The COVID-19 pandemic has driven a dramatic increase in telehealth adoption. To protect patients and staff from possible exposure, healthcare providers have made rapid investments in telehealth video conferencing platforms to accommodate video visits, rather than in-person exams. In April 2020, it was reported that nearly half of the nation’s physicians are now using telehealth to treat patients, up from just 18 percent two years ago.
In some cases, providers have adopted commercial or consumer-grade video conferencing applications for those telehealth appointments. While these applications complied with relaxed HIPAA regulations and enabled clinicians to quickly implement the solutions, news of security flaws and privacy violations quickly emerged.
As the COVID-19 pandemic continues, video visits may become a long-term solution for healthcare organizations. That means it’s more important than ever to assess your current video solution for potential security risks and, if necessary, evaluate alternate options to determine if you can provide a more secure solution for virtual patient visits.
Emerging Telehealth Security Risks
Over the past several months, many telehealth-related security breaches have been reported, especially with the use of common consumer-grade video solutions. Some of the privacy violations and concerns that have emerged include:
- Videobombing: Video conferences aren’t always password protected, especially when using general consumer video conferencing applications. This allows individuals to hack into and interrupt an ongoing conference, often displaying inappropriate behavior or content.
- Misleading encryption claims: Some solution providers claim to provide end-to-end encryption within their video conferencing platforms when their implementation does not actually offer complete end-to-end encryption. In these cases, the solution may allow unauthorized access to encrypted audio and video from telehealth appointments.
- Third-party data sharing: Some popular consumer-grade teleconferencing solutions have been accused of sharing user data with third parties like Facebook — without properly notifying users.
- Malware: It has also been discovered that some teleconferencing solutions have been infected with malware, which allows malicious actors to record sessions and capture text without the participants’ knowledge.
- Unsecured video calls: While some video solutions allow you to delete previously recorded calls, researchers have found that those calls may actually be accessible for hours after being deleted. Worse, previously recorded calls can sometimes be accessed and downloaded through an unsecured link.
6 Considerations for Evaluating Telehealth Video Conferencing Solutions
As provider organizations weigh their telehealth options, they should thoroughly vet the security of all available offerings, whether they’re directed at general consumers or healthcare organizations. When performing that due diligence, use the following considerations to evaluate potential solutions:
- End-to-end encryption: Video streams should be encrypted from end to end — meaning that only the people involved in a call should have access to what’s said or shown. Even the solution provider should not have access to that data.
- Up-to-date security certifications: Your solution provider should have up-to-date security credentials that prove it has undergone security and privacy audits by a trusted third party.
- Tracked access: The video solution should be able to track who has accessed the system and its data. You may also want to ask further questions about how user accounts are secured.
- Industry standards and best practices: Cybersecurity best practices evolve quickly. Make sure your video solution provider is following the current industry standards and best practices, such as continuous uptime monitoring and regular vulnerability scans.
- Secure data centers: Is the core infrastructure of the video solution protected in a secure, hardened data center? These data centers are designed to physically withstand natural or man-made disasters.
- Privacy/identity protection: Only authorized users should have access to critical data. In addition, videoconferences should never be recorded, and patient information should not be stored by a videoconferencing service.
While affordability, added features, and ease-of-use may be important to your organization, when it comes to video conferencing solutions in a healthcare setting, security and privacy must come first.
Typically, healthcare-specific platforms are designed to facilitate clinical collaboration and patient communication in a safe, secure way. As you explore virtual care platform options, look for a partner who conducts routine security audits and can offer third-party verification of HIPAA compliance.