In the past decade, the use of telehealth services has risen sharply, leading to greater convenience for patients and reduced costs. Telehealth has been used for acute injuries, chronic health conditions including type II diabetes, and mental health conditions. Three types of services include: a telehealth visit between a patient and a healthcare provider, a virtual check-in via a phone call or telecommunications method where the patient has provided video or images, and an e-visit where online patient portals are used. Telehealth visits require access to a phone or a computer capable of accessing the internet.
Unfortunately, telehealth security has become a growing concern as cyberattacks have increased. Using a secure patient communication service can lead to increased telehealth security.
How to Become HIPAA Compliant
HIPAA (Health Insurance Portability and Accountability Act) requires health information to remain secure and confidential—this includes telehealth visits. This policy is aligned with core medical ethics, with the overall intention of maintaining a patient’s right to secure and confidential medical care. Because health information is also used outside the clinic, protecting it is crucial. For example, social security numbers listed in healthcare records and a patient’s health history should remain confidential in a medical setting—from the time of the patient’s visit through to the stored medical records.
Encrypted software helps maintain telehealth security but can still be breached. In addition, using a program that is compliant with HIPAA can still lead to violations if the staff is not trained properly. Patients must consent to a telehealth visit and have access to an up-to-date Notice of Privacy Practices.
Some non-public-facing platforms have been implemented in healthcare as a result of restrictions being loosened temporarily during the COVID-19 pandemic. These include Zoom, Skype, and Apple FaceTime. Other telecommunications applications, including Facebook Live, Twitch, and TikTok, are not allowed as they use public-facing features. Patients must be notified of any possible privacy concerns when using telecommunication apps.
Patient information disclosed during a healthcare visit must remain confidential and secure during the visit and after. In the event that telehealth security becomes compromised, there should be procedures in place to minimize losses. Healthcare providers should only conduct telehealth sessions in a private location – such as at home in a private space or in an office – where confidential information cannot be overheard. Healthcare providers acting in bad faith can face licensing issues or disciplinary action.
It’s possible to communicate directly with patients through video, text messaging, and voice using a secure solution without compromising their privacy and risking HIPAA violations. Healthcare providers can contact patients with critical information, and patients can ask questions or ask for help. Communication records are maintained and can be easily and safely forwarded to other members on a patient’s care team. For example, a specialist added to the patient’s care team can conveniently see previous messages sent between the patient and other healthcare providers.
Some platforms securely integrate electronic health records, lab results, imaging results, and direct messages between healthcare providers and patients. Using such a platform is efficient for patients and healthcare providers while also meeting HIPAA security and privacy regulations.
In late October 2020, the FBI (Federal Bureau of Investigation), CISA (Cybersecurity and Infrastructure Security Agency), and the HHS (Department of Health and Human Services) issued an advisory regarding cyberattacks in the Healthcare and Public Health (HPH) sector. Cybercriminals use malware to target the HPH sector across the U.S., which has led to ransomware attacks and data theft. Healthcare services have been disrupted, which is especially concerning in light of the COVID-19 pandemic and increased usage of telehealth services.
In some cases, ransom is demanded for stolen patient data. CISA, FBI, and HHS recommend against paying ransoms. After payment, cybercriminals may refuse to return critical files or may distribute them to third parties. In addition, the large number of cyberattacks leading to ransom payment may spur other criminals to engage in these illegal activities. A single incident or cyberattack can affect thousands of patients for several years.
Classifying Attacks on Healthcare Systems
Attacks are classified into three categories by the US HHS:
The majority of incidents are unauthorized access and hacking. In the past year, hundreds of breaches have been reported to the HHS Office for Civil Rights. Some institutions do not have an adequate cybersecurity system in place or have not trained staff in best practices. Other facilities might not yet know that they suffered a cybersecurity attack due to ineffective monitoring systems.
In the past two years, the United States has been hit by a massive number of ransomware attacks. These affected 966 government agencies and cost over $7.5 billion in 2019.
What Were the Consequences?
These attacks are not only irritating and costly but have also led to serious immediate and long-term consequences. These include:
Patient information must be kept secure to comply with HIPAA and to avoid adverse consequences, including delays in healthcare. At CanoHealth in Miami, Florida, employee email accounts containing sensitive patient information, such as social security numbers and healthcare information, were accessed by an unauthorized user. United Health Services experienced a cyberattack that forced staff to temporarily use offline methods in patient care.
Florida Orthopedic Institute experienced a cyberattack that led to patient information being exposed. In response, the healthcare facility was sued in a class-action lawsuit for $99 million because of its lack of effective security measures.
Some institutions don’t know they have been compromised and may continue to use inadequate systems. It’s important to follow available recommendations and comply with HIPAA to keep patients safe.
As new guidelines are developed, implement them into your patient telehealth and communication workflow as soon as possible. If using cloud services, care must be taken to ensure data integrity and storage. Using a secure and tested platform, such as one receiving a certification from the Health Information Trust Alliance (HITRUST), provides further peace of mind.
In response to the growing number of cyberattacks concurrent with the increased use of telehealth, the FBI, CISA, and HHS recommend that healthcare providers follow these guidelines:
In addition to the above suggestions, it’s important to make personnel involved in telehealth security aware of the recommendations:
When choosing telehealth software, make sure the vendor enters into a business associate agreement (BAA) with you as a healthcare provider, and confirm that the software encrypts data and does not store session data such as video files. If patients have questions about the software used and how their data is handled, be able to answer these questions clearly so patients feel comfortable about their care and the security of their data.