The onset of the coronavirus pandemic in the United States quickly brought telehealth center stage as an alternative mode of health care services delivery.

The technology has shown its viability and effectiveness on a wide scale, and large numbers of providers and patients have discovered its convenience, which means telehealth is likely here to stay. As CMS Administrator Seema Verma put it, “Countless clinicians and beneficiaries received important care while avoiding unnecessary exposure to the virus. Now that providers and patients have had a taste, it’s difficult to imagine the telehealth genie going back into the bottle.”

Indeed, a new report by Doximity, an online networking platform for physicians, notes that more than 20 percent of all medical visits — representing $29.3 billion in medical services — will be conducted by telehealth in 2020. Further, as much as $106 billion of current U.S. healthcare expenditures could be virtualized by 2023, according to the report.

Security Concerns in Telehealth

Telehealth is having a moment — a moment that is likely to become a long-term solution for issues related to cost, access, increased demand for services and convenience. But the upswing in telehealth utilization presents challenges, too, notably around the privacy and security of patient electronic protected health information (ePHI). As more patients and providers connect with each other more frequently online, telehealth privacy and security risks rise as well.

Cyberattacks, including attacks on health systems, have risen alarmingly during the pandemic crisis, revealing the appetite among cyber-criminals to strike when institutions and individuals are at their most vulnerable. Data show a direct connection between the pandemic and rates of cyber-crime. For example, on January 30, the day the U.S. announced its first case of the novel coronavirus, cyberattacks rose by 48 percent, according to Computer World.

Telemedicine Security Safeguards

What can organizations do to safeguard their patients’ ePHI and address security concerns in an environment in which telehealth visits are becoming the convenient and cost-effective new normal?

  1. Conduct a third-party risk assessment on any telehealth service you’re using.
  2. Review any software or policy changes your organization has made since the onset of the pandemic and evaluate whether they are still necessary.
  3. Build encryption into every aspect of telehealth implementation, including storage, transmission and access.
  4. Invest in an encrypted, password-protected platform and a service agreement that ensures a maximum level of security. Ideally, partner with a vendor that offers a HIPAA-compliant, secure telehealth platform that can connect patients and clinicians securely across a variety of environments and whose security controls match or exceed those within your organization.
  5. Frequently update all apps and operating systems, including telehealth programs — and restrict access to apps only to those who are directly involved in using them.
  6. Run virus and malware scans at all times.
  7. Stay current on new and emerging trends in cybercrime.
  8. Educate and regularly re-educate clinicians, staff and patients on privacy and security best practices and sources of telehealth security threats. As often noted in health information technology circles, a healthcare network is only as secure as its weakest link. Often, that weakest link is a human being. (A 2016 study by Verizon, for example, reported that 30% of phishing messages were opened by the targeted individual and 12% of those individuals clicked on the malicious link.) This means everyone must play a role in ensuring the privacy and security of ePHI.
  9. Employ continuous identity authentication tools to ensure that only authorized individuals have access to data. Two-factor identification, for example, has been shown to block 99.9% of automated cyberattacks.
  10. Pay attention to the workflows and logistics of telehealth scheduling to avoid problems such as patients inadvertently gaining access to the system when a clinician is in the middle of an appointment with another patient.

Although the Office of Civil Rights gave providers latitude in using non-HIPAA-compliant platforms, for the provision of services via telehealth during the pandemic, ensuring the privacy and security of ePHI should be a priority for healthcare organizations.

Organizations that had to launch telehealth services quickly still can and should establish strong telehealth security safeguards, procedures and practices.

Learn more about keeping your telehealth video application secure. Download our white paper, “Telehealth and Video Application Security.”