The COVID-19 pandemic forced businesses to adapt to a new normal. Work from home mandates pushed some firms to become fully remote, while others had to shutter completely. Severely impacted healthcare providers were on the frontlines navigating the virus and re-configuring their workspaces, personnel, and patient relationships. Telemedicine has also been widely adopted and expanded during the pandemic.
And while healthcare has always been a convenient target for cyber-attacks, the increase in telemedicine brings with it a new set of challenges. Read on to learn about the critical telemedicine cybersecurity concerns for 2021 and beyond.
Chief Telemedicine Cybersecurity Concerns
Even before the COVID-19 pandemic, businesses in every industry were tending toward mobile, remote solutions. The pandemic and its aftermath have accelerated this trend, and the cybersecurity implications continue to grow more complex day by day.
While risks are on the rise, they’re still manageable. This blog will break down all you need to know about the top telemedicine risks and what to do about them across two areas:
- The list of four major threat vectors impacting telemedicine practice
- How HIPAA compliance can address these risks
By the end of this blog, you’ll understand both what you need to look out for and what resources will be helpful in risk mitigation. We’ll also explain how you can simplify it with professional help.
The Biggest Telemedicine Risks and Vulnerabilities
This new normal, which some experts are now referring to as the “next normal,” means that telehealth and telemedicine will become central focuses of the healthcare industry rather than marginal or special provisions.
Healthcare companies that don’t already have telemedicine practices in place will need to set them up sooner rather than later. Opening up the scope of patient-provider relationships beyond meetings in regular facilities will involve new and unprecedented risks.
Risks Internal to Abandoned Healthcare Practices
An often overlooked issue plaguing healthcare providers who have pivoted to telemedicine in the era of COVID-19 is what is left behind in vacant facilities. Businesses from every sector have abandoned their headquarters and offices or significantly reduced staffing and general traffic. The resulting risks are twofold:
- Computers, workstations, and hardware in unattended offices are at risk of theft. All the sensitive data stored on them and traces thereof should be wiped off of endpoints that won’t be supervised physically for prolonged periods and moved to the cloud.
- Similarly, devices and system architecture left unattended for long stretches may fall into disrepair, and antivirus and other protective software installed onto it may not receive updates. These should be automated, or the devices should be shut down and disconnected.
Beyond these, healthcare providers also need to account for analogous risks across their supply chain and the network of strategic partners and business associates essential to their business. As we’ll touch on below, HIPAA compliance extends beyond the individual practice to the associates of that practice (called covered entities).
Work-From-Home Impacts on Telemedicine Security
Another significant risk for healthcare organizations providing telemedicine services lies in the security architecture, or lack thereof, installed on staff’s work-from-home stations. Regardless of how secure your company’s office is, there are too many variables to account for in people’s private homes. Some of these might not even be apparent to your staff themselves.
For example, imagine the work-from-home environment of a mid-career professional at your company. They might be issued a laptop or desktop computer from which they can administer telehealth services, and the device may have state-of-the-art protections installed on it. But a typical home internet connection is more vulnerable to attacks than the secure one at the office.
Requiring this staff member to work from a secure VPN provided by the company is not enough to guarantee safety. There could be other individuals present in the home who are given access to the VPN or gain access to it without permission (such as a child, roommate, or partner). These individuals’ activities could damage your company unknowingly despite having no connection to it.
Patient-Side Security Vulnerabilities of Telemedicine
Personnel aren’t the only individuals navigating this new reality of work from home. The same is true of your clientele, patients receiving your telemedicine services. One significant risk for your business is that interactions you may have previously had through in-person visits are now online via computer or smart devices.
For older clients especially, this exposes them to risks they may be particularly unequipped to handle. For example, your business may cater to clients who previously did not own or interact with a computer or smartphone. These individuals are particularly susceptible to specific social engineering tactics, like phishing, that can give hackers and cybercriminals unfettered access to their devices and accounts. From there, these same bad actors can use their privileged, hidden position to upload viruses and other malware into your systems, all the while posing as a client.
In an even more insidious tactic, cybercriminals may directly target your clientele in ways that harm them and pin the blame on your company. The reputational losses can be detrimental.
Telemedicine Risks Beyond Patients and Providers
Finally, another side to the cybersecurity risks detailed above is how they can cause your company to violate its compliance obligations laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA requires companies to safeguard protected health information, per rules we’ll get to below. Failure to do so results in strict HIPAA Enforcement:
- Civil money penalties can be assessed for the negligence of HIPAA rules and regulations leading to the compromise of PHI, up to a total of $1,785,651 million dollars per calendar year.
- Penalties start at $119 if the offender “did not know,” then ramp up to a minimum of $1,191 for “reasonable cause,” a minimum of $11,904 thousand dollars for “willful neglect with correction,” and a flat fee of $59,522 thousand dollars for “willful neglect without correction.”
- Criminal penalties can be assessed for the most severe violations of HIPAA rules, such as those undertaken for the express purpose of personal profit or causing harm to clients.
- Penalties start at one year of imprisonment for intentional misuse, ramp up to five years for false pretenses, and ten years for personal gain.
