Telehealth Privacy and Security


The Coronavirus pandemic has catalyzed a rapid increase in telehealth adoption. Leveraging telehealth platforms, patients are able to speak with doctors and nurses without risking exposure for themselves or others.

The increase has been so drastic that the U.S. Department of Health and Human Services and its Office for Civil Rights (OCR) and the FBI have released special guidance related to the use of telehealth systems, particularly on how they have come under attack by malicious actors and advanced persistent threats (APT).

For privacy and security practitioners in healthcare, the increased use of telehealth and the accompanying government attention signal the need to learn more about telehealth systems, the security risks associated with their use, and strategies for mitigating those risks.

Telehealth and Protected Health Information

Telehealth is the use of systems and services to provide health care diagnoses and to connect providers to patients remotely. Often, patients will use applications on their devices to connect via videoconference with doctors.

Similar to a conventional provider environment like a hospital or urgent care office, patients must relay information like their birthdate, age and medical history as well as their current symptoms during a telehealth session. The doctor can then prescribe medicine or treatment based on this virtual visit. All of this information is considered protected health information (PHI), which means it must be protected according to HIPAA requirements.

Companies that use or develop telehealth software must ensure their telehealth solution is adequately vetted, configured and used in a way that demonstrates HIPAA compliance and protects the privacy and security of patients’ PHI.

Security Risks – New “Friends” and Familiar Faces

Telehealth relies on many of the products and technologies with which we are already familiar in both professional and consumer settings. As such, telehealth systems are prone to many of the same vulnerabilities and risks.

Attackers can intercept data transmitted between the patient and provider during telehealth sessions if encryption and authentication protocols are not properly utilized. Or they could hijack a legitimate user’s credentials and impersonate them during a session, adding a layer of complexity to identity theft. In this situation, the victim’s healthcare records could be inaccurately modified, potentially affecting their care for years to come until the illegitimate modifications are rectified.

These types of attacks occur in real time. But attackers can also exploit telehealth environments to obtain patient data at rest. In some instances, recordings, notes and patient data collected or created during sessions could be saved to servers or smartphones. If these devices are not adequately encrypted, they could be the targets of a successful data exfiltration attempt.
