request services from other locations. It is imperative that organizations providing telehealth services monitor where in the real world their patients receive those services. It may be worthwhile to consider implementing rules for “out-of-bounds” access.
Health care providers must strike a balance between monitoring location-based cues that may signal a cyber threat, while simultaneously offering patients a consistent experience regardless of where they are. Organizations may consider defining location rules and trigger extra authentication only when patients seek virtual services outside of those boundaries.
4. Cybersecurity training
When an organization introduces new services, it is important to educate the consumer about the corresponding risks of using those services. Patients need to understand that their data belongs to them, and that no provider safeguards can replace their own responsibility to make smart decisions about where and how they use telehealth services. It is the responsibility of the organization that both the patients and physicians understand this principle.
What are some cybersecurity best practices?
As you look to improve your digital security, here are some steps to consider:
Notify patients about the privacy risks inherent to telehealth and video conferencing
Ensure your platform of use has end-to-end encryption capabilities and privacy modes
Utilize a nonpublic-facing product to ensure only intended parties can participate in the communication
Set up multi-factor authentication when accessing relevant systems
Ensure users have the most up-to-date version of the mobile applications
Ensure that any remote printing is done through secured devices and the printed materials are stored securely
Verify that the firewall settings maintain adequate security
Validate the security of any applications that were recently web-enabled for remote work
Review user access, including privileged accounts
Validate the performance of cybersecurity monitoring processes due to remote work
Employ a technology vendor considered HIPAA-compliant
Do not use services without a BAA in place
While the OCR will not impose penalties if you do not have a BAA in place during the COVID-19 pandemic, it is still good practice to ensure the vendor will protect electronic patient health information (ePHI) that traverses the system.
To address these and other changing cybersecurity and privacy risks, information technology security management should leverage a risk-based assessment methodology. Regardless of the framework chosen, the main goal of the risk assessment is to provide cybersecurity professionals with a method to manage their program and prioritize and manage security activities.
Your Baker Tilly team is here to assist you. Our professionals can work with your management team to complete a diligent risk assessment in order to help you identify vulnerabilities in your controls, and simultaneously ease the concerns of patients, providers and other business partners.
Our life sciences team offers deep expertise in working with clients in the medical space and understands the unique challenges for the sector. We are here to put our knowledge and experience to work as we help ensure that your telehealth systems are properly secured.
