The COVID-19 pandemic has challenged hospitals and health care systems in countless ways. Between providing critical patient care, maintaining operations and managing a changing workforce dynamic, the health care industry has been – quite obviously – tested over the last several months.
Now factor in the incredible increase in demand for telehealth solutions. As remote telehealth services have gained considerable traction during the pandemic, hospitals and providers have become even more dependent on these digital solutions to remain productive and safely engage with patients.
However, the increase in telehealth usage also inherently brings greater cybersecurity risks. Couple this with the rise in cyberattacks (i.e., phishing schemes, ransomware, etc.) during the ongoing health pandemic, and cybersecurity becomes even more crucial for administering safe and private telehealth solutions.
The Health Resources Services Administration defines telehealth as the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related educations, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.
Note that telehealth differs from telemedicine because it refers to a broader scope of remote healthcare services than telemedicine. While telemedicine refers specifically to remote clinical services, telehealth can encompass remote non-clinical services, such as provider training, administrative meetings, and continuing medical education, in addition to clinical services.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recognizes telehealth as a means to protect individuals during the pandemic. However, security and HIPAA compliance remain critical while conducting telehealth activities.
The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) is the foremost federal law on healthcare data privacy in the U.S. The law established national standards to protect sensitive patient health information from disclosure without the patient’s knowledge or consent. Two central provisions of HIPAA are the Privacy Rule and Security Rule which focus on protected health information.
As healthcare organizations implement telehealth services, it must be done in a secure way that maintains HIPAA compliance and reinforces patient confidence that the organizations adequately protect their data at all times.
In response to the COVID-19 crisis, the OCR released a notice regarding health care organizations and their use of audio and video technology to provide telehealth services during the pandemic.
OCR acknowledged that during the COVID-19 national emergency, covered health care providers subject to HIPAA rules may seek to communicate with patients and provide telehealth services through remote communication technologies. Some of these technologies, and the manner in which covered health care providers may use them, may not fully comply with the requirements of the HIPAA rules.
As such, OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA rules against covered health care providers who make a good faith provision of telehealth during the ongoing pandemic.
As such, a covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during this time can use any non-public facing remote communication product that is available to communicate with patients.
Therefore, covered health care providers may use popular applications for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without the risk of OCR imposing penalties for noncompliance with HIPAA rules.
The notice further specifies that organizations should not use public-facing applications such as Slack, Facebook Live, Twitch, TikTok, and similar platforms in the provision of telehealth services.
In addition, the notice explains that covered health care providers seeking additional privacy protections while using video communication should employ technology vendors that are HIPAA compliant. By using these vendors, the health care organization will enter into HIPAA business associate agreements (BAAs). The notice provides a list of some vendors that provide HIPAA-compliant video communication products and will enter into a HIPAA BAA:
As virtual health options introduce new tools to share information across a multitude of platforms and the pandemic provides hackers with greater opportunities to attack vulnerable security systems, health care organizations must remain vigilant in their cybersecurity efforts. With increased telehealth use, risk exposure rises in key areas of cybersecurity, including:
Even with temporarily relaxed HIPAA rules in regards to telehealth, health care providers need to maintain, or even increase, their cybersecurity during the ongoing pandemic – and beyond.
Below are some key areas that providers can focus on to secure their virtual health systems. Implementing strong cybersecurity practices help ease concerns for patients and providers alike.
1. Medical devices and wearables security
Connected devices and wearables inherently raise certain security concerns. These devices generate data classified as protected health information (PHI) and entrust it to the cloud. As consumers and providers continue to use connected health devices, the risk of patient health data grows accordingly. (Note: wearables are electronic devices that individuals can wear, like Fitbits and smartwatches, to collect personal health data.)
For example, devices that send diagnostics to providers need to protect the confidentiality and integrity of the data as it arrives and becomes part of a patient’s confidential record. Furthermore, as patients send pictures or other data to a physician as part of a telehealth session or monitoring program, it is important to develop strategies for complying with and addressing HIPAA requirements.
2. Identity management and multifactor authentication
To ensure that the person on the other end of the virtual connection is indeed who they claim to be, multifactor authentication (MFA) proves vital. Health professionals must verify a patient’s identity to protect the disclosure of private information. Beyond MFA, some providers utilize biometrics (touch or facial recognition in a mobile application), short message service (SMS) tests, or device fingerprinting.
Furthermore, many providers attach contextual information to patients’ electronic medical records or customer relationship management records as a way to improve patient profiling. Contextual information might include metrics from wearables, parental consent for minor patients, or simply information about a patient’s habits in the system. Understanding when and why a patient accesses the ecosystem in search of services can help inform enriched analytics on that patient and improve the patient experience. Making this work relies on an identity management system that is flexible enough to send identity data about a patient to multiple systems. However, as the number of systems multiplies, so do the security concerns.
3. Location-based security
Typically, patients receive virtual health services at home. But in some cases, patients may request services from other locations. It is imperative that organizations providing telehealth services monitor where in the real world their patients receive those services. It may be worthwhile to consider implementing rules for “out-of-bounds” access.
Health care providers must strike a balance between monitoring location-based cues that may signal a cyber threat, while simultaneously offering patients a consistent experience regardless of where they are. Organizations may consider defining location rules and trigger extra authentication only when patients seek virtual services outside of those boundaries.
4. Cybersecurity training
When an organization introduces new services, it is important to educate the consumer about the corresponding risks of using those services. Patients need to understand that their data belongs to them, and that no provider safeguards can replace their own responsibility to make smart decisions about where and how they use telehealth services. It is the responsibility of the organization that both the patients and physicians understand this principle.
As you look to improve your digital security, here are some steps to consider:
While the OCR will not impose penalties if you do not have a BAA in place during the COVID-19 pandemic, it is still good practice to ensure the vendor will protect electronic patient health information (ePHI) that traverses the system.
To address these and other changing cybersecurity and privacy risks, information technology security management should leverage a risk-based assessment methodology. Regardless of the framework chosen, the main goal of the risk assessment is to provide cybersecurity professionals with a method to manage their program and prioritize and manage security activities.
Your Baker Tilly team is here to assist you. Our professionals can work with your management team to complete a diligent risk assessment in order to help you identify vulnerabilities in your controls, and simultaneously ease the concerns of patients, providers and other business partners.
Our life sciences team offers deep expertise in working with clients in the medical space and understands the unique challenges for the sector. We are here to put our knowledge and experience to work as we help ensure that your telehealth systems are properly secured.