Healthcare Cybersecurity Must Keep Pace with Skyrocketing Telehealth Usage

telehealth healthcare cybersecurity

Virtual visits to healthcare providers providing nonemergency services hit record usage as the COVID-19 pandemic took hold. In March through May 2020, telehealth visits increased 149 times compared to the prior nine-month, pre-pandemic weekly average.1 

This rapid growth should not come as a surprise given that, during the heart of the shutdown, many healthcare providers were not seeing patients in their offices. However, as states began reopening in May, telehealth visits still registered 77 times higher than the pre-pandemic baseline in the final week of May 2020.1 

Looking at the data another way, 11 percent of US consumers used telehealth in 2019 versus 46 percent of consumers who used telehealth in 2020. Before COVID-19, telehealth providers achieved approximately $3 billion in annual revenue.2 With the accelerated adoption of telehealth by patients and providers, up to $250 billion of current US healthcare expenditures could become virtual.3

Rapidly Deployed Telehealth Services

Healthcare providers, diagnostic equipment manufacturers, medical device makers, and telehealth platform providers depend on a network of regulations and guidances. HIPAA regulations tend to get the spotlight in the healthcare space, but other regulations and guidances are put forth by the Department of Health and Human Services and the Food and Drug Administration, along with widely accepted cybersecurity best practices. 

Because of the sudden pandemic-related restricted movement orders issued by state and local governments, on March 18, the Office for Civil Rights announced that, during the pandemic, it would not impose penalties for HIPAA noncompliance against providers using out-of-compliance telehealth platforms. This allowed providers to tap into popular teleconferencing services, such as Zoom, Skype, Microsoft Teams, and others.

While the industry needed to do whatever was necessary to safely serve patients in the early days of the pandemic, the rapid widespread acceleration of telehealth platforms and services created vulnerabilities that must be addressed.

Strengthening Telehealth Cybersecurity 

While the overall healthcare cybersecurity landscape is complex, telehealth cybersecurity should focus on endpoint security on the provider side, endpoint security on the patient side, and the security of the data being transmitted. 

Provider Endpoint Security

For the purposes of a telehealth discussion, the endpoints in question are primarily computers, mobile devices, and medical devices used by the provider and patient. When providing virtual care, providers can either be working at their office or remotely from their homes. Patients, will, of course, be at home or at another remote location.

When providers are working at a medical facility and accessing the network via a corporate network, at least one side of the equation is more protected. However, when healthcare employees are working remotely, they are navigating some of the same sources of insecurity experienced on the patient side. Regardless, the healthcare provider side of the equation is still a bit easier to manage through policies and practices instead of relying solely on the recommendations shared with patients.

When working remotely, healthcare providers need to follow good cybersecurity practices, like keeping apps and operating systems updated, accessing the network via a VPN, using multifactor authentication, and other practices of this nature. Additionally, whether working remotely or in the office, endpoint detection and response is a must.

Endpoint detection and response uses cloud intelligence combined with a white list and blacklist and advanced static prevention to identify threats. Upon execution, the robust endpoint detection and response uses dynamic malware and exploit detection to stop threats in their tracks. When breaches do occur, EDR mitigates and restores functionality with one-click or automated remediation. Therefore, instead of staring at a computer screen displaying a ransomware demand, they can simply roll back to the pre-attack state and resume work.

Patient Endpoint Security

As mentioned, many of the current cybersecurity healthcare standards are designed for a protected network environment, like a hospital or medical office. Patients’ internet connections are not generally designed with this level of security. Unlike remote employees, healthcare providers cannot require patients to take security measures, but there are steps that can be taken:

  • Educate patients about telehealth cybersecurity threats
  • Recommend patients use a VPN during telehealth services and for medical device usage
  • Utilize multifactor authentication
  • Encourage patients to frequently update all apps and operating systems 
  • Suggest they use anti-malware and antivirus software 
  • Help patients learn to recognize social engineering attacks

Data Encryption

When data is properly encrypted, even when cybercriminals breach telehealth defenses, encrypted health information is of no or little use without the encryption key. 

Encryption must be applied to both the stored patient data and to patient data while it is being transmitted:

  • Data encryption at rest protects patient data when it is stored in the cloud or on the premises 
  • Data encryption in transit secures patient data when it’s transmitted using in-transit encryption standards, such as SSL/TLS certificates

 

Out of necessity, telehealth adoption accelerated very rapidly, particularly during the early onset of the COVID-19 pandemic. While patients are returning to healthcare facilities for in-person visits, increased telehealth usage is here to stay. Therefore, healthcare organizations must revisit their cybersecurity practices to ensure they have the defenses needed for safe and secure operations. If SilverSky can help, don’t hesitate to contact us.

 

Sources:

  1. “Virtual visits hit record usage with 149-times increase during first wave of COVID-19,” Healthcare Purchasing News, August 10, 2020
  2. McKinsey COVID-19 Physician Survey, May 2020
  3. Medicare telemedicine healthcare provider fact sheet, March 17, 2020, cms.gov

 

Security Engineer Administrator
SilverSky offers a comprehensive suite of products and services that deliver unprecedented simplicity and expertise for compliance and cybersecurity programs.

Previous

Next

Managed Detection and Response

Comprehensive solutions to detect, prioritize, and address security incidents.

Managed Security Services

24 X 7 X 365 monitoring, management, and system maintenance.

OPTIONS:

Managed Endpoint Detection and Response

Protects against all threat vectors.

Email Protection Suite

Monitor and manage your email environment with advanced email security and compliance protections.

Cloud Email and Collaboration

Cloud office productivity enhanced with proven security and compliance protection.

How does SilverSky's integrated stack of solutions meet your needs?

Compliance and Risk Services

Assess your program and controls, benchmark and identify areas for improvement. Develop your security roadmap for investment and improvements. Effectively measure ROI and impact on your security posture

Incident Response Readiness

Incident Response Plan Development / Review. Incident Response Readiness Review. Emergency Incident Response.

Discuss your compliance, risk management and incident response readiness needs.

Schedule Free 1-on-1 Consultation

Financial Services

1,500+ small & mid-sized financial institutions rely on SilverSky to meet and exceed FFEIC, GLBA and PCI DSS requirements and overall cybersecurity needs.

Healthcare

Hundreds of small & mid-sized healthcare organizations rely on SilverSky to address HIPAA and other regulatory requirements and serve overall cybersecurity needs.

Retail

Small and mid-sized retail organizations count on SilverSky to maintain PCI DSS requirements, secure customer data and reduce cybersecurity threats.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Resources

White papers, guides, tools, on-demand webinars, case studies and more. Explore a range of topics. 

Events & Webinars

Blog

Product Sheets

SilverSky product and services information at your fingertips. Product data sheets, compliance matrixes, & brochures.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Become A Partner

Partner with SilverSky to tap into the approaching $300 billion+ cybersecurity market.

Talk to one of our partner managers and consider expanding your cybersecurity offerings.

Schedule Partner Exploration Discussion

Share This