Cybersecurity in Telehealth: Protecting Patient Data
The Rise of Cyberattacks in Telehealth
When it comes to targets in healthcare that criminals want to hit with a cyberattack, a telemedicine consultation might not immediately come to mind. But in fact, telehealth is a ripe arena for cyberattacks. With more patients accessing care virtually, organizations must prioritize timely software updates and secure communication channels, and identity verification methods to protect sensitive health data.
The Business Model of Telehealth
It begins with the business model. Many health systems outsource their telehealth services to third-party organizations. These organizations employ physicians, physician assistants and nurse practitioners who are connected to a patient portal or other front-end access methods. On the middle and back-end of the delivery stack, these telehealth providers are credentialed to work within the health system’s electronic health record, write prescriptions and access patient billing systems.
Vulnerabilities in Telehealth Delivery
Additionally, the same virtual provider can serve multiple health systems under various contracts, which means if one virtual provider is compromised, it could potentially affect the many health systems they serve. Next, consider the technical and administrative access environment. Many of these virtual providers work from home, relying on personal devices and home networks for their tasks: using a personal computer with a personal cell phone for authentication (a situation often referred to as BYOD, or Bring Your Own Device – times two).
Protecting Sensitive Health Data
When working with an outsourced telehealth provider, the first step is to conduct a comprehensive risk assessment of their technical, administrative and physical controls related to their virtual delivery environment. First, management of virtual providers. Evaluate how they manage their virtual providers, including their training, credentialing, identity proofing and ongoing monitoring. How are level of assurance controls managed? These controls allow controlled substances versus standard prescriptions.
Implementing a Proactive Cybersecurity Stance
Hospitals and health systems can enhance their cybersecurity by integrating their telehealth providers’ security measures into their overall security strategy. This involves continuously monitoring the risks associated with their telehealth provider and tracking their progress in mitigating those risks, much like they do for their internal operations.
Conclusion
Telehealth is a high-value target for cybercriminals due to the multiple vulnerabilities across the delivery chain, creating significant opportunities for exploitation. To protect patient trust and compliance with industry standards like HIPAA and HITRUST, healthcare organizations must prioritize timely software updates and secure communication channels, and identity verification methods to protect sensitive health data.
FAQs
Q: What kinds of attacks on telehealth programs is the industry seeing?
A: The healthcare industry is witnessing a rise in cyberattacks characterized by a common sequence: the first being intrusion, the initial step where attackers gain access to a system, followed by lateral movement to find vulnerabilities, when attackers seek credentials to gain access to sensitive data and assets.
Q: What makes telehealth delivery a high-value target?
A: It begins with the business model. Many health systems outsource their telehealth services to third-party organizations. These organizations employ physicians, physician assistants and nurse practitioners who are connected to a patient portal or other front-end access methods.
Q: How can hospitals and health systems adopt a proactive cybersecurity stance specific to telemedicine to ensure both patient trust and compliance with industry standards like HIPAA and HITRUST?
A: Hospitals and health systems can enhance their cybersecurity by integrating their telehealth providers’ security measures into their overall security strategy. This involves continuously monitoring the risks associated with their telehealth provider and tracking their progress in mitigating those risks, much like they do for their internal operations.
