telehealth healthcare cybersecurity

Virtual visits to healthcare providers providing nonemergency services hit record usage as the COVID-19 pandemic took hold. In March through May 2020, telehealth visits increased 149 times compared to the prior nine-month, pre-pandemic weekly average.1 

This rapid growth should not come as a surprise given that, during the heart of the shutdown, many healthcare providers were not seeing patients in their offices. However, as states began reopening in May, telehealth visits still registered 77 times higher than the pre-pandemic baseline in the final week of May 2020.1 

Looking at the data another way, 11 percent of US consumers used telehealth in 2019 versus 46 percent of consumers who used telehealth in 2020. Before COVID-19, telehealth providers achieved approximately $3 billion in annual revenue.2 With the accelerated adoption of telehealth by patients and providers, up to $250 billion of current US healthcare expenditures could become virtual.3

Rapidly Deployed Telehealth Services

Healthcare providers, diagnostic equipment manufacturers, medical device makers, and telehealth platform providers depend on a network of regulations and guidances. HIPAA regulations tend to get the spotlight in the healthcare space, but other regulations and guidances are put forth by the Department of Health and Human Services and the Food and Drug Administration, along with widely accepted cybersecurity best practices. 

Because of the sudden pandemic-related restricted movement orders issued by state and local governments, on March 18, the Office for Civil Rights announced that, during the pandemic, it would not impose penalties for HIPAA noncompliance against providers using out-of-compliance telehealth platforms. This allowed providers to tap into popular teleconferencing services, such as Zoom, Skype, Microsoft Teams, and others.

While the industry needed to do whatever was necessary to safely serve patients in the early days of the pandemic, the rapid widespread acceleration of telehealth platforms and services created vulnerabilities that must be addressed.

Strengthening Telehealth Cybersecurity 

While the overall healthcare cybersecurity landscape is complex, telehealth cybersecurity should focus on endpoint security on the provider side, endpoint security on the patient side, and the security of the data being transmitted. 

Provider Endpoint Security

For the purposes of a telehealth discussion, the endpoints in question are primarily computers, mobile devices, and medical devices used by the provider and patient. When providing virtual care, providers can either be working at their office or remotely from their homes. Patients will, of course, be at home or at another remote location.

When providers are working at a medical facility and accessing the network via a corporate network, at least one side of the equation is more protected. However, when healthcare employees are working remotely, they are navigating some of the same sources of insecurity experienced on the patient side. Regardless, the healthcare provider side of the equation is still a bit easier to manage through policies and practices instead of relying solely on the recommendations shared with patients.

When working remotely, healthcare providers need to follow good cybersecurity practices, such as keeping apps and operating systems updated, accessing the network via a VPN, and using multifactor authentication. Additionally, whether working remotely or in the office, endpoint detection and response is a must.

Endpoint detection and response (EDR) uses cloud intelligence combined with a whitelist, a blacklist, and advanced static prevention to identify threats. Upon execution, robust EDR uses dynamic malware and exploit detection to stop threats in their tracks. When breaches do occur, EDR mitigates and restores functionality with one-click or automated remediation. Therefore, instead of staring at a computer screen displaying a ransomware demand, users can simply roll back to the pre-attack state and resume work.

Patient Endpoint Security

As mentioned, many of the current cybersecurity healthcare standards are designed for a protected network environment, like a hospital or medical office. Patients’ internet connections are not generally designed with this level of security. Unlike with remote employees, healthcare providers cannot require patients to take security measures, but there are steps that can be taken:

  • Educate patients about telehealth cybersecurity threats
  • Recommend patients use a VPN during telehealth services and for medical device usage
  • Utilize multifactor authentication
  • Encourage patients to frequently update all apps and operating systems 
  • Suggest they use anti-malware and antivirus software 
  • Help patients learn to recognize social engineering attacks

Data Encryption

When data is properly encrypted, even when cybercriminals breach telehealth defenses, encrypted health information is of little or no use without the encryption key.

Encryption must be applied to both the stored patient data and to patient data while it is being transmitted:

  • Data encryption at rest protects patient data when it is stored in the cloud or on the premises 
  • Data encryption in transit secures patient data while it is being transmitted, using in-transit encryption standards such as SSL/TLS, with certificates authenticating the server

 

Out of necessity, telehealth adoption accelerated very rapidly, particularly during the early onset of the COVID-19 pandemic. While patients are returning to healthcare facilities for in-person visits, increased telehealth usage is here to stay. Therefore, healthcare organizations must revisit their cybersecurity practices to ensure they have the defenses needed for safe and secure operations. If SilverSky can help, don’t hesitate to contact us.

 

Sources:

  1. “Virtual visits hit record usage with 149-times increase during first wave of COVID-19,” Healthcare Purchasing News, August 10, 2020
  2. McKinsey COVID-19 Physician Survey, May 2020
  3. Medicare telemedicine healthcare provider fact sheet, March 17, 2020, cms.gov

 