These penalties present another cybersecurity-related telemedicine risk. The threats detailed above not only compromise your system, but also put your practice in financial jeopardy as well due to HIPAA Enforcement. To that end, let’s take a closer look at the telehealth implications of HIPAA.
How Compliance Impacts Telemedicine Security
Non-compliance violations constitute a major risk for business continuity, as the financial and reputational costs can be debilitating. HIPAA impacts all stakeholders both in and adjacent to the healthcare industry, whether you’re a new practice that deals in telemedicine or an established walk-in clinic. The US Department of Health and Human Services (HHS) has a breakdown of covered entities, including healthcare providers of all shapes and sizes.
The covered entities list isn’t limited to healthcare providers. It also includes healthcare plans and all parties involved in their administration, healthcare clearinghouses, or parties who process nonstandard health information into standardized forms.
Even if you are involved in telemedicine tangentially, as a business associate facilitating a healthcare provider’s transition to the new normal, you may be implicated by HIPAA. It requires contractual commitment for compliance across a covered entity’s strategic partners.
Let’s take a close look at how each HIPAA rule impacts telemedicine cybersecurity concerns.
Telemedicine Implications of the HIPAA Privacy Rule
The first rule in the HIPAA framework is the Privacy Rule. The rule defines PHI as a protected category, and its impacts on telemedicine have to do with the definitions it establishes for proper use and disclosure of PHI. Per HHS’s breakdown of the Privacy Rule:
- All uses and disclosures of PHI that do not meet one of the following conditions are not allowed. Use or disclosure outside these permitted cases constitutes a HIPAA violation:
- Use or disclosure to the subject of PHI or requested by them or a representative.
- Use or disclosure that contributes to the development of health or billing operations.
- Use or disclosure that the subject of PHI has had a reasonable opportunity to reject.
- Use or disclosure that is incidental to permitted or authorized use cases.
- Use or disclosure that is undertaken in the public interest or for the public’s benefit.
- Use or disclosure of a limited, de-identified sample and for academic research.
- Certain use cases are required. These include uses that are the subject of PHI requests, along with specific requests by the HHS or law enforcement.
- All authorized uses and disclosures of PHI, except those required due to the subject’s request or a legal request, must be limited to the minimum necessary requirement.
When administering or facilitating telemedicine services, your business needs to ensure all uses and disclosures are permitted, authorized, or required cases.
Telemedicine Considerations of the HIPAA Security Rule
The second rule in the HIPAA framework is the Security Rule. It exists to extend PHI protections out to electronic PHI (ePHI), codifying safeguards for the confidentiality, integrity, and availability of ePHI. With this focus on ePHI, it’s especially applicable to telemedicine practices. Per the HHS’s breakdown of the Security Rule, the primary controls it requires include the following:
- Administrative safeguards applicable to telemedicine management, including:
- Security management processes, designed for systematic control over PHI
- Security management personnel, with delegated authority and responsibility
- Information access management, including managed restrictions on access
- Workforce training and management, including HIPAA-specific training
- Regular evaluation of security practices, ensuring staff’s accountability
- Physical safeguards applicable to the hardware used for telemedicine, including:
- Facility access control, limiting exposure of facility to outsider threats
- Workstation and device control, monitoring for irregular use patterns
- Technical safeguards applicable across software and the cloud, including:
- Access control, including systematic identity and access management
- Audit control, including scheduling and protocols for audit log security
- Integrity management, preventing all unauthorized changes to PHI
- Transmission fidelity, securing PHI for traffic over external networks
In the course of administering or facilitating telemedicine services, you’ll need to ensure all these practices are met to guarantee confidentiality, integrity, and availability of ePHI. URAC is a member of the International Society for Telemedicine and eHealth (ISfTeH). This is an accreditation for telehealth, telemedicine, support services, and remote patient monitoring, offering certification of an organization’s adherence to best practices of high-quality care, compliance, and sustainability.
Telemedicine Risks and the HIPAA Breach Notification Rule
Finally, the last prescriptive rule within the HIPAA framework is the Breach Notification Rule. It exists to specify actions covered entities need to take if and when a security breach happens. This applies to telemedicine providers as they are vulnerable, covered entities. Per HHS’s breakdown of the Breach Notification Rule, required notice includes:
- The notice must be provided to all individuals impacted by the breach as soon as possible and no later than 60 days after the breach has been discovered.
- The notice must be provided to the HHS Secretary no later than 60 days after discovering the breach impacts 500 or fewer people, or within 90 days of year’s end if the impact is 500 people or more.
- Notice must be provided to a local media outlet servicing a given geographical area if more than 500 people within that specific area are impacted by the security breach.
In administering or facilitating telemedicine services, the measures above minimize the probability of an attack. This rule requires specific actions if one does happen.
Address Telemedicine Security Controls Professionally
The threats faced by telehealth and telemedicine companies in 2021 and beyond are nearly endless. To sum up, from above, some of the biggest telemedicine cybersecurity concerns involve threat vectors from abandoned offices and technology infrastructure, threats of working from home for both your personnel and clientele and the risks inherent to non-compliance. RSI Security’s suite of HIPAA compliance services can help covered entities mitigate these threats with solutions tailored to their needs and means —contact us today!