The Privacy and Security Issues of Expanding Telehealth
Telehealth is the distribution of health-related services and information via electronic channels allowing long-distance patient and clinician contact, care, advice, reminders, education, intervention, monitoring, and remote admissions.
Adoption has increased manyfold due to COVID-19, with patients unable to travel to meet their doctors.
It is important to understand that telehealth systems are susceptible to cyber breaches that threaten the confidentiality, integrity, and availability of patients' electronic medical records. Those records contain very sensitive information that must not be accessible to unauthorized persons if patient privacy, integrity, and confidentiality are to be protected.
The flip side is that this information needs to be readily available whenever authorized users require it for a legitimate purpose. Telehealth presents all of the security issues of any other electronic transmission, but probably the most important is availability: signal interference, interrupted transmissions, or outages cause real harm. Denial-of-service (DoS) attacks that produce outages present an even greater risk to patients who depend on telehealth services.
Attacks on the telehealth network can be grouped into two broad categories depending on their type:
Active attacks: These attacks include modification, interruption, or fabrication of patient information.
Passive attacks: These attacks involve the interception of information but not its alteration. They are carried out by monitoring a system while it performs its tasks and collecting what it transmits, through eavesdropping, sniffing, or traffic analysis. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user, and because nothing is changed they are far harder to detect than active attacks.
Hence, this poses a big challenge – How can Telehealth be seamless, fast yet secure?
Telehealth providers should take several steps to ensure their patient encounters are private and secure. Providers should ensure that all transmissions are encrypted and that remote connections use strong, preferably two-factor, authentication. They should also set aside private rooms for telehealth sessions and provide redundant, multiple paths for connectivity, power, and service.
Mitigating Security risks in Telehealth
Security in telehealth begins with establishing best practices, cyber hygiene and rolling out standard operating procedures.
1. Improve Platform Security: The HIPAA Security Rule requires providers to place technical safeguards, encryption among them, around the electronic protected health information they exchange with patients. However, patients' devices are often the weakest link and fall prey to attackers.
2. Privileged Access & Authentication: Continuous identity authentication ensures that only authorized individuals have access to data. Identity authentication can be accomplished through a variety of approaches.
Multi-factor authentication, the requirement to present two independent pieces of evidence to sign in, is among the most common and has been reported to block 99.9 percent of automated account-compromise attacks.
Beyond this, users need strong, unique passwords not just for their telehealth platform accounts but across all of their online logins and accounts.
3. Investing in Patient Education: Cybersecurity ultimately relies on the end user. As attackers continuously exploit new vulnerabilities, developers and security experts are in a constant race to keep up with new threats. However, security is only as strong as its weakest link, and here that is the patient.
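As an added illustration of the second factor recommended above (this is example code written for this page, not part of the original article or any vendor's product), the block below implements RFC 6238 time-based one-time passwords on the server side using only the Python standard library. It shows the two checks a practitioner needs beyond simply recomputing the code: a small clock-skew window so a patient's phone being a few seconds off does not lock them out, and replay protection so a code observed by a passive eavesdropper cannot be reused. The secret is the RFC 6238 reference secret, used here so the output can be checked against the published test vectors; the `TotpVerifier` class and its `skew_steps` parameter are names chosen for this example.

```python
import hmac
import hashlib
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"), used so results
# match the RFC's published test vectors. In production every user gets a
# random secret provisioned once (for example via a QR code) and stored server-side.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of the second factor for one user (example class, not a library API).

    skew_steps: how many 30-second steps either side of 'now' to accept, to tolerate clock drift.
    last_accepted_counter: highest counter that already logged this user in; a real
    deployment persists it per user so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            # Replay protection: never accept a counter at or below one already used.
            if counter <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, counter)
            # Constant-time comparison so response timing does not leak digit matches.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, 59)          # "287082" per RFC 6238 Appendix B
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

The same code that is valid once is rejected the second time, which is the property that makes a one-time password worth more than a static password against the eavesdropping described earlier in the article. Note that TOTP is still phishable in real time; the article's recommendation of strong authentication is a floor, not a ceiling.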
Healthcare providers should educate patients about cybersecurity and the steps they should take to improve the overall safety by:
● Educating patients about the telehealth security threats
● Using a VPN for providing telehealth services and general device usage
● Frequently updating all apps and operating systems, not just telehealth platforms
● Advising on frequent anti-malware and virus scans
● Restricting app permissions
Similarly with privacy, it is crucial that healthcare entities are aware of all the privacy and consent requirements that come with providing telehealth in non-emergency times, as many of them differ from the relaxed requirements currently being enforced during the public health emergency.
Other privacy and security concerns related to telehealth include how healthcare providers store, access and manage sensitive patient information.
Providers need to take steps to reduce the risk of data breaches, including implementing encryption of data at rest, offering end-user training, automating compliance enforcement, and utilizing insider threat monitoring.
Risk Management Framework – Managing & Measuring what matters
A risk management program lets you manage overall information security risk: it is an approach to identify, quantify, mitigate, and monitor risks. Looking at risk comprehensively ensures that no one area gets too much attention, or too little. Frameworks also help you identify the larger elements of risk that need review and mitigation, and help you prioritize the treatment of particular risks. Adhering to a recognized risk framework also gives your customers comfort that standard risk management is in place, and hence reduces your audit burden.
Typically, a risk management program comprises the following phases:
● Risk identification
● Risk analysis
● Risk evaluation
● Risk treatment
● Risk monitoring
A good risk management framework will have the following characteristics:
● Comprehensive in the types of risk it covers
● Practical for an organization to implement
● Updated with current real-world risks
● Based on controls that can be reviewed and audited
● Reliable, so that your vendors and customers can accept it
There are many risk management frameworks to choose from, and it is important to understand the advantages of each. Common risk management frameworks include:
● NIST CSF
● SOC 2
● ISO 27001
● HITRUST
The NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) is a comprehensive framework that is very widely accepted across company sizes and business domains. Most cyber-security professionals are familiar with it because it is freely available. Although widely available and very popular, it has no certified third-party audit mechanism, so it can only be self-assessed.
SOC 2 Type 2 is an internal controls report based on a scope you define. It is widely used in the United States to show the maturity of your controls. A CPA firm that is a member of the American Institute of CPAs (AICPA) conducts the audit and issues the report; the AICPA itself does not audit or review the assessment for completeness or quality.
HITRUST CSF is a framework that leverages NIST, SOC, ISO and others to create a more comprehensive standard. It is widely implemented in the United States by organisations in the healthcare space. Unlike the others, although external assessors are involved in the certification process, HITRUST reviews every assessment and issues the certificate itself. Among the frameworks above, it also tends to be the most expensive to implement.
It is important to choose a framework that matches your long-term security goals and needs. At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation by augmenting our team into your security team to steer the rollout, resolve queries, select the right controls and workarounds during mitigation advisory, facilitate the selection of vendors and products, and provide end-to-end program management.