What Healthcare Needs to Keep PHI Secure in the Cloud

In the past decade, the use of telehealth services has risen sharply, leading to greater convenience for patients and reduced costs. Telehealth has been used for acute injuries, chronic health conditions including type II diabetes, and mental health conditions. Three types of services include: a telehealth visit between a patient and a healthcare provider, a virtual check-in via a phone call or telecommunications method where the patient has provided video or images, and an e-visit where online patient portals are used. Telehealth visits require access to a phone or a computer capable of accessing the internet.

Unfortunately, telehealth security has become a growing concern as cyberattacks have increased. Using a secure patient communication service can lead to increased telehealth security.

What Is HIPAA Compliance?

HIPAA (Health Insurance Portability and Accountability Act) requires health information to remain secure and confidential—this includes telehealth visits [2]. This policy is aligned with core medical ethics, with the overall intention of maintaining a patient’s right to secure and confidential medical care. In cases where health information can interact with other areas of society, the protection of this information is crucial. For example, social security numbers listed in healthcare records and a patient’s health history should remain confidential in a medical setting—from the time of the patient’s visit to stored medical records.

Encrypted software helps maintain telehealth security but can still be breached. In addition, using a program that is compliant with HIPAA can still lead to violations if the staff is not trained properly. Patients must consent to a telehealth visit and have access to an up-to-date Notice of Privacy Practices.

Some non-public facing platforms have been implemented in healthcare as a result of restrictions being loosened temporarily during the COVID-19 pandemic. These include Zoom, Skype, and Apple FaceTime [2]. Other telecommunications applications, including Facebook Live, Twitch, and TikTok are not allowed as they use public-facing features. Patients must be notified of any possible privacy concerns when using telecommunication apps.

Patient information disclosed during a healthcare visit must remain confidential and secure during the visit and after. In the event that telehealth security becomes compromised, there should be procedures in place to minimize losses. Healthcare providers should only conduct telehealth sessions in a private location – such as at home in a private space or in an office – where confidential information cannot be overheard. Healthcare providers acting in bad faith can face licensing issues or disciplinary action.

It’s possible to communicate directly with patients through video, text messaging, and voice using a secure solution without compromising their privacy and risking HIPAA violations. Healthcare providers can contact patients with critical information, and patients can ask questions or ask for help. Communication records are maintained and can be easily and safely forwarded to other members on a patient’s care team. For example, a specialist added to the patient’s care team can conveniently see previous messages sent between the patient and other healthcare providers.

Some platforms securely integrate electronic health records, lab results, imaging results, and direct messages between healthcare providers and patients. Using such a platform is efficient for patients and healthcare providers while also meeting HIPAA security and privacy regulations.

Unprecedented Attacks on Healthcare Systems

In late October 2020, the FBI (Federal Bureau of Investigation), CISA (Cybersecurity and Infrastructure Security Agency), and the HHS (Department of Health and Human Services) issued an advisory regarding cyberattacks in the Healthcare and Public Health (HPH) sector [3]. Cybercriminals use malware to target the HPH sector across the U.S., which has led to ransomware attacks and data theft. Healthcare services have been disrupted, which is especially concerning in light of the COVID-19 pandemic and increased usage of telehealth services [3].

In some cases, ransom is demanded for stolen patient data. CISA, FBI, and HHS recommend against paying ransoms. After payment, cybercriminals may refuse to return critical files or may distribute them to third parties. In addition, the large number of cyberattacks leading to ransom payment may spur other criminals to engage in these illegal activities. A single incident or cyberattack can affect thousands of patients for several years.

Classifying Attacks on Healthcare Systems

Attacks are classified into the following categories by the US HHS [4]:

  • Unauthorized Access or Disclosure
  • Hacking or IT Breach
  • Loss
  • Improper Disposal
  • Theft

The majority of incidents are unauthorized access and hacking. In the past year, hundreds of breaches have been reported to the HHS Office for Civil Rights. Some institutions do not have an adequate cybersecurity system in place or have not trained staff in best practices. Other facilities might not yet know that they suffered a cybersecurity attack due to ineffective monitoring systems.

Keeping Patient Information Storage and Communication Systems Secure

In the past two years, the United States has been hit by a massive number of ransomware attacks. These affected 966 government agencies and cost over $7.5 billion in 2019 [5].

What Were the Consequences?

These attacks are not only irritating and costly but have also led to serious immediate and long-term consequences. These include [5]:

  • Redirection of patients needing emergency care
  • Inability to access medical records
  • Loss of medical records
  • Postponed medical tests and cancellation of surgical procedures
  • Interrupted emergency services
  • Legal costs if healthcare systems are found to be negligent in telehealth security

Patient information must be kept secure to comply with HIPAA and avoid adverse consequences, including delays in healthcare. At CanoHealth in Miami, Florida, an unauthorized user accessed employee email accounts that contained sensitive patient information, such as social security numbers and healthcare information [6]. Universal Health Services experienced a cyberattack that forced staff to temporarily use offline methods in patient care [7].

Florida Orthopedic Institute experienced a cyberattack that led to patient information being exposed. In response, the healthcare facility was sued in a class-action lawsuit for $99 million because of its lack of effective security measures [8].

Some institutions don’t know they have been compromised and may continue to use inadequate systems. It’s important to follow available recommendations and comply with HIPAA to keep patients safe.

As new guidelines are developed, implement them into your patient telehealth and communication workflow as soon as possible. If using cloud services, care must be taken to ensure data integrity and storage. Using a secure and tested platform, such as one receiving a certification from the Health Information Trust Alliance (HITRUST), provides further peace of mind.

Specific Guidelines on Securing Patient Information

In response to the growing number of cyberattacks concurrent with the increased use of telehealth, the FBI, CISA, and HHS recommend that healthcare providers follow these guidelines:

  • Keep up-to-date with the Health Information Sharing and Analysis Center (H-ISAC) and with CISA, FBI, and HHS
  • Back up data frequently
  • Create backups of telehealth systems and medical records offline
  • Test backups regularly
  • Create a cyberattack response plan
  • Keep secured networks physically separate from unsecured networks
  • Password-protect files offline
  • Implement a data recovery plan
  • Keep sensitive data and servers in a physically secure location
  • Update software regularly
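The backup items in the list above (back up frequently, keep an offline copy, test backups regularly) only protect patient records if a restore can be shown to be intact. The following Python script is an added example, not code from the original article or from any product it mentions. It writes a SHA-256 manifest of a record tree at backup time and later checks a restored copy against that manifest, reporting files that are missing, altered, or not expected at all. Every file name and file content in it is constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large records do not sit in memory


def sha256_file(path):
    """Hex SHA-256 digest of one file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file's path (relative to source_dir, POSIX style) to its digest.

    Run this when the backup is taken and store the result with the offline copy.
    """
    source_dir = Path(source_dir)
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def verify_restore(restore_dir, manifest):
    """Check a restored tree against the manifest.

    Returns (ok, problems): ok is True only when every manifest entry is present
    with a matching digest and no extra files appeared in the restore.
    """
    restore_dir = Path(restore_dir)
    problems = []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupted: {rel}")
    # Files in the restore that the manifest never recorded are flagged too;
    # they may be stale data or something injected into the backup set.
    for p in restore_dir.rglob("*"):
        rel = p.relative_to(restore_dir).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def demo():
    """Constructed scenario: one clean restore, one with a lost and an altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "lab").mkdir(parents=True)
        (src / "notes.txt").write_text("constructed sample record\n")
        (src / "lab" / "panel.csv").write_text("test,value\nA1C,6.1\n")

        manifest = build_manifest(src)
        # The manifest travels with the backup so the test restore can be checked later.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        ok_good, _ = verify_restore(good, manifest)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "lab" / "panel.csv").write_text("test,value\nA1C,9.9\n")  # silently altered
        (bad / "notes.txt").unlink()  # lost during restore
        ok_bad, problems = verify_restore(bad, manifest)

        return ok_good, ok_bad, sorted(problems)


if __name__ == "__main__":
    ok_good, ok_bad, problems = demo()
    print("clean restore ok:", ok_good)
    print("damaged restore ok:", ok_bad, problems)
```

Treat any reported problem as a failed backup test: a restore that comes back with an altered lab result or a missing note is exactly the silent failure that a scheduled "test backups regularly" step is meant to catch before an incident forces a real restore.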

In addition to the above suggestions, it’s important to make personnel involved in telehealth security aware of the recommendations:

  • Users should be trained in the software they use and in general security practices
  • Users should routinely change their passwords and avoid sharing passwords with other employees
  • Employees and stakeholders should be made aware of threats and how to prevent them
  • Employees should have a contact point for when they believe they have identified or experienced a cyberattack
  • Employees should be routinely trained regarding HIPAA and required protocols

When choosing telehealth software, make sure the vendor enters a business associate agreement with you as a healthcare provider, and confirm that the software encrypts data and does not store things like video files. If patients have questions about the software used and how data is handled, be able to answer these questions clearly so patients feel comfortable about their care and the security of their data.

How can we help? TigerConnect specializes in serving healthcare providers and ensures telehealth security with our easy-to-use patient and clinical telecommunications platform. Request a demo today.

References

  1. Medicare telemedicine health care provider fact sheet. Retrieved from https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet (Accessed on April 10, 2020).
  2. US Health and Human Services. Notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. (2020, March 30). Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
  3. Alert (AA20-302A). (2020, October 28). Retrieved from https://us-cert.cisa.gov/ncas/alerts/aa20-302a
  4. Breach Report. Retrieved from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  5. The State of Ransomware in the US: Report and Statistics. (2019, December 12). Retrieved from https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/
  6. CanoHealth Advises Patients of Potential Data Security Issue. (2020, June 12). Retrieved from https://canohealth.com/cano-health-advises-patients-of-potential-data-security-issue/
  7. Statement from Universal Health Services. (2020, October 29). Retrieved from https://www.uhsinc.com/statement-from-universal-health-services/
  8. One of Florida’s largest orthopedic providers faces a class-action lawsuit after a data breach. (2020, July 2). Retrieved from https://www.abcactionnews.com/money/consumer/taking-action-for-you/one-of-floridas-largest-orthopedic-providers-faces-class-action-lawsuit-after-data-breach

Will O’Connor, M.D. is the Chief Medical Information Officer at TigerConnect. As a physician executive with more than 20 years of healthcare experience, Will is a passionate advocate for rapid advancement across the healthcare industry.