Securing Telehealth Technologies in a Vulnerable World

Gil Vidals
Apr 30, 2021

by Stephen Trout

After a tumultuous year for healthcare, one thing appears clear: telehealth is here to stay.

In fact, a recent study notes that 46 percent of consumers now use telehealth in place of in-person healthcare visits — as opposed to just 11% in 2019.

Used primarily for level-one consults and routine exams, telehealth offers “a tool for patients to connect with their providers in a way that’s sometimes more convenient, sometimes more accessible, and sometimes the only option,” notes Daniel Marchalik, MD, medical director of physician well-being at MedStar Health. “Being able to leverage the power of telehealth during the pandemic surges has been incredibly important.”

This shift to virtual consults doesn’t seem to be going away anytime soon; in fact, with insurers now providing increased coverage for telemedicine, providers are anticipating continued use of telehealth services even beyond the vaccination period for Covid-19.

In other words, as one doctor notes, “the genie is out of the bottle.” Sadly, so are the cyber attacks.

According to "Health Industry Cybersecurity — Securing Telehealth and Telemedicine," telehealth providers faced attacks through a multitude of vectors in 2020, with malicious activity keeping pace with the emerging global pandemic:

• 117% rise in website/IP malware security alerts

• 65% increase in security patching of known vulnerabilities

• 56% rise in endpoint vulnerabilities that enable data theft

• 16% increase in patient-accessed web application vulnerabilities

• 42% growth in file transfer protocol vulnerabilities that expose information traveling between a client and a server on a network

• 27% increase in remote desktop protocol security issues given the widespread adoption of remote work

A Call to Action

In telehealth, therefore, as in all expressions of healthcare technology, securing the delivery modes of healthcare must be seen as a fundamental and intrinsic part of patient care.

Security simply cannot be an afterthought for the technology provider or app developer, IT services, or the technology user.

It stands to reason: if the patient is seen (virtually) by their physician but, in the end, has their sensitive healthcare data compromised by hackers (a clear attack on their person and privacy), the patient’s overall well-being stands to suffer.

Important services may also be delayed, leading to a negative impact on health. The healthcare provider will also be liable, and face potential fines and lawsuits. This would be a lose-lose situation for both.

It is incumbent upon healthcare providers therefore to apply as much security expertise in telehealth as they do in other aspects of their work.

Beyond the most fundamental question then — Is my IT infrastructure and telehealth delivery platform HIPAA compliant? — the following questions must be asked.

Do I have:

  • a signed Business Associate Agreement (BAA)?
  • access controls to systems, including strong passwords and two-factor authentication?
  • server hardening (securing with updates and patches)?
  • regular vulnerability scans of servers and mitigation of the vulnerabilities discovered?
  • systems monitored 24/7 to ensure consistent reliability and uptime?
  • appropriate protected storage of telehealth data with PHI?
  • off-site backups of HIPAA data?
  • log retention of 6 years (a HIPAA mandate)?
  • dedicated technical support that is essentially an “extension of my practice”?

In addition, the provider will need to ensure that all healthcare communication devices (laptops, tablets, smartphones) are used only on protected Wi-Fi networks. A regular, guided risk assessment of all potential organizational weaknesses will cover this; input from a trained security consultant is also invaluable for maintaining a strong security posture.

As critical as your telehealth environment is for being proactive in your care, it’s also important to help create cyber-awareness for your patients — keeping in mind that your defenses are only as strong as your weakest link.

Finally, you’ll also need dedicated support technicians who will personally answer the phone and resolve your issues promptly. HIPAA Vault maintains a “tierless” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as system monitoring, with over 90% resolution the first time you call.

No cumbersome phone trees or being kept on hold for long periods of time. And our managed services allow you to streamline your IT costs, effectively saving you money.

Clearly, virtual visits are here to stay. Talk to us about how we can provide a secure infrastructure and 24/7 support services to assist you in your goal of delivering quality, safe healthcare.

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760–290–3460 or www.hipaavault.com.
