Telehealth: Safeguarding Patient Data
New Guidance Spells Out Security Precautions
Given the surge in the use of telehealth during the COVID-19 pandemic - and expectations for continued growth - the Healthcare and Public Health Sector Coordinating Council has unveiled guidance on safeguarding patient data during remote care encounters.
The new 33-page guidance document, Health Industry Cybersecurity - Securing Telehealth and Telemedicine, contains recommendations for how healthcare organizations, telehealth vendors and service providers should assess and mitigate potential cyber risks.
The recommendations include implementing encryption, enhancing monitoring capabilities and using privileged account management tools.
FAIR Health, a nonprofit organization that tracks health insurance claims data, found that telehealth claims to private insurers grew 4,347% from 2019 to 2020 as a result of remote care during the pandemic, HSCC notes.
And the research firm Frost & Sullivan projects a sevenfold growth of telehealth by 2025.
Last year, the Department of Health and Human Services' Office for Civil Rights issued a notice of enforcement discretion saying it would not impose penalties for HIPAA noncompliance against healthcare providers in connection with the good faith provision of telehealth during the COVID-19 public health emergency. That included allowing healthcare entities to provide telehealth services through certain nonpublic-facing remote communications applications that allow for video chats with patients (see: COVID-19: HHS Issues Limited HIPAA Waivers).
"Because telemedicine and telehealth involve the collection and transmission of personal health information and personally identifiable information, they inadvertently present hackers with extremely valuable targets," the HSCC guidance notes.
Telehealth and telemedicine "are, simply, easy targets," particularly because the internet is often used and data is transmitted, the guidance notes.
"Integration of many networks/technologies means no unified security policy/implementation and no central governance, rendering system security dependent on the weakest link. By its very nature, much telehealth communication needs to travel outside of controllable environments, e.g., to patients' personal devices."
Cyberattacks on telehealth systems can result in the theft of PII or PHI; credential harvesting; data exfiltration; the compromise of data integrity, such as exploitation of financial transaction systems and manipulation of clinical data; and the compromise of availability, such as via ransomware or denial-of-service attacks, the guidance notes.
Steps to Take
The guidance offers a long list of recommended steps, including security controls and best practices that entities should consider implementing to reduce the risk of cyber incidents. These include:
- Bolstering asset management, including identifying the current environments used to deliver telehealth functionality and store any related data;
- Enhancing endpoint protection on devices - such as PCs, desktops, workstations and laptops - used to provide the telehealth services;
- Implementing monitoring capabilities, including logs for identity management, infrastructure changes and application access;
- Encrypting data at rest and in transit as well as email;
- Improving mobile device and wireless security;
- Deploying data loss prevention tools to help identify and track movement and use of sensitive data;
- Implementing privileged account management tools to better manage, secure and audit privileged account activities and events;
- Implementing incident response plans.
As telehealth continues to grow, "security should stay top of mind for four reasons," says regulatory attorney Janine Anthony Bowen of the law firm BakerHostetler.
"First, the patient/consumer needs confidence that their personal and highly sensitive details will remain secure. Second, absent consumer confidence, the growth trajectory of telehealth offerings will slow, and lack of consumer confidence will stagnate demand," she says.
"Third, in both federal and state-level health privacy regimes, the law requires it. Finally, a security incident is expensive financially, taxing on the resources of the organization, and has a negative impact on the brand value and reputation of the enterprise."
Bowen adds: "The guidance indicates that the sector is an 'easy target,' so diligence is critical, and any guidance that improves the tech and security acumen of the sector as a whole is welcome and useful."
Any examination of telehealth security issues is helpful, says Kate Borten, president of privacy and security consultancy The Marblehead Group.
"But too often, reports like this reach larger organizations that are already doing a better job of security and privacy, while midsize and small entities and their business associates are still in the dark," she says.
"In the past, business functionality and ease of use were top priorities. Now, it's essential that rigorous privacy and security reviews rise to the level of top priorities," she adds, for all healthcare organizations.
'Baked In' Safeguards
Privacy attorney Iliana Peters of the law firm Polsinelli says the HSCC guidance is helpful "for bringing focus back to data privacy, security, and breach risks related to telehealth modalities."
Healthcare entities are most concerned with providing their patients with the best and most timely treatment, and telehealth is crucial for those purposes, both during this pandemic and otherwise, she notes.
"That said, many healthcare providers forget about the serious risks associated with these and other digital health tools, and, unfortunately, the privacy and security risks can have serious consequences for patient safety, as well as for patient privacy, of course," she says.
"I hope that healthcare providers using digital health tools of all types will stop and consider how the safety of their patients could be adversely affected by any one of the cyber incidents discussed in the guidance, and work closely with their counsel, vendors, and IT specialists to ensure that they 'bake in' security protections from the beginning of their work with these important tools."