The Healthcare and Public Health Sector Coordinating Council (HSCC) recently released a report titled Health Industry Cybersecurity – Securing Telehealth and Telemedicine. The report outlines the current cyber threats facing telehealth and the steps healthcare facilities should take to reduce their risk.
The report comes in the wake of the Covid-19 pandemic, which makes it a timely advisory for healthcare providers. Reports show that over 30 percent of weekly medical visits occurred via telehealth platforms between June 26 and November 6, 2020. Telehealth is the new norm, and healthcare providers need to safeguard telehealth systems and electronic protected health information (ePHI) against common cyber attacks.
We’re summarizing HSCC’s report to inform and support our healthcare partners.
Understanding the Threat Landscape
Telehealth platforms (the umbrella term for electronic healthcare communication) and telemedicine services (the narrower term for remote clinical practice) are both targets for cyber attacks. The report emphasizes that telehealth and telemedicine are valuable and plentiful targets for cyber criminals. Telehealth joins many networks (the provider's, the platform vendor's, and the patient's home network) and carries sensitive patient information across them, which makes it a prime source of data exposure risk.
HSCC lists the three most common impacts following a successful attack against these telehealth systems as:
- Compromise of Confidentiality: Identity and personal data are the core of patient privacy, and cyber criminals target this information directly. Both patients and healthcare organizations are at risk when identifying information falls into the wrong hands. Compromises of confidentiality include theft of personally identifiable information (PII), bulk data exfiltration, and credential harvesting.
- Compromise of Integrity: Cyber criminals also target the inner workings of healthcare systems. When compromising integrity, attackers manipulate clinical data or tamper with financial transaction systems. Incidents of this kind are costly and hard to recover from, because every altered record has to be identified and restored before the data can be trusted again.
- Compromise of Availability: Attacks on availability are especially dangerous in healthcare. Ransomware and denial-of-service attacks can stall operations and delay patient care.
Telehealth and telemedicine platforms can provide a safe and accessible way for patients to speak with their medical providers. Unfortunately, that access brings data exposure risk with it. Cyber criminals exploit vulnerabilities in systems and networks to steal information and disrupt internal operations, so healthcare facilities need to stay current on telehealth security threats and take proactive measures to prevent data loss.
Telehealth Security: Considerations for Healthcare Facilities
In addition to outlining the latest telehealth security risks, HSCC provides cybersecurity considerations for healthcare facilities. These help organizations raise security awareness, deploy the right security tools, and respond appropriately to threats. The main considerations include:
- Technology & Vendor Protocol: HSCC emphasizes the importance of vetting healthcare technology and third-party vendors. Managers should define a protocol for technology procurement and deployment that weighs security risk at every step. A vendor's or product's cyber risk is shaped at each stage of its supply chain, from development through distribution and integration into the facility's environment.
This diligence does not end at deployment. HSCC encourages healthcare facilities to plan for updates, patches, monitoring, and maintenance for both new and legacy systems.
- End User Management: Telehealth presents unique cyber security challenges since the patients also play a role in security. Improper use of these platforms could lead to accidental disclosure of sensitive information.
HSCC's report includes end-user management among its recommendations. Healthcare facilities should give patients basic guidelines and instruction for secure telehealth and telemedicine use, such as joining visits from a private home network rather than a shared or public one.
Credentials and user verification are also key parts of end-user management. Telehealth platforms should require unique credentials for every patient, such as strong passwords, security questions, and multi-factor authentication (MFA). Of these, MFA adds the most protection: passwords and security questions are both knowledge factors and can be phished or guessed, while a second factor tied to a device is not compromised by a leaked password alone. Encrypting patient communications protects patient identities and ePHI as well.
- User & Event Monitoring: Healthcare organizations need to know who is using telehealth platforms and when. Monitoring makes it possible to spot an unauthorized user accessing the platform, or a legitimate account behaving unusually, and to decide whether the activity is a threat. HSCC recommends logging and monitoring all user and administrative access to the system.
- Data Risks & Controls: The report outlines a wide range of recommendations on data risks and controls. Healthcare facilities should establish clear processes for exchanging ePHI and PII, particularly for how the provider exchanges information with the patient. For example, if a physician sends patient information electronically while speaking to the patient on a video call, that workflow needs to be documented: which channel carries the data, and who may send and receive it.
It is also important to specify which security protections apply to each type of data, including measures such as end-to-end encryption for the data being exchanged.
- Encryption: As mentioned, data encryption is a significant part of telehealth security. HSCC recommends that healthcare facilities encrypt end-to-end communication channels, as well as data in transit and at rest. If the telehealth system is integrated with another system, such as billing or pharmacy, the data exchanged with and stored in those systems should be encrypted as well.
Email is another important consideration. If providers or administrators use email to communicate with patients, those channels should be encrypted too. Otherwise, anyone who compromises a mailbox or mail server, or who intercepts the message in transit, can read patient data.
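To show what the MFA recommendation in the End User Management item looks like on the server side, here is an added example in Python (not from the HSCC report or any telehealth vendor) using only the standard library. It implements RFC 4226 HOTP and RFC 6238 TOTP and adds two checks a production verifier needs: a one-step clock-drift window, and a per-user record of the last accepted time step so that a code captured by phishing cannot be replayed. The `TotpVerifier` class, the in-memory replay store and the user names are assumptions for the example; the test secret is the one published in RFC 4226.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side TOTP check with clock-drift tolerance and replay protection.

    The replay store is an in-memory dict here (an assumption for this example);
    a real platform keeps the last accepted counter per user in persistent storage
    shared by all application servers."""

    def __init__(self, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.step, self.digits, self.drift = step, digits, drift_steps
        self.last_counter = {}  # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, submitted: str, now: int = None) -> bool:
        # Reject malformed input before doing any comparison.
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            # A code for a step at or before one already accepted is a replay.
            if counter <= self.last_counter.get(user, -1):
                continue
            expected = hotp(secret, counter, self.digits)
            # Constant-time comparison so response timing leaks nothing about the code.
            if hmac.compare_digest(expected, submitted):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 4226 test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    verifier = TotpVerifier()
    code = totp(secret, 59)
    print("first use:", verifier.verify("pat.jones", secret, code, now=59))
    print("replay   :", verifier.verify("pat.jones", secret, code, now=59))
```

The drift window is deliberately small: each extra step a verifier accepts widens the set of valid codes and lengthens the replay window, so keep it at one step and fix clock skew at the source. A verifier like this still needs rate limiting in front of it, since a six-digit code can be brute-forced if unlimited attempts are allowed.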
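As an added example of the User & Event Monitoring item above (not code from the report or from any telehealth platform), the following Python script runs four detection rules over a constructed JSON-lines audit log: a clinician opening a record for a patient outside their care team, a patient account opening another patient's record, a privileged action performed by a non-admin role, and a successful login after repeated failures. The log format, the field names, the `CARE_TEAM` and `PATIENT_OWNS` lookup tables and the failed-login threshold are all assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample audit log in JSON-lines form. The event names and fields
# are assumptions for this example, not any telehealth vendor's format.
SAMPLE_LOG = """\
{"ts": "2021-03-01T09:00:12Z", "user": "dr.smith", "role": "clinician", "event": "login", "ok": true, "ip": "203.0.113.10"}
{"ts": "2021-03-01T09:01:40Z", "user": "dr.smith", "role": "clinician", "event": "view_record", "patient": "P-1001", "ip": "203.0.113.10"}
{"ts": "2021-03-01T09:02:05Z", "user": "dr.smith", "role": "clinician", "event": "view_record", "patient": "P-2002", "ip": "203.0.113.10"}
{"ts": "2021-03-01T09:10:00Z", "user": "pat.jones", "role": "patient", "event": "login", "ok": false, "ip": "198.51.100.7"}
{"ts": "2021-03-01T09:10:05Z", "user": "pat.jones", "role": "patient", "event": "login", "ok": false, "ip": "198.51.100.7"}
{"ts": "2021-03-01T09:10:09Z", "user": "pat.jones", "role": "patient", "event": "login", "ok": false, "ip": "198.51.100.7"}
{"ts": "2021-03-01T09:10:14Z", "user": "pat.jones", "role": "patient", "event": "login", "ok": false, "ip": "198.51.100.7"}
{"ts": "2021-03-01T09:10:20Z", "user": "pat.jones", "role": "patient", "event": "login", "ok": true, "ip": "198.51.100.7"}
{"ts": "2021-03-01T09:12:30Z", "user": "pat.jones", "role": "patient", "event": "view_record", "patient": "P-1001", "ip": "198.51.100.7"}
{"ts": "2021-03-01T09:15:00Z", "user": "pat.jones", "role": "patient", "event": "view_record", "patient": "P-3003", "ip": "198.51.100.7"}
{"ts": "2021-03-01T22:30:00Z", "user": "helpdesk1", "role": "support", "event": "admin_reset_password", "target": "dr.smith", "ip": "192.0.2.55"}
"""

# Assumed authorization context the platform would hold: which patients each
# clinician is treating, which record each patient account owns, and which
# roles are allowed to perform admin_* events.
CARE_TEAM = {"dr.smith": {"P-1001"}}
PATIENT_OWNS = {"pat.jones": "P-1001"}
ADMIN_ROLES = {"admin"}
FAILED_LOGIN_THRESHOLD = 3  # consecutive failures before a later success is suspicious


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, user, timestamp) findings in log order."""
    findings = []
    failed = defaultdict(int)  # consecutive failed logins per user
    for e in events:
        user, role, kind = e["user"], e["role"], e["event"]
        if kind == "login":
            if e["ok"]:
                if failed[user] >= FAILED_LOGIN_THRESHOLD:
                    findings.append(("login_after_repeated_failures", user, e["ts"]))
                failed[user] = 0
            else:
                failed[user] += 1
        elif kind == "view_record":
            patient = e["patient"]
            if role == "patient" and PATIENT_OWNS.get(user) != patient:
                findings.append(("patient_cross_record_access", user, e["ts"]))
            elif role == "clinician" and patient not in CARE_TEAM.get(user, set()):
                findings.append(("access_outside_care_relationship", user, e["ts"]))
        elif kind.startswith("admin_") and role not in ADMIN_ROLES:
            findings.append(("privileged_action_by_unprivileged_role", user, e["ts"]))
    return findings


def run(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for rule, user, ts in run():
        print(f"{ts} {user}: {rule}")
```

The care-relationship and record-ownership rules only work if the platform logs the patient identifier on every record access, and the privileged-action rule depends on the log carrying the actor's role rather than just a username; both are worth confirming when evaluating a vendor's logging before the platform goes live.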
The HSCC report also emphasizes mobile device security, data loss prevention tools, privileged account management, advanced logging capabilities, and security incident response. Adopting telehealth and telemedicine best practices is a large-scale security effort, which is why many healthcare organizations benefit from partnering with a healthcare cybersecurity provider.
Outsourcing security efforts gives healthcare facilities reliable telehealth management and monitoring regardless of the capabilities of their in-house IT team. A cybersecurity provider can run telehealth and telemedicine assessments to establish the current state of security and recommend further steps, leaving the healthcare IT team free to focus on everyday technical needs and patient care.
Fortified Health Security (Fortified) is proud to offer a suite of healthcare cybersecurity services for facilities of all sizes. The Fortified ecosystem provides advisory services, a healthcare security operations center (SOC), and threat assessment and intelligence services. Based in Franklin, TN, our experts work with organizations to evaluate risk and strengthen their cybersecurity posture for long-term data loss prevention. Contact us today to analyze your telehealth security.