Telehealth and Cybersecurity Amid the Pandemic
ABSTRACT: As telehealth programs rapidly expand during the COVID-19 pandemic, organizations and individuals must continue to be aware of potential cybersecurity threats.
“The New Normal.” “Social distancing.” “Stay home.” “Unprecedented.”
You’ve probably heard the above phrases more than once, twice, or fifty times over the past couple of months during the COVID-19 pandemic. Almost all aspects of life are changing and/or have changed, including the way in which we are seeking medical care.
Indeed, telehealth is rapidly becoming a “new normal” for routine healthcare visits, a market predicted to reach more than $130 billion worldwide by 2025 and $10 billion by the end of 2020. What is telehealth? According to the U.S. Department of Health and Human Services, Office for Civil Rights, it is “the use of electronic information and telecommunications technologies to support and promote long-distance clinical healthcare, patient and professional health-related education, and public health and health administration.”
Examples of telehealth and its technologies include mobile and/or wireless health platforms; real-time interactive services, such as teleconsultation and telenursing; and remote patient monitoring (such as for diabetes, weight gain/loss, and dementia), which are available via the internet, video, streaming media, webcam, live chat and/or video conference.
While innovative, convenient, and helpful to our society, especially in these challenging times, such telehealth programs have also raised concerns about cybersecurity risks to healthcare organizations and the public as healthcare organizations continue to speed toward implementing these programs. Examples of such cybersecurity risks include hacking and data breaches, phishing attacks, ransomware threats, loss or theft of equipment, data loss, and medical device attacks. These threats are especially concerning considering HIPAA privacy requirements. However, during the COVID-19 pandemic, organizations implementing telehealth programs will not likely be penalized by the HHS Office for Civil Rights for HIPAA violations should the programs fail to comply with the required regulations, as long as they are using non-public facing remote communications in good faith. This leniency is not likely to last forever, though.
What makes these threats possible? The fact that these telehealth systems heavily rely on the Internet. Further vulnerabilities of such systems include weak passwords, insecure network services, lack of secure updates, lack of privacy protection, outdated antivirus software, lack of secure data transfer and storage, and lack of device management.
However, to provide some protection, the following non-public facing remote communications are currently permitted: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom and Skype. These types of communications use end-to-end encryption, allowing only the person or persons communicating on each end to see what is transmitted, require personal accounts, logins, and passwords, and provide the users some control over how the communication occurs (i.e. video, sound, etc.). Not included in this list are Facebook Live, Twitch, TikTok, and similar video communication applications, as they are public facing. Such public facing forms of remote communication are not secure for such telehealth programs due to being open to the public and permitting more open and uninhibited access to the communications taking place.
Telehealth is likely here to stay, which is why it is so important that organizations and individuals ensure that steps are continuously taken to protect the platforms from breaches and protect users’ private information. There are many other organizations providing continuing recommendations of how to mitigate and otherwise address cybersecurity risks and actual breaches. See American Hospital Association and National Institute of Standards and Technology. To learn even more about cybersecurity risks and practical approaches to effectively defending against and/or addressing breaches, Baker Sterchi previously did a three-part series on cybersecurity risks, which can be accessed here, here, and here.
About Healthcare Law Blog
Baker Sterchi's Healthcare Law Blog examines issues of interest to healthcare providers in emergency departments, hospitals, private practice, ambulatory surgery centers, pharmacies, urgent care centers, EMS, long term care facilities, home health care and more. Learn more about the editor, John Mahon, and our Healthcare Law practice.