Best Practices for Telehealth Cybersecurity During COVID-19 and Beyond
By: Caregility Team
Many healthcare providers who implemented telehealth services weeks or days after the coronavirus pandemic struck may have put telehealth cybersecurity issues on hold as patient needs and the delivery of remote services took precedence. In 2021, telehealth is continuing its ascent, increasingly becoming woven into the fabric of our healthcare delivery — yet cybersecurity threats are also on the rise. Now, it is time for healthcare organizations and medical groups to give telehealth cybersecurity the attention it deserves to safeguard the privacy and security of patient health data.
There are compelling reasons for doing so. Telehealth visits grew 350-fold in April 2020 compared to pre-pandemic levels, according to the Department of Health and Human Services. The trend shows no signs of slowing, and as telehealth and telemedicine usage increases, so will the exposure of patients and healthcare organizations to cybercrime involving personal medical information.
“A rush to develop and implement telehealth technology and a host of other digital health services could make it even easier for cybercriminals looking to gain access to private medical records in the coming year,” cautions consumer credit bureau Experian in its most recent Data Breach Industry Forecast.
Noting that telehealth providers experienced a 30% increase in cybersecurity findings per domain in 2020, the organization predicts that breaches involving personal medical information will be a major data breach trend in 2021.
Although providers were given flexibility during the pandemic in using non-HIPAA-compliant platforms for telehealth services through the Emergency Use Authorization, hospitals and medical groups should still be doing everything they can to protect their patients’ health information as their telehealth services gain traction.
Here are some recommendations to avoid breaches in privacy and security even as telehealth continues to expand:
- If you are currently using a consumer videoconferencing tool, plan to transition to an enterprise video conferencing product designed specifically for healthcare. The consumer video conferencing platform Zoom experienced a 10-fold increase in usage with the onset of the pandemic, much of it by healthcare providers. With that growth came increased incidents of “Zoom-bombing,” the disruptive intrusion, often by trolls, into video conference calls.
- Additional risks include eavesdropping on patient visits where encryption is inadequate, and the possibility that an eavesdropper could capture a screenshot of patient health information being shared during a virtual visit.
- Enterprise-grade products may include security features such as encryption or a waiting room for every teleconference that lets the host (clinician) control when a participant joins the call. These security features can be standardized across the organization.
- Implement multi-factor authentication for providers as well as for all patients who have online accounts with the provider. This is one of the simplest and most powerful actions providers can take to boost cybersecurity using any one of several easy-to-install MFA systems currently on the market. Industry research shows that an account is more than 99.9% less likely to be compromised when MFA is used.
- Consider updating your encryption. Most organizations already encrypt patient health information, but the goal of encryption is to make compromising the protected data so computationally hard and expensive that attackers cannot justify the time and effort. This goal is best served by software that uses the stronger, modern encryption methods developed in recent years.
- Apply the principle of least privilege, limiting access to telehealth and telemedicine platforms to the minimal level users require to carry out their duties and responsibilities.
- Change default passwords to strong passwords for all devices and systems.
- Educate and regularly re-educate clinicians, staff and patients on privacy and security best practices and sources of telehealth security threats. (A recent study published in the Journal of Medical Internet Research found that workload had the strongest impact on the rate of clicking on phishing links by employees.)
- Because healthcare hackers tend to target older legacy systems with insufficient security, consider updating your network security. Though replacing your network infrastructure may seem daunting, it pales in comparison to the costs of a data breach that could compromise your patients and their private medical information and jeopardize your organization’s reputation and trust within the community.
- Should an incident or data breach occur, be prepared with a thorough response plan that has been tested and practiced in advance to minimize the negative consequences.
- Use white hat hackers and penetration testers to find holes in your cybersecurity approach. This form of “stress testing” will help you discover your organization’s cybersecurity strengths and weaknesses.
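Two of the recommendations above describe concrete enforcement mechanisms: a waiting room in which only the host (clinician) decides when a participant enters the call, and least-privilege access so that each user can do only what their duties require. The following Python sketch is an added illustration of how those two controls fit together in a telehealth session; it is not Caregility’s code or any vendor’s API, and the role names, action names, session layout and the `mfa_verified` flag are assumptions chosen for the example. Every action is denied unless it is explicitly granted to the user’s role, joining always lands in the waiting room, and only the session’s host can admit.

```python
"""Least-privilege authorization plus a host-controlled waiting room for a
telehealth visit.  Added illustration: roles, actions and session fields are
assumed for the example and do not correspond to any real product."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    CLINICIAN = "clinician"
    PATIENT = "patient"


# Each role receives only the actions it needs; anything absent is denied.
PERMISSIONS = {
    Role.CLINICIAN: {"join", "admit", "view_record", "share_screen", "end"},
    Role.PATIENT: {"join", "share_screen"},
}


@dataclass
class User:
    user_id: str
    role: Role
    mfa_verified: bool = False  # set by the login flow after the second factor


@dataclass
class Session:
    host_id: str
    waiting_room: list = field(default_factory=list)
    participants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)


class AccessDenied(Exception):
    pass


def authorize(user: User, action: str) -> None:
    """Deny by default: the caller needs MFA and an explicit role permission."""
    if not user.mfa_verified:
        raise AccessDenied(f"{user.user_id}: MFA required before {action}")
    if action not in PERMISSIONS.get(user.role, set()):
        raise AccessDenied(f"{user.user_id} ({user.role.value}) may not {action}")


def request_join(session: Session, user: User) -> str:
    """Joining never places a user in the call; they wait for the host."""
    authorize(user, "join")
    session.waiting_room.append(user.user_id)
    session.audit_log.append(("waiting", user.user_id))
    return "waiting"


def admit(session: Session, host: User, user_id: str) -> str:
    """Only this session's host moves someone from waiting room to call."""
    authorize(host, "admit")
    if host.user_id != session.host_id:
        raise AccessDenied(f"{host.user_id} is not the host of this session")
    if user_id not in session.waiting_room:
        raise AccessDenied(f"{user_id} is not in the waiting room")
    session.waiting_room.remove(user_id)
    session.participants.append(user_id)
    session.audit_log.append(("admitted", user_id, host.user_id))
    return "admitted"


def view_record(session: Session, user: User, patient_id: str) -> str:
    """Record access needs the permission and an active role in the session."""
    authorize(user, "view_record")
    if user.user_id != session.host_id and user.user_id not in session.participants:
        raise AccessDenied("record access only from within the session")
    session.audit_log.append(("record_viewed", patient_id, user.user_id))
    return f"record:{patient_id}"  # constructed placeholder payload


def demo() -> dict:
    """Run a constructed visit and report which actions were allowed or denied."""
    dr = User("dr-lee", Role.CLINICIAN, mfa_verified=True)
    pat = User("pat-42", Role.PATIENT, mfa_verified=True)
    stranger = User("anon", Role.PATIENT, mfa_verified=False)
    session = Session(host_id=dr.user_id)
    outcome = {"patient_join": request_join(session, pat)}
    for label, call in [
        ("stranger_join", lambda: request_join(session, stranger)),  # no MFA
        ("self_admit", lambda: admit(session, pat, pat.user_id)),    # not host
        ("patient_record", lambda: view_record(session, pat, pat.user_id)),
    ]:
        try:
            call()
            outcome[label] = "allowed"
        except AccessDenied:
            outcome[label] = "denied"
    outcome["host_admit"] = admit(session, dr, pat.user_id)
    outcome["clinician_record"] = view_record(session, dr, pat.user_id)
    outcome["participants"] = list(session.participants)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The audit log is kept alongside the session so that every admission and record view is attributable to a user, which is what an incident response plan (the recommendation further up the list) will need when reconstructing who saw what during a visit.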
For more information, download our white paper, “Telehealth Video Application Security.”