Telehealth privacy and security: a technical and user education challenge

Author: Phil Muncaster

The telehealth market exploded during the COVID-19 pandemic. The delivery of remote healthcare services was essential for many patients and healthcare providers. It protected both parties from the novel coronavirus while ensuring people received treatment for serious health conditions. Yet with its growing use come new challenges around telehealth privacy and security.

For healthcare organizations (HCOs), overcoming privacy and security concerns in telehealth means ensuring that back-end systems are secure and compliant with federal laws restricting the release of medical information. It also means your customers must understand how to secure their devices.

The telehealth market leaps forward

The telehealth market soared in 2020. Patients eschewed visits to clinics and hospitals. HCOs expanded their offerings to include remote consultations. A $200 million grant from the Federal Communications Commission to eligible providers helped spur the shift, too.

During the first four months of the pandemic, telehealth visits accounted for 24% of the medical interactions in the United States—compared to less than 1% in the same period in 2019. And, according to the Centers for Disease Control and Prevention, the percentage of health centers that could provide telehealth services soared from 43% in 2019 to 95% a year later.

Telehealth isn't solely about video consultations, either. It can include remote patient monitoring and the remote management of connected devices, such as smart medication dispensers. For these applications, providers and patients need access to three key IT elements:

  • Secure, reliable connectivity
  • Remote monitoring services and applications for real-time communications
  • Connected devices, such as smartphones and tablets

Telehealth privacy and security concerns

Wherever you can find sensitive data, you can usually find cyber criminals sniffing around for a way to steal it. Personal information is one of the most significant privacy and security concerns in telehealth. Medical data is particularly lucrative on underground sites. It holds a lot of personal, financial and health-related information, which can be used to create false identities, commit fraud, open credit lines and illegally get prescription drugs or medical equipment. It could even be used to extort victims.

Data breaches in the healthcare vertical rose 71% between 2019 and 2020, according to the 2020 Data Breach Investigations Report. And there was a "notable increase," SecurityScorecard reports, in mentions of the top 20 telemedicine companies and more electronic private health information (ePHI) for sale on the dark web in 2020.

How do attacks work?

So how do cyber criminals exploit telehealth privacy and security to get at this data? According to the DBIR, human error is the most common attack vector. But web applications are a close second.

Web applications can be a direct route to patient data if attackers can steal user logins or exploit vulnerabilities in the code. The U.S. government lifted restrictions on the use of consumer-grade communication apps for telehealth, but those apps could be configured to unwittingly give third parties access to private information and communications, a Harvard Medical School team notes.

"For example, Zoom, currently one of the most popular video conferencing platforms, has had a tenfold increase in usage over just a few months including increased use in healthcare, leading to several important privacy considerations, such as intruders joining video conferences or inadequate encryption of communications, leading to the possibility of eavesdropping," the team wrote in the Journal of the American Medical Informatics Association.

Some of the key cyber threats behind telehealth privacy and security concerns include:

  • Exploited vulnerabilities in web apps
  • Stolen telehealth app credentials (e.g., by sending phishing emails or texts)
  • Malware hidden in legitimate-looking telehealth apps
  • Exploited misconfigurations or security issues in consumer-grade communications apps

Navigating privacy and security concerns in telehealth

Many privacy and security concerns in telehealth can be addressed by adhering to federal privacy laws. Compliant HCOs should have various measures in place to protect their IT systems from attack, including:

  • Strong authentication and access controls to ensure that only authorized users can access ePHI
  • A secure communications system and network to protect ePHI in transit
  • Communications monitoring to prevent leaks and breaches

Your role extends beyond securing your network and systems, though. You must educate less tech-savvy patients on safety best practices to ensure that their devices and networks are properly protected. Threat actors will always look for the weakest link in any ecosystem—and if it is not on your end, it might be on the patients'.

Communicating with patients

According to the Verizon Mobile Security Index 2021, 40% of organizations consider mobile devices the biggest IT security threat. To protect patients from threats to telehealth privacy and security, advise them to:

  • Keep devices updated with the latest software and operating system version
  • Install anti-malware software from a reputable provider
  • Avoid downloading apps from third-party stores
  • Avoid clicking on links in unsolicited text messages or emails
  • Use two-factor authentication to protect their accounts

The benefits of managed platforms

Your organization focuses on providing excellent patient care—not IT expertise. A managed services provider can help you with some of the heavy lifting behind the scenes. Managed services for telehealth can cover a broad range of services, such as reliable connectivity, mobile device management, encrypted communications and enterprise-grade applications for remote consultations. As seen in the 2021 Data Breach Investigations Report, human error continues to beset the healthcare industry through misdelivery of documents and miscellaneous errors. Most importantly, a managed services provider can ease some of the biggest privacy and security concerns in telehealth.

Here are just a few of the benefits:

  • Everything is done for you, so you can focus on providing outstanding patient care.
  • Services are enterprise-grade, skirting the challenges associated with consumer tools.
  • Managed services can include threat detection and incident response to tackle telehealth privacy and security concerns.
  • Your IT team is free to focus on higher-value strategic work.
  • Outsourcing to a third party can reduce upfront capital expenditure on technology and ongoing operating expenditures.
