Telehealth and Remote Worksites Are Here to Stay
During the COVID-19 pandemic many healthcare providers and administrative staff are working from home. Technology can allow providers and support teams to do much of what they could do from the medical office or administrative worksite, remotely through a variety of device platforms including computers, tablets, and smartphones. But these personal devices are proving to be more susceptible to cybersecurity vulnerabilities that pose significant information security risk to patient data and the networks which are accessed remotely.
The transformative shift in the settings and manner in which healthcare is operating presents a tremendous challenge to traditional notions of assessing enterprise information security risk and applying safeguards to thwart cybersecurity threats. It is not possible for healthcare organizations to dispatch technicians to the homes of their practitioners and workforce members to identify and mitigate vulnerabilities created through the new reliance on telehealth and the remote business of healthcare.
Strategies that leverage targeted training materials developed by reputable sources paired with employing video conferencing and text messaging technologies that meet the requirements of the HIPAA Security Rule standards could provide healthcare organizations resilience in this exceptional time.
Training Resources for a Remote Workforce
Responding to a spike in cyber threats that exploit telework technologies during the COVID-19 pandemic, the American Medical Association (AMA) and the American Hospital Association (AHA) have teamed to provide physicians and hospitals with educational material on protecting a remote work environment from cyber criminals.
The two associations have created a joint cybersecurity resource, "Working from home during the COVID-19 pandemic", offering actions to harden computers, networks, and medical devices against the rise in COVID-19-themed security threats and attacks. The resource includes checklists, sources, tips, and advice on strengthening protections to keep pace with deceptive cyberattacks that could disrupt patient care or threaten medical records and other data.
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards & Technology (NIST) has produced a series of multimedia materials that introduce how to safeguard data and reduce cybersecurity threats when using information technology. Telework Security Basics introduces some simple things a remote workforce member can do to improve their information security. The tips apply to almost all situations, and they’re relevant whether using the healthcare organizations’ laptop, tablet, or smartphone, or their own personal desktop or tablet. Preventing Eavesdropping and Protecting Privacy on Virtual Meetings shares basic precautions that can help ensure that telehealth and other video conference meetings are secure from eavesdropping or disruption from unauthorized users.
Telehealth Services Employing HIPAA Security Safeguards Widely Available
According to a recent FAQ from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), there are a number of video conferencing and text messaging services whose vendors represent them as HIPAA-compliant.[i] When comparing video conferencing or text messaging services, healthcare providers and hospitals should look for a service that encrypts data during transmission, ensures that e-PHI is not shared for purposes that are not approved, and has put into place a risk-based management plan to identify and mitigate threats and vulnerabilities to the data.
Ordinarily, HIPAA requires healthcare providers and other covered entities to only create, maintain, or transmit PHI using service providers that guarantee to follow the HIPAA standards and to have a Business Associate Agreement (BAA) in place. Service providers that sign BAAs and then break the rules can be liable for civil and criminal penalties, even during this period when OCR is choosing to not enforce some provisions of the HIPAA rules.
Information security and privacy teams will have to be proactive in working with healthcare providers who use commonly available technology to communicate with patients or provide telehealth services. For example, internet-facing personal communication devices are more vulnerable to cybersecurity threats when used over Wi-Fi connections that are not secured. Hackers have wasted no time in exploiting the coronavirus pandemic to attack healthcare organizations as well as patients looking for testing and treatment. We have seen examples of phishing emails crafted to mimic announcements from the Centers for Disease Control (CDC). Another cybercriminal created a phony map purporting to pinpoint coronavirus cases that actually installed malware to steal usernames, passwords, credit card information, and other sensitive data stored on the device. Healthcare organizations must carefully monitor traffic on their information networks and investigate unusual activity that could represent an intruder scanning for sensitive data or exfiltrating files stored on their systems.
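The monitoring point above (watching network traffic for scan-like and exfiltration-like activity) is easier to act on with a concrete baseline check. The script below is an added example, not code from the article or from any of the organizations it cites: it parses constructed, netflow-style connection records and flags two patterns a defender would investigate, one internal host touching an unusually large number of ports on another internal host, and one internal host sending an unusually large byte volume to a single external address. The address ranges, log field layout and both thresholds are assumptions chosen to fit the sample data; a real deployment would tune them against the organization's own traffic baseline.

```python
"""Flag scan-like and exfiltration-like activity in simple connection logs.

Added example (not from the original article): a small detector over
constructed, netflow-style records. Field layout, address ranges and
thresholds are assumptions for the sample data, not values from the page.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space for the sample environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed thresholds; tune against a baseline of the real network.
SCAN_PORT_THRESHOLD = 20            # distinct dst ports from one source to one target
EXFIL_BYTES_THRESHOLD = 50_000_000  # bytes sent to one external host (50 MB)

# Constructed sample log, one record per line: "timestamp src dst dst_port bytes_out".
# The first 25 lines model one host sweeping ports 1000-1024 on a file server;
# the 75 MB transfer models a bulk upload to an outside address.
SAMPLE_LOG = "\n".join(
    [f"2020-04-01T02:{i:02d}:00 10.0.5.23 10.0.1.10 {1000 + i} 120" for i in range(25)]
    + [
        "2020-04-01T03:10:00 10.0.7.8 203.0.113.45 443 75000000",
        "2020-04-01T03:11:00 10.0.7.9 203.0.113.45 443 1200",
        "2020-04-01T09:00:00 10.0.2.2 10.0.1.10 443 5400",
        "malformed line without enough fields",
    ]
)


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Yield (src, dst, port, bytes_out) tuples; silently skip unparsable lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, port, nbytes = parts
        try:
            yield src, dst, int(port), int(nbytes)
        except ValueError:
            continue


def detect(text: str) -> dict:
    """Return {'scan_like': [(src, dst), ...], 'exfil_like': [(src, dst), ...]}."""
    ports_seen = defaultdict(set)   # (src, dst) -> set of destination ports touched
    bytes_out = defaultdict(int)    # (src, external dst) -> total bytes sent
    for src, dst, port, nbytes in parse_log(text):
        if is_internal(src) and is_internal(dst):
            ports_seen[(src, dst)].add(port)
        elif is_internal(src) and not is_internal(dst):
            bytes_out[(src, dst)] += nbytes
    scans = sorted(k for k, ports in ports_seen.items() if len(ports) >= SCAN_PORT_THRESHOLD)
    exfil = sorted(k for k, total in bytes_out.items() if total >= EXFIL_BYTES_THRESHOLD)
    return {"scan_like": scans, "exfil_like": exfil}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for src, dst in hits:
            print(f"{kind}: {src} -> {dst}")
```

Both checks are deliberately simple aggregations over (source, destination) pairs so that they can be run against exported flow logs without any special tooling; the malformed record in the sample shows that a parser feeding a detector should drop lines it cannot read rather than abort, since real exports contain them.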
Widespread proliferation of telehealth communication services has long been hoped to facilitate convenient communication between healthcare providers and patients. The efforts by the federal government to ease the compliance burden during an unprecedented health emergency, promising not to enforce the HIPAA standards against healthcare providers when providing telehealth treatment, change how healthcare organizations manage the privacy and security of patient information. Healthcare organizations should approach this unprecedented transformation in how they provide care and perform basic work activities with eyes open to the far-reaching regulatory and information security challenges that may result from the widespread adoption of remote workplace communications over commonly available internet-based messaging and videoconferencing technologies.
Please contact us if we can assist you with any questions about the requirements of the HIPAA Privacy and Security Rules or to assist you in securing your information system from cybersecurity incidents. If you’d like to hear more about this, please listen to episode 11 of The Risk Perspective.
[i] Products claiming to be HIPAA compliant listed in the FAQ:
- Amazon Chime
- Cisco Webex Meetings and Webex Teams
- me (advertises to be a free service)
- Google G Suite Hangouts Meet
- Skype for Business and Microsoft Teams
- Spruce Health Care Messenger
- Zoom for Healthcare
About the Author: David Holtzman