Telehealth services have been available for many years in the U.S., but their use had been limited by technological barriers, regulations and lack of coverage by insurers. Then came COVID-19, and telehealth usage exploded. From March to April 2020, telehealth use soared to as high as 80% of patient visits from less than 1%, according to data published on JAMA Network.
While virtual care visits have eased in the ensuing months, most providers intend to make telehealth an integral and permanent part of their care delivery strategy. Survey results from a HIMSS webinar last November show that 90% of responding providers intend to increase (or continue to increase) telehealth access. In addition, most organizations expect telehealth volume to increase post-pandemic by an average of 53%.
Hospitals and health systems are embracing telehealth because they’ve seen how well it works for their patients. Telehealth improves patient access to care, increases patient engagement and offers clinicians insights into a patient’s home environment, which can inform care decisions. Further, virtual care increases practice revenue and reduces costs to both patients and providers.
Hospitals and health systems also are being pressured by patients who expect telehealth services from their care providers delivered through multiple devices and communications tools. To ignore this market trend is to lose business to more consumer-friendly competitors. There are, however, important factors hospitals and health systems need to embrace to deliver secure virtual care services.
Cybersecurity Risks
As with any service connected to a network, virtual care can be vulnerable to a multitude of security risks. Healthcare providers experience a heightened risk from cybercriminals. Patients’ digitized financial and health information found in electronic health records (EHRs) includes medical records, Social Security numbers, credit card information and more. These are hot commodities for cyber thieves.
It is no coincidence that healthcare has higher costs associated with data breaches than any other industry. Each data breach costs an average of $7.13 million per incident, according to IBM Security’s 2020 data breach cost report. This is in comparison to the $3.86 million on average across all industries. Healthcare is a far more frequent target of cybercriminals, facing 2-3x more cyber attacks than other industries. Even worse, attacks against healthcare will rise substantially in 2021 as providers and other stakeholders conduct more business virtually.
One of the reasons healthcare breaches are so costly is the HIPAA penalties around failure to protect patient data. Fortunately for providers, the U.S. Office for Civil Rights in March 2020 said it would waive penalties for HIPAA noncompliance against providers leveraging popular teleconferencing apps such as Zoom and Skype. This decision, however, hardly means these apps aren’t vulnerable to hackers.
As its use becomes more common, telehealth presents an increasingly prevalent and tempting target for cybercriminals trying to steal data either to sell on the black market or hold for ransom. Healthcare organizations that quickly rolled out virtual care services in response to the pandemic without putting in place proper security and controls to protect patient data are particularly vulnerable to attacks from external threat actors and malicious insiders.
What can hospitals and health systems do to deliver secure virtual care services? They need to develop specific virtual care privacy and security strategies. Here are 5 key elements for healthcare organizations ramping up virtual care services to consider in devising an effective security strategy.
Protect the Crown Jewels
The first step is understanding 1) what is your most critical data, and 2) where it resides. For healthcare entities, patient data is of paramount importance. If you don’t know where your crown jewels are, you can’t protect them.
Continuous identity authentication ensures authorized individuals have access to data. Your organization can accomplish identity authentication through a variety of approaches.
Implement Proper Safeguards
The healthcare industry is notorious for poor attention to security. This is despite the fact that it is an increasingly likely target for breaches. If organizations can’t spend money on new infrastructure, they can nonetheless practice fundamental security hygiene. Ensuring out-of-date systems – which provide easy points of entry – are patched is one such method.
Multi-factor authentication, or the requirement of utilizing two pieces of evidence to sign in, is among the most common identity authentication approaches and has been proven effective in blocking 99.9 percent of all automated cyber-attacks.
Should an attacker succeed in gaining a foothold in the network, healthcare organizations must prevent access across their systems. Enacting safeguards such as privileged access and user authentication is the primary tactic for this purpose. Other technical security measures include encryption of data (at rest and in transit), redesigning data architecture around data flow, and providing security at the device level.
Train Patients to Be Security Aware
Telehealth multiplies the risk to healthcare data and IT systems because it creates additional points of entry into a network. Every patient’s virtual appointment presents a potential security vulnerability to hospitals and health systems.
While most of these videoconferencing services have tightened up security, patient devices still may lack basic security. Mobile devices, for example, rarely are equipped with antivirus or anti-phishing protection. It is in the interests of patients and providers that patients are informed and educated about potential security vulnerabilities surrounding virtual care and the steps they can take to help diminish these dangers. Additionally, using a VPN both during telehealth services and for general device usage will mitigate the risk of anyone exploiting new vulnerabilities.
Monitor and Test
Finding out your network was successfully breached two months ago is every hospital executive’s nightmare. Hospitals and health systems must be constantly vigilant against data theft. Their environments should be constantly monitored for unusual activity using a security information and event management (SIEM) tool that provides real-time analysis and security alerts.
Hospitals and health systems also should test their environments by emulating threats to determine where there are vulnerabilities. Such penetration testing allows organizations to identify and mitigate risks before hackers exploit them.
Build Security Awareness Internally
As mentioned above, malicious insiders are a threat to healthcare organizations. So too are employees who lack security training, regardless of their good intentions. Healthcare is “the only industry where insider threats are greater than threats from the outside,” according to a 2018 Verizon report. “Human error remains a major contributor to healthcare risks.”
Many breaches have occurred because a user inside an organization clicked on an email link that carried malware. This malware infected the user’s computer and eventually traversed the network. Reduce these incidents by providing security training to healthcare employees.
By following these security steps, healthcare organizations can better protect patient data while expanding virtual care services.
How we can help
We help you navigate the complexities of cybersecurity and risk management. You can rely on us to be your partner every step of the way. From helping you reduce the risk of ransomware attacks to protecting your EHR systems and more, we’re here for you.
Pivot Point Consulting and MorganFranklin, another Vaco company, are working together to help you minimize cyber disruption and damage to your IT function and business.
Laura Kreofsky, Senior Vice President of Strategy at Pivot Point Consulting, brings a wealth of expertise to her role leading Pivot Point Consulting’s Advisory practice. Over the past 27 years, she has led health IT planning, implementation and operations in the private and public sectors; working with and for academic medical centers, community hospitals, insurers, public health agencies and international clients. Her areas of focus include IT-enabled business strategy, IT operations and governance and industry regulations and reform.
Ferdinand Hamada brings more than 20 years of experience in cybersecurity and technology transformation within the life sciences space. Prior to joining MorganFranklin, a Vaco Company, he served as vice president of information technology and chief information security officer (CISO) at Catalent Pharma Solutions. Hamada also served for more than 10 years at KPMG Consulting, focusing on IT advisory for several of the nation’s top pharmaceutical clients. He began his career in various IT positions at Cardinal Health and Merck.