3 Privacy Pitfalls of Telehealth and 4 Best Security Practices
The COVID-19 pandemic has made online communication and digital infrastructure even more vital and potentially life-saving. Preventing the spread of the disease through social distancing means more patients than ever are keeping in touch with doctors and other health specialists over the internet.
Telehealth is nothing new, but the significant uptick in usage amplifies both its importance and potential drawbacks. This post is about some of the security pitfalls of services like these and provides the best practices users and providers must begin using to keep each other safe.
1. Social Engineering Campaigns
The Better Business Bureau has reported rising numbers of scammers posing as Department of Health and Human Services (HHS) workers. These scams involve “health care workers” promising “free” or “mandatory” online testing for COVID-19 or even “financial relief” for health insurance customers. Customers may be prompted to hand over personal information or follow a link, which usually leads to an installation file for malware or spyware.
To fight social engineering attempts, health care providers must be clear with customers about the methods they’ll use to get in touch, such as dedicated patient portal apps. If customers receive a suspicious call or text message, they should hang up and then use their provider’s official number to verify whether the call or message was legitimate.
2. IoT-Based DDoS Attacks
Patients who cannot physically travel to a doctor’s office, as well as people who are not currently ill but remain at a heightened risk of illness, are making increased use of remote monitoring devices. They use these tools to track their vital signs, alert medical staff, and watch for emerging symptoms of illness.
This phenomenon raises worries about Distributed Denial of Service (DDoS) attacks on providers. DDoS attacks involve bad actors hijacking networks of internet-connected devices and using them to overwhelm the digital infrastructure of a health care provider. The downtime continues until the provider pays a ransom to restore connectivity.
Before a health care organization begins using IoT devices to provide remote services, it must be sure the tools were built in compliance with leading software and hardware security standards. Providers’ IT departments can familiarize themselves with guidance from the Internet Engineering Task Force as well as the National Institute of Standards and Technology.
3. Data Loss and a Lack of Disaster Protection
There is a reason why health care privacy laws require comprehensive data backup protocols for health care providers. But even with these requirements, some providers still experience huge setbacks and public embarrassment in the form of data loss. These situations can be caused by natural disasters as well as data ransom campaigns.
For a case study, we can look at FABEN Obstetrics and Gynecology in Jacksonville, Florida. FABEN had patient data for more than 6,000 individuals held to ransom after hackers infiltrated their system, encrypted their patient records, and then attempted to extort payment in return for restored access.
FABEN didn’t have a data backup system in place, which means years’ worth of files encrypted by the hackers, including names, diagnoses, and other sensitive patient information, were lost forever.
Health care privacy guidelines exist precisely to prevent this type of loss. Among other things, privacy regulations require health care providers to keep comprehensive, encrypted data backups of all ePHI in an offsite location. Doing so prevents lost access during ransom attempts and potential losses from natural disasters.
Security Best Practices for Telehealth
These incidents aren’t a reason for patients of health care facilities to avoid such products, however. Telehealth, cloud computing, and collaboration software keep patients, doctors, treatment teams, sales and billing departments, and many other parties on the same page even when they can’t interface in person.
Luckily, both providers and patients can take action to keep themselves, their data, and their platforms safe:
1. Update All Software
Health care providers must work to understand how security updates for their telehealth software and devices are applied. If there’s an option for automatic updates, take advantage of it.
Ideally, telehealth technology providers won’t require much, if any, system downtime to apply a security patch. The fear of rendering services unreachable during software updates is one of the leading reasons why companies and institutions delay patching their technology.
2. Secure Local Administrator Accounts
Hospitals and other health care facilities with local administrator accounts should consider implementing random passwords. These passwords should also be set to automatically rotate so that, if they do fall into the wrong hands, the system doesn’t remain vulnerable for long.
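To make the rotation rule above concrete, here is an added example (not code from the original post) that generates random local administrator passwords from a CSPRNG and flags hosts whose password is older than a maximum age or has never been rotated. The seven-day rotation window, the 24-character length and the clinic inventory are constructed assumptions for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Hypothetical policy for this example: 24 random characters, rotated at least weekly.
PASSWORD_LENGTH = 24
MAX_PASSWORD_AGE = timedelta(days=7)
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def generate_admin_password(length: int = PASSWORD_LENGTH) -> str:
    """Return a random password drawn from a CSPRNG (the secrets module)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Require every character class so the password also satisfies
        # typical complexity rules enforced by directory policies.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(not c.isalnum() for c in candidate)):
            return candidate

def hosts_due_for_rotation(inventory: dict, now: datetime) -> list:
    """Hostnames whose password is older than MAX_PASSWORD_AGE or never rotated."""
    due = []
    for host, record in inventory.items():
        rotated_at = record.get("rotated_at")
        if rotated_at is None or now - rotated_at >= MAX_PASSWORD_AGE:
            due.append(host)
    return sorted(due)

def rotate(inventory: dict, host: str, now: datetime) -> str:
    """Set a fresh random password for one host and record when it happened.
    In a real deployment the secret is pushed to the host and stored in a vault,
    never kept in a plain dict as in this constructed example."""
    new_password = generate_admin_password()
    inventory[host] = {"rotated_at": now, "password": new_password}
    return new_password

# Constructed sample inventory: three workstations in a clinic.
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "nurse-station-01": {"rotated_at": SAMPLE_NOW - timedelta(days=2)},
    "reception-02": {"rotated_at": SAMPLE_NOW - timedelta(days=10)},
    "telehealth-cart-03": {"rotated_at": None},  # never rotated
}

if __name__ == "__main__":
    for host in hosts_due_for_rotation(SAMPLE_INVENTORY, SAMPLE_NOW):
        rotate(SAMPLE_INVENTORY, host, SAMPLE_NOW)
        print(f"rotated {host}")
```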
3. Activate Multi-Factor Authentication
Multi-factor authentication applies to logins on mobile devices, workstations, and telehealth software and apps. Even if the provider’s or patient’s password is compromised, 2FA ensures any bad actors require physical access to another device or account before they can successfully log in.
4. Seek Recommendations and Read Reviews
Not all of these services were built with the same attention to detail, nor the same level of security-mindedness. That is why it’s necessary to seek out recommendations from peers and institutions. IT specialists and other decision-makers must do thorough research before adopting a new piece of software.
Recommendations and reviews can separate the better providers from those that may not have put security first in their product designs.
An Ounce of Prevention
About the Author: Jenna Tsui
Co-editor and owner of The Byte Beat. I’m a journalist and freelancer who specializes in technology, sustainability, consumer trends, and more. Please reach out with any writing opportunities – I’d love to collaborate!