
3 Privacy Pitfalls of Telehealth and 4 Best Security Practices

Digital connectivity and big data are powerful allies, especially when it comes to connecting citizens with vital services like health care.

The COVID-19 pandemic has made online communication and digital infrastructure even more vital and potentially life-saving. Preventing the spread of the disease through social distancing means more patients than ever are keeping in touch with doctors and other health specialists over the internet.

Telehealth is nothing new, but the significant uptick in usage amplifies both its importance and its potential drawbacks. This post covers some of the security pitfalls of services like these and the best practices users and providers should adopt to keep each other safe.


1. Social Engineering Campaigns

Social engineering campaigns were around long before COVID-19 became a pandemic. Unfortunately, bad actors have been all too willing to exploit the confusion and desperation brought on by economic hardship and the newfound reliance on telehealth and digital communications.

The Better Business Bureau has reported rising numbers of scammers posing as Department of Health and Human Services (HHS) workers. These scams involve “health care workers” promising “free” or “mandatory” online testing for COVID-19 or even “financial relief” for health insurance customers. Customers may be prompted to hand over personal information or follow a link, which typically leads to an installer for malware or spyware.

To fight social engineering attempts, health care providers must be clear with customers about the methods they’ll use to get in touch, such as dedicated patient portal apps. If customers receive a suspicious call or text message, they should hang up and then use their provider’s official number to verify whether the call or message was legitimate.

2. IoT-Based DDoS Attacks

One of the key features of telehealth is the use of networked patient health monitoring devices powered by the Internet of Things (IoT).

Patients who cannot physically travel to a doctor’s office, as well as people who are not currently ill but remain at a heightened risk of illness, are making increased use of remote monitoring devices. They use these tools to track their vital signs, alert medical staff, and watch for emerging symptoms of illness.

This phenomenon raises worries about Distributed Denial of Service (DDoS) attacks on providers. DDoS attacks involve bad actors hijacking networks of internet-connected devices and using them to overwhelm the digital infrastructure of a health care provider. In ransom-motivated attacks, the downtime continues until the provider pays to have connectivity restored.

Before a health care organization begins using IoT devices to provide remote services, it must be sure the tools were built in compliance with leading software and hardware security standards. Providers’ IT departments can familiarize themselves with guidance from the Internet Engineering Task Force as well as the National Institute of Standards and Technology.

3. Data Loss and a Lack of Disaster Protection

Telehealth platforms deliver convenience for patients and health care institutions. Of course, the digital nature of telemedicine apps, patient portals, and electronic patient health information (ePHI) makes them even more vulnerable than paper-based records.

There is a reason why health care privacy laws require comprehensive data backup protocols for health care providers. But even with these requirements, some providers still experience huge setbacks and public embarrassment in the form of data loss. These situations can be caused by natural disasters as well as data ransom campaigns.

For a case study, we can look at FABEN Obstetrics and Gynecology in Jacksonville, Florida. FABEN had patient data for more than 6,000 individuals held to ransom after hackers infiltrated their system, encrypted their patient records, and then attempted to extort payment in return for restored access.

FABEN didn’t have a data backup system in place, which means years’ worth of files encrypted by the hackers, including names, diagnoses, and other sensitive patient information, were lost forever. Health care privacy guidelines exist precisely to prevent this type of loss. Among other things, privacy regulations require health care providers to keep comprehensive, encrypted data backups of all ePHI in an offsite location. Doing so prevents losing access during ransom attempts and protects against losses from natural disasters.
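The FABEN case turns on one question: when the primary copy is encrypted by an attacker, does a restorable copy exist somewhere else? The script below is an added example (not code from the article or from any provider it mentions) showing the part of a backup routine that is most often skipped: hashing every file into a manifest, hashing the archive itself, and then proving the archive actually restores by extracting it into a scratch directory and re-checking each file. The directory layout, file contents and the `ephi-backup.tar.gz` / `manifest.json` names are constructed for the demo; encrypting the archive and shipping it off-site are left to the provider's tooling, since those steps depend on the key management system in use.

```python
"""Added example (not from the article): archive a record directory, write a
SHA-256 manifest, and verify the backup by performing a real test restore.
The sample records and file names below are constructed for the demo."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir: Path, backup_dir: Path) -> Path:
    """Archive source_dir into backup_dir and write a manifest beside it.

    The manifest records the hash of every file and of the archive itself, so
    tampering or silent corruption is detected before the backup is needed.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "ephi-backup.tar.gz"  # constructed archive name
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    file_hashes = {
        str(p.relative_to(source_dir)): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }
    manifest = {"archive_sha256": sha256_file(archive), "files": file_hashes}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(backup_dir: Path) -> bool:
    """Check the archive hash, then restore into a scratch directory and
    compare every restored file against the manifest. A backup that has never
    been restored is only a hope, not a backup."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    archive = backup_dir / "ephi-backup.tar.gz"
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False  # archive altered or corrupted since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # Newer Pythons can refuse members that escape the target dir.
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = Path(scratch)
        for rel, expected in manifest["files"].items():
            target = restored / rel
            if not target.is_file() or sha256_file(target) != expected:
                return False
    return True


def demo() -> dict:
    """Constructed demo: back up a fake record set, verify it, then corrupt the
    archive and show that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "p001.json").write_text(
            '{"name": "Example Patient", "dx": "constructed sample"}'
        )
        (src / "notes.txt").write_text("constructed sample note\n")
        dest = Path(tmp) / "offsite"
        archive = make_backup(src, dest)
        verified = verify_backup(dest)
        with open(archive, "ab") as fh:
            fh.write(b"\x00")  # simulate corruption in transit or at rest
        verified_after_corruption = verify_backup(dest)
    return {"verified": verified, "verified_after_corruption": verified_after_corruption}


if __name__ == "__main__":
    print(demo())
```

The restore step is deliberately a full extraction rather than a header listing: ransomware, disk faults and broken transfer jobs all produce archives that list fine but do not restore. Scheduling `verify_backup` to run against the off-site copy, and alerting when it returns `False`, is what turns a backup policy into disaster protection.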

Security Best Practices for Telehealth

As we’ve seen, adopting and using telehealth portals and electronic patient records carries plenty of risk.

These incidents aren’t a reason for patients of health care facilities to avoid such products, however. Telehealth, cloud computing, and collaboration software keep patients, doctors, treatment teams, sales and billing departments, and many other parties on the same page even when they can’t meet in person.

Luckily, both providers and patients can take action to keep themselves, their data, and their platforms safe:

1. Update All Software

One of the best defenses against emerging threats is to keep all software and hardware, including patient portals, medical devices, and institutional applications, up to date. The best telehealth technology providers take existing and novel threats seriously and work quickly to push updates to patients and providers to keep them safe.

Health care providers must work to understand how these updates are applied. If there’s an option for automatic updates, take advantage of it.

Ideally, telehealth technology providers won’t require much, if any, system downtime to apply a security patch. The fear of rendering services unreachable during software updates is one of the leading reasons why companies and institutions delay patching their technology.

2. Secure Local Administrator Accounts

Local workstations and administrator accounts are some of the most tempting targets for hackers. They’re also a weak link for insiders who want to make off with sensitive provider or patient information.

Hospitals and other health care facilities with local administrator accounts should consider implementing random passwords. These passwords should also be set to automatically rotate so that, if they do fall into the wrong hands, the system doesn’t remain vulnerable for long.
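To make the two recommendations above concrete, here is an added example (not code from the article or from any vendor) of how a small rotation job decides which local administrator accounts are overdue and generates their replacement passwords from the operating system's cryptographically secure random source via Python's `secrets` module rather than `random`. The account names, timestamps and the 30-day maximum age are constructed for the demo; where the new password is stored (a vault or LAPS-style directory attribute) is outside the snippet.

```python
"""Added example (not from the article): CSPRNG-backed local-admin passwords
and a rotation check. Account names and the 30-day policy are constructed."""
import math
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Character set for generated passwords; 76 symbols, so each character
# contributes log2(76) ~ 6.25 bits of entropy.
PUNCTUATION = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + PUNCTUATION


def generate_password(length: int = 24) -> str:
    """Random password drawn with `secrets` (never `random`), resampled until it
    contains at least one lower, upper, digit and punctuation character so it
    also satisfies typical complexity rules."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (
            any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in PUNCTUATION for c in candidate)
        ):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(len(alphabet))


def rotation_due(last_rotated: datetime, now: datetime, max_age_days: int = 30) -> bool:
    """True once a password has been in use for max_age_days or longer."""
    return now - last_rotated >= timedelta(days=max_age_days)


def accounts_due_for_rotation(
    accounts: Dict[str, datetime], now: datetime, max_age_days: int = 30
) -> List[str]:
    """Names of accounts whose password age has reached the policy limit."""
    return sorted(
        name for name, ts in accounts.items() if rotation_due(ts, now, max_age_days)
    )


def rotate(accounts: Dict[str, datetime], now: datetime, max_age_days: int = 30) -> Dict[str, str]:
    """Generate a fresh password for every overdue account and stamp the
    rotation time. Returns {account: new_password}; a real job would hand each
    value to the vault and the host, never print or log it."""
    fresh = {}
    for name in accounts_due_for_rotation(accounts, now, max_age_days):
        fresh[name] = generate_password()
        accounts[name] = now
    return fresh


if __name__ == "__main__":
    # Constructed inventory: three workstations with different password ages.
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    inventory = {
        "WS-RADIOLOGY-01": now - timedelta(days=45),
        "WS-FRONTDESK-02": now - timedelta(days=3),
        "WS-BILLING-07": now - timedelta(days=30),
    }
    rotated = rotate(inventory, now)
    print("rotated:", sorted(rotated))  # names only; never print the secrets
    print("entropy per 24-char password: %.1f bits" % entropy_bits(24))
```

Randomness is the easy half of the recommendation; the hard half is that a rotated password is useless if the new value is not delivered to every place that needs it and recorded so the next run can measure its age, which is why the job updates the timestamp only for accounts it actually rotated.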

3. Activate Multi-Factor Authentication

User identification is vital on both the provider’s and the patient’s side of telehealth services, and reliable identification is what makes multi-factor authentication crucial. Multi-factor authentication, commonly implemented as two-factor authentication (2FA), requires a password, as usual, as well as a one-time code sent to a secondary account or device.

The concept applies to logins on mobile devices, workstations, and telehealth software and apps. Even if the provider’s or patient’s password is compromised, 2FA ensures a bad actor also needs physical access to the other device or account before they can successfully log in.

4. Seek Recommendations and Read Reviews

The last few years have seen an explosion in the number of companies offering telemedicine solutions and secure communication platforms for patients, practices, hospitals, and health insurance providers.

Not all of these services were built with the same attention to detail, nor the same level of security-mindedness. That is why it’s necessary to seek out recommendations from peers and institutions. IT specialists and other decision-makers must do thorough research before adopting a new piece of software.

Recommendations and reviews can separate the better providers from those that may not have put security first in their product designs.

An Ounce of Prevention

As the saying goes, an ounce of prevention is worth a pound of cure. With these risks and best practices in mind, patients and the providers they rely on can continue engaging in long-distance care while minimizing their threat surface.

About the Author: Jenna Tsui

Co-editor and owner of The Byte Beat. I’m a journalist and freelancer who specializes in technology, sustainability, consumer trends, and more. Please reach out with any writing opportunities – I’d love to collaborate!
