Virtual visits to healthcare providers offering nonemergency services hit record usage as the COVID-19 pandemic took hold. From March through May 2020, telehealth visits ran at 149 times the weekly average of the preceding nine pre-pandemic months.[1]
This rapid growth should not come as a surprise: during the heart of the shutdown, many healthcare providers were not seeing patients in their offices. Yet even as states began reopening in May, telehealth visits in the final week of May 2020 still registered 77 times the pre-pandemic baseline.[1]
Looking at the data another way, 11 percent of US consumers used telehealth in 2019, versus 46 percent in 2020. Before COVID-19, telehealth providers achieved approximately $3 billion in annual revenue.[2] With the accelerated adoption of telehealth by patients and providers, up to $250 billion of current US healthcare expenditures could become virtual.[3]
Rapidly Deployed Telehealth Services
Healthcare providers, diagnostic equipment manufacturers, medical device makers, and telehealth platform providers operate under a web of regulations and guidance documents. HIPAA tends to get the spotlight in the healthcare space, but the Department of Health and Human Services and the Food and Drug Administration issue other regulations and guidance as well, and these sit alongside widely accepted cybersecurity best practices.
Because of the sudden pandemic-related restricted-movement orders issued by state and local governments, on March 18, 2020, the HHS Office for Civil Rights (OCR) announced that, for the duration of the public health emergency, it would not impose penalties for HIPAA noncompliance against providers delivering telehealth in good faith through non-public-facing remote communication products, even where those products did not fully meet HIPAA requirements. This allowed providers to tap into popular teleconferencing services, such as Zoom, Skype, Microsoft Teams, and others.
While the industry needed to do whatever was necessary to safely serve patients in the early days of the pandemic, the rapid, widespread rollout of telehealth platforms and services expanded the attack surface and introduced weaknesses that must now be addressed.
Strengthening Telehealth Cybersecurity
While the overall healthcare cybersecurity landscape is complex, telehealth cybersecurity comes down to three areas: endpoint security on the provider side, endpoint security on the patient side, and the security of patient data, both while it is transmitted and while it is stored.
Provider Endpoint Security
For the purposes of a telehealth discussion, the endpoints in question are primarily the computers, mobile devices, and medical devices used by the provider and the patient. When providing virtual care, providers may be working at their office or remotely from their homes. Patients will, of course, be at home or at another remote location.
When providers work from a medical facility on the organization's managed network, at least one side of the session is under enterprise controls. When healthcare employees work remotely, however, they face many of the same sources of insecurity as the patient side. Even so, the provider side remains easier to manage, because the organization can enforce policies and practices rather than relying solely on the recommendations it shares with patients.
When working remotely, healthcare providers need to follow good cybersecurity practices: keeping applications and operating systems updated, reaching the organization's network only through a VPN, using multifactor authentication, and so on. Whether they work remotely or in the office, endpoint detection and response (EDR) is a must.
EDR combines cloud threat intelligence with allow lists and deny lists and static analysis of executables to stop known and obviously malicious code before it runs. Once a program is executing, EDR applies dynamic malware and exploit detection, watching behavior rather than signatures, so it can stop threats whose hashes have never been seen before. When an attack does get through, a capable EDR platform isolates the host and restores functionality with one-click or automated remediation, and some products can roll affected files back to their pre-attack state. So instead of a clinician staring at a screen displaying a ransomware demand, the organization can recover the endpoint and resume work. Rollback depends on the product having protected its own copies of the affected files, however, and is a complement to tested, offline backups rather than a substitute for them.
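To make the staging concrete, the following is an added example written for this article; it is not SilverSky's product code or any vendor's engine. It models the pre-execution stages (deny list, allow list, static check) and one post-execution behavioural rule over constructed process and file-rename events. The hashes, paths, and the "unsigned binary in a user-writable directory" and "mass rename to one new extension" rules are illustrative assumptions, not a description of any particular product.

```go
// Added example, not SilverSky's product code: a toy model of the staged
// detection the text describes for endpoint detection and response. All
// hashes, paths and events below are constructed for illustration.
package main

import (
	"fmt"
	"path"
	"strings"
)

// ProcessEvent is a constructed, simplified process-start record.
type ProcessEvent struct {
	Image  string // full path of the executable
	SHA256 string // hash of the executable, as reported by the sensor
	Signed bool   // whether the binary carries a valid code signature
}

// FileEvent is a constructed, simplified file-rename record.
type FileEvent struct {
	Image   string // executable that performed the rename
	OldPath string
	NewPath string
}

// Verdict is the pipeline's decision for an executable.
type Verdict string

const (
	Allowed          Verdict = "allowed (allow list)"
	BlockedDenyList  Verdict = "blocked (deny list)"
	BlockedStatic    Verdict = "blocked (static prevention)"
	BlockedBehaviour Verdict = "blocked (behavioural detection)"
	Clean            Verdict = "no finding"
)

// Hypothetical reputation data; a real EDR pulls this from cloud intelligence.
var allowList = map[string]bool{
	strings.Repeat("11", 32): true, // constructed: the approved telehealth client
}
var denyList = map[string]bool{
	strings.Repeat("22", 32): true, // constructed: a known malware sample
}

// userWritable lists locations from which an unsigned executable is treated
// as suspicious by the static stage, before it is allowed to run.
var userWritable = []string{"/tmp/", "/home/", "/var/tmp/"}

// preExecution runs the stages that decide whether a binary may start at all.
// A deny-list hit wins over everything, an allow-list hit skips static
// analysis, and only unknown binaries reach the static check.
func preExecution(ev ProcessEvent) Verdict {
	h := strings.ToLower(ev.SHA256)
	if denyList[h] {
		return BlockedDenyList
	}
	if allowList[h] {
		return Allowed
	}
	if !ev.Signed {
		for _, dir := range userWritable {
			if strings.HasPrefix(ev.Image, dir) {
				return BlockedStatic
			}
		}
	}
	return Clean
}

// behavioural models the dynamic stage that runs after execution: a process
// that renames at least threshold files to one new extension looks like
// ransomware encrypting data, whatever its hash says.
func behavioural(image string, events []FileEvent, threshold int) Verdict {
	perExt := map[string]int{}
	for _, f := range events {
		if f.Image != image {
			continue
		}
		oldExt, newExt := path.Ext(f.OldPath), path.Ext(f.NewPath)
		if newExt != "" && newExt != oldExt {
			perExt[newExt]++
		}
	}
	for _, n := range perExt {
		if n >= threshold {
			return BlockedBehaviour
		}
	}
	return Clean
}

func main() {
	// Constructed scenario: an unknown, signed binary passes the pre-execution
	// checks and then mass-renames patient documents.
	proc := ProcessEvent{Image: "/usr/local/bin/updater", SHA256: strings.Repeat("33", 32), Signed: true}
	fmt.Println("pre-execution:", preExecution(proc))
	var renames []FileEvent
	for i := 0; i < 6; i++ {
		old := fmt.Sprintf("/home/clinician/patients/note%d.docx", i)
		renames = append(renames, FileEvent{Image: proc.Image, OldPath: old, NewPath: old + ".locked"})
	}
	fmt.Println("behavioural:", behavioural(proc.Image, renames, 5))
}
```

The point of the scenario in `main` is the one the paragraph makes: the updater's hash is on neither list and it is signed, so nothing pre-execution can object, and only the behavioural stage catches it. Rollback is deliberately not modeled here; it depends on the product's own protected file copies.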
Patient Endpoint Security
As noted above, many current healthcare cybersecurity standards assume a protected network environment, like a hospital or medical office. Patients' home internet connections are not designed to that standard. Unlike with remote employees, healthcare providers cannot require patients to take security measures, but there are steps providers can take:
- Educate patients about telehealth cybersecurity threats
- Recommend that patients use a VPN for telehealth sessions and connected medical devices when on untrusted networks; a VPN shields traffic from the local network but does not replace encryption within the telehealth application itself
- Require multifactor authentication on the patient portal and telehealth application
- Encourage patients to keep all apps and operating systems up to date
- Suggest anti-malware and antivirus software on the devices used for visits
- Help patients learn to recognize social engineering attacks, such as phishing emails or calls claiming to be from the provider's office
Patient Data Encryption
When data is properly encrypted, even if cybercriminals breach telehealth defenses, the encrypted health information is of little or no use to them without the encryption key. That makes key management the crux: keys must be stored and controlled separately from the data they protect, or the encryption protects nothing.
Encryption must be applied both to stored patient data and to patient data while it is being transmitted:
- Encryption at rest protects patient data stored in the cloud or on premises, typically with a modern symmetric cipher such as AES
- Encryption in transit protects patient data as it moves between patient, provider, and platform, using TLS 1.2 or later; SSL and early TLS versions are deprecated and should be disabled, and certificate validation must stay enabled
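The following added example (written for this article, not code from the original page or from SilverSky) shows what the two bullet points above look like in practice: a patient record encrypted at rest with AES-256-GCM using envelope encryption, so the stored row is opaque without a key-encryption key held elsewhere, and the TLS floor a telehealth service should set for data in transit. The key-encryption key, record identifier, and JSON record are constructed for illustration; in production the key-encryption key would come from an HSM or cloud KMS.

```go
// Added example, not from the original article: encryption at rest for a
// patient record using AES-256-GCM with envelope encryption, plus the TLS
// settings to insist on for data in transit. Keys and the sample record
// are constructed for illustration.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is what gets stored. Without the KEK it is opaque.
type EncryptedRecord struct {
	WrappedDEK []byte // per-record data key, encrypted under the KEK (nonce prepended)
	Ciphertext []byte // record, encrypted under the data key (nonce prepended)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag. The
// aad (here the record ID) binds the ciphertext to its row, so a ciphertext
// cannot be silently swapped into another patient's record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM's authentication tag makes any tampering fail.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// EncryptRecord generates a fresh 256-bit data key for this record, encrypts
// the record under it, then wraps the data key under the KEK. The KEK is the
// only long-lived secret and must live outside the database (HSM or KMS).
func EncryptRecord(kek []byte, recordID string, plaintext []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, recordID string, rec EncryptedRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

// TransitConfig is the TLS configuration for the service's own listeners:
// TLS 1.2 as the floor (SSL and TLS 1.0/1.1 are deprecated), certificate
// verification left on. Go negotiates TLS 1.3 where the peer supports it.
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12} // InsecureSkipVerify stays false
}

func main() {
	kek := make([]byte, 32) // constructed: in production fetched from an HSM or KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "visit-0001", []byte(`{"patient":"constructed sample","visit":"2020-05-12"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext starts %x... and is opaque without the KEK\n", rec.Ciphertext[:8])
	back, err := DecryptRecord(kek, "visit-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted with KEK:", string(back))
	fmt.Printf("TLS floor for listeners: 0x%04x\n", TransitConfig().MinVersion)
}
```

Two properties are worth noticing. A database dump yields only wrapped data keys and ciphertext, so the breach scenario in the text (attacker gets the data, not the key) really does leave the attacker with nothing. And because the record ID is authenticated data, decryption fails if a ciphertext is moved to a different record or altered in any byte, so integrity comes along with confidentiality.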
Out of necessity, telehealth adoption accelerated rapidly, particularly at the onset of the COVID-19 pandemic. While patients are returning to healthcare facilities for in-person visits, increased telehealth usage is here to stay. Healthcare organizations must therefore revisit their cybersecurity practices to ensure they have the defenses needed for safe and secure operations. If SilverSky can help, don't hesitate to contact us.
[1] “Virtual visits hit record usage with 149-times increase during first wave of COVID-19,” Healthcare Purchasing News, August 10, 2020
[2] McKinsey COVID-19 Physician Survey, May 2020
[3] Medicare telemedicine healthcare provider fact sheet, cms.gov, March 17, 2020