If the COVID-19 pandemic has proven anything beyond the shadow of a doubt, it’s the vital necessity of accessible healthcare throughout the country. The spread of the virus, as well as its knock-on effects across the whole economy, has shown that everyone is connected to the health industry in some way. As such, privacy and security concerns in telehealth have wide-reaching implications not just for telehealth and telemedicine companies, but for society at large.
Telehealth measures make care more easily accessible to consumers—a necessary respite in an age when social distancing makes many services so much harder to access. However, they can also expose healthcare providers and adjacent companies to increased risk of cybercrime.
Top Cybersecurity Vulnerabilities of Telemedicine
Telehealth and telemedicine companies are the future of healthcare. But they’re also at the forefront of our COVID-accelerated present. And right now, they bear the burden of learning on the fly as Americans adapt and migrate to telehealth platforms en masse.
Relatively new platforms and unprecedented traffic: together, these conditions form a perfect storm for cybercrime. But which telemedicine security issues are most pressing?
Below, we take a deep dive into two main areas:
- An overview of the risks facing telemedicine
- A guide to how HIPAA ensures security
But first, let’s take a close look at why you should be concerned in the first place…
Why is Telemedicine Cybersecurity Important?
Telemedicine is the future of healthcare. If your company isn’t already involved in it, it likely will be soon. Telehealth already accounted for a sizable share of the medical industry’s growth potential before the current pandemic; now it sits in a dominating position atop it.
According to McKinsey projections for telehealth post-COVID, the share of US consumers using telehealth jumped from 11 percent in 2019 to 46 percent, with providers seeing up to 175 times as many patients via telehealth as before. Further growth is likely, with 76 percent of consumers now indicating interest in telehealth (up from the 11 percent who used it before). Overall, McKinsey estimates up to $250 billion of current US healthcare spending could shift to virtual care.
However, there are major risks that come with all this growth.
A recent report from two leading cybersecurity analysts reveals that cybercrime targeting telehealth has skyrocketed as well. Security findings against telehealth providers are up, as is telehealth-related activity across various dark web forums. With great opportunity comes great vulnerability.
Telemedicine Security Risks 101
Why do cybercriminals target telemedicine businesses, and the health industry more broadly?
On the one hand, healthcare is the largest employer in the US by a sizable margin. That size is a big reason it’s among the most profitable industries in the world. However, the sheer number of stakeholders spread across clientele and personnel also makes it a prime target: every account is a potential way in.
On the other hand, the industry harbors one of the most valuable bounties available to cybercriminals: protected health information (PHI), HIPAA’s term for individually identifiable health data. Various forms of PHI include:
- Demographic (biographical) information on clients
- Medical histories, including clients’ test results
- Clients’ insurance and payment information
PHI is valuable in its own right: clients’ biographical and payment information enables identity fraud, insurance fraud, and outright theft from their individual accounts, and unlike a payment card, a medical history cannot be cancelled and reissued. But on a deeper level, seizing clients’ PHI (and the systems that hold it) puts cybercriminals in a position to grind a healthcare business to a halt, typically by encrypting the data and demanding payment for its return. The cost of lost appointments and reputational damage is what turns that leverage into huge ransom payments.
Given its gravity, the mere presence of PHI makes an organization a target.
How Hackers Get Their Hands on PHI
Telehealth providers face the same general vulnerabilities of all companies, in addition to the PHI-based risks unique to the medical field. And while not all cybersecurity vulnerabilities of telemedicine businesses relate to PHI, these are by far the most consequential risks.
Cybercriminals exploit a wide variety of vulnerabilities and combine complex sets of techniques to seize PHI from telehealth providers. These include, but are not limited to:
- Faulty cybersecurity architecture – Gaps in any company’s defenses give attackers a way to seize control of assets and wreak havoc. For example:
- Missing or poorly configured firewalls and network segmentation, which let malware and attackers reach internal systems
- Unsecured networks that attackers use as an entry point to other systems
- Weak authentication (single-factor logins, default or reused passwords) that lets attackers bypass password protection
- Unencrypted data, in transit or at rest, which is easier to steal and easier to use once stolen
- User error and manipulation – Even the most carefully secured system must account for human error across personnel and client accounts:
- Users who aren’t trained properly may choose weak or reused passwords
- Social engineering (phishing, pretexting) tricks users into compromising their own accounts
- Attackers may enter physical spaces and use unattended, unlocked endpoints
- Network disruption – Another method of attack targets servers with a distributed denial of service (DDoS), in which:
- Attackers flood your servers with traffic from many sources
- The traffic slows or stops the service, so patients cannot reach their providers
- The disruption can also serve as cover for other intrusion attempts (a DDoS does not itself open new vulnerabilities, but it diverts defenders’ attention)
- Or, the attackers may demand a ransom before allowing normal service to resume
The most dedicated hackers will employ combinations of attacks, leveraging multiple vulnerabilities at once. The first step to keeping your business protected is HIPAA compliance.
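The authentication items above (weak authentication, untrained users choosing weak passwords, stolen credentials) are where many of these failures actually happen, so it is worth seeing what the weak and the hardened form look like side by side. The following is an added example written for this article; it is not code from the original page or from RSI Security. The "portal" user store, the user names and the passwords are hypothetical and constructed for illustration; the hardened store uses salted PBKDF2-HMAC-SHA256 from the standard library, a constant-time comparison, a minimum-length policy, and a per-account lockout after repeated failures.

```python
"""Weak vs. hardened password verification for a (hypothetical) telehealth portal login.

Added example, not from the original article. Names and sample credentials are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) minimum for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

# --- Weak form: what "weak authentication" looks like in code ---------------
# Constructed sample record. A copied table exposes every credential in the clear.
WEAK_USERS = {"dr.smith": "password1"}


def weak_login(user: str, password: str) -> bool:
    # Plaintext compare, no salt, no throttling: unlimited guesses, and a
    # leaked table is immediately usable against every account.
    return WEAK_USERS.get(user) == password


# --- Hardened form -----------------------------------------------------------
def password_policy_ok(password: str) -> bool:
    """Reject short or all-numeric passwords; length is the main defence against guessing."""
    return len(password) >= MIN_PASSWORD_LENGTH and not password.isdigit()


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so a stolen table cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PortalUserStore:
    """Hypothetical in-memory user store for a telehealth portal."""

    def __init__(self) -> None:
        self._users = {}       # user -> {"salt": bytes, "hash": bytes}
        self._failures = {}    # user -> (failed_count, time_of_last_failure)
        # Decoy salt: unknown users cost the same work as real ones, so response
        # timing does not reveal which user names exist.
        self._decoy_salt = os.urandom(16)

    def register(self, user: str, password: str) -> bool:
        if user in self._users or not password_policy_ok(password):
            return False
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": derive(password, salt)}
        return True

    def is_locked(self, user: str, now: float) -> bool:
        count, last = self._failures.get(user, (0, 0.0))
        return count >= MAX_FAILED_ATTEMPTS and now - last < LOCKOUT_SECONDS

    def login(self, user: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False    # refuse without hashing: guesses during lockout learn nothing
        record = self._users.get(user)
        salt = record["salt"] if record else self._decoy_salt
        candidate = derive(password, salt)
        stored = record["hash"] if record else bytes(len(candidate))
        # compare_digest runs in constant time, so the comparison itself leaks nothing.
        if record is not None and hmac.compare_digest(candidate, stored):
            self._failures.pop(user, None)
            return True
        count, last = self._failures.get(user, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS and now - last >= LOCKOUT_SECONDS:
            count = 0       # previous lockout has expired; start a fresh window
        self._failures[user] = (count + 1, now)
        return False


if __name__ == "__main__":
    store = PortalUserStore()
    print("weak login accepts a leaked password:", weak_login("dr.smith", "password1"))
    print("hardened store rejects 'short':", not store.register("dr.jones", "short"))
    print("hardened store registers a long passphrase:",
          store.register("dr.jones", "correct horse battery staple"))
    t0 = time.time()
    for i in range(MAX_FAILED_ATTEMPTS):
        store.login("dr.jones", "guess-%d" % i, now=t0)
    print("account locked after repeated failures:", store.is_locked("dr.jones", t0 + 1))
```

The two halves differ in exactly the ways the list above describes: the weak store keeps passwords in the clear and lets an attacker guess forever, while the hardened store makes each guess expensive, limits how many guesses an account will accept, and gives the same response time whether or not the user name exists. Multi-factor authentication would sit on top of this, not replace it.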
HIPAA and Telemedicine Cyberdefense
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to ensure uniform security standards for PHI and the medical and health-adjacent field more broadly. The US Department of Health and Human Services (HHS) administers it and oversees compliance.
The core of HIPAA is its four main rules:
- Privacy rule – Specifically codifies PHI as a protected class of information and requires particular safeguards for its protection. Also grants patients the right of access to their PHI.
- Security rule – Further specifies the various administrative, physical, and technical safeguards required to ensure confidentiality, safety, and security of PHI.
- Enforcement rule – Details procedures for enforcement of privacy and security rules and particular penalties enforced for noncompliance or other violations thereof.
- Breach notification rule – Introduced under the HITECH Act of 2009; requires HIPAA-covered entities and their business associates to notify affected individuals (and HHS, and for breaches affecting more than 500 people, the media) of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery.
Following the specific regulations and controls each rule calls for cannot completely remove the risks posed by cybercrime. However, compliance is a baseline set of precautions that minimizes vulnerabilities and mitigates risks facing telemedicine companies and the healthcare industry.
How to Ensure HIPAA Compliance
Across the rules listed above and the controls they require, HIPAA compliance can be challenging. The best way to secure your company is to bring in professional help not just for assessment but for preparation and remediation, to make sure all safeguards are in place.
RSI Security isn’t just an accredited HIPAA Compliance Assessor; we’re a full-service Advisor as well. RSI Security’s HIPAA compliance services comprise:
- Comprehensive Security Rule assessment, auditing, and remediation.
- Baseline vulnerability scanning and in-depth penetration testing.
- Ongoing awareness and training regimen for all personnel.
If your company fails to comply with HIPAA, cybercrime isn’t the only threat you face. The HHS Office for Civil Rights (OCR) enforces the civil provisions, and the Department of Justice (DOJ) prosecutes criminal violations. Civil penalties can reach $1.5 million per year for each category of violation (the cap set by the 2013 Omnibus update, since adjusted for inflation). Prison time is possible for the most serious criminal offenses.
Plus, the immediate impact of these large fines and legal consequences compounds with reputational damage HIPAA noncompliance can do to your company.
Professional Telemedicine Cybersecurity With RSI Security
Here at RSI Security, we’re committed to helping telehealth companies secure their PHI and all other valuable resources. Our team of experts has over a decade of experience providing compliance and other managed security services to companies of all sizes, in all industries.
Plus, we know that compliance isn’t the end of cybersecurity; it’s just the beginning. Businesses in telehealth, adjacent fields, and across every industry need to be proactive about their cyberdefense. To keep your clients’ PHI safe, you’ll need robust cybersecurity architecture and ongoing detection and response, among other practices.
For all that and more, we’re more than happy to help. Contact RSI Security today to see how easy dealing with all the privacy and security concerns in telehealth can be.