In March 2020, the federal government took multiple steps to relax regulations for telehealth, enabling physicians to use consumer platforms such as FaceTime, Zoom, and Skype to perform telehealth visits as part of the response to the coronavirus pandemic. To support widespread adoption of telehealth during the pandemic, the Secretary of Health and Human Services also issued a limited waiver of Health Insurance Portability and Accountability Act (HIPAA) sanctions and penalties for the duration of the COVID-19 Public Health Emergency. The uptick in telehealth visits, shifting from in-person appointments, was unprecedented, and accomplished more in a matter of weeks than over a decade of telehealth lobbying; however, the sudden transition to such platforms, some of which are not inherently secure, and others of which do not have privacy protections adherent to HIPAA, has created a healthcare landscape rife with opportunity for breaches in patient privacy.
Introduced in the U.S. Senate in June, the Equal Access to Care Act would enable healthcare providers licensed in one state to practice telehealth in any other state. In mid-July, the bipartisan House Telehealth Caucus introduced the Protecting Access to Post-COVID-19 Telehealth Act which maintains and expands telehealth access in a post-COVID era and protects patients from figuratively “falling off the cliff” of virtual healthcare access when the public health crisis is behind us. The expiration date for telehealth regulatory relief is unknown, but, on July 23, 2020, the Secretary of Health and Human Services renewed the COVID-19 Public Health Emergency Declaration through at least October 23, 2020.
As telehealth settles in as a permanent fixture in the healthcare ecosystem, considerations about access and technologies will have to be balanced with increasing and maintaining security of electronic protected health information (ePHI) in this format. Natali Tshuva, CEO of the Internet of Things (IoT) security company Sternum, put it well in an interview when she said “PHI is only as secure as the weakest device, and the fast growth in medical IoT is only increasing the risks.”
Currently, HIPAA regulations specify that 1) PHI be encrypted upon collecting, storing and transmitting ePHI and accessible only to authorized individuals, and 2) accessing ePHI be via secure communication systems that can be monitored and remotely deleted of ePHI. These regulations only apply to “covered entities” including health care providers and insurers, but not to patients. As this applies to telehealth, where a promising feature is the accessibility a patient has from their home, there is inherent risk to ePHI in communicating over a patient’s potentially insecure device. Moreover, for non-HIPAA-compliant platforms being utilized to offer telehealth, it is unclear which file formats containing patient data are protected under HIPAA. Currently, most patient-facing telehealth interfaces prioritize usability and ease for patients across all ages and technology fluencies, which may compromise security and authentication.
Further, the Food and Drug Administration (FDA) has regulatory control over medical devices but does not regulate consumer-facing devices and apps that do not include an explicit clinical function. As these direct-to-consumer, remote patient monitoring (RPM) devices become mainstream, they will increasingly become paired as telehealth accessories. However, under their current framework, they are not restricted in collecting or sharing patient data (health, location, or home data) and are able to operate with long and loose privacy policies that require consumers to accept risks to their ePHI.
In 2017, long after Fitbit made news in 2011 for leaking self reported sexual activity online, researchers from the University of Edinburgh demonstrated multiple security threats including workarounds of their end-to-end encryption and intercepting data upon cloud storage on two Fitbit models. Further, devices such as insulin pumps and implantable pacemakers are vulnerable to hacking with potentially devastating consequences. In June, 2019, the FDA published a warning of the security vulnerabilities and issued a recall of specific Medtronic insulin pumps based on their interceptable wireless communication between devices. Shortly thereafter, the FDA released information on URGENT/11, a set of identified potential healthcare cybersecurity vulnerabilities of certain operating systems that can infiltrate downstream devices on the same networks, putting healthcare systems and PHI at risk. For reference, the updated 2018 cybersecurity recommendations from the FDA are available here.
Cybersecurity Attacks and Threats During the COVID Pandemic
Threats to digital privacy have not eased during the COVID pandemic, and by some measures, are increasing under relaxed privacy regulations. Whether through software glitches, or through malicious actors using ransomware or phishing tactics against hospitals, laboratories, physician offices, and pharmaceutical companies developing vaccines, there are pandemic-created opportunities that are being exploiting.
- On June 9th, a telehealth security breach attributable to a technology glitch occurred when users of the Babylon app (a health app with over 2.3 million users in the United Kingdom that facilitates video visits, health checks, and symptom checkers) temporarily resulted in the opportunity for patients to view other patients’ video encounters.
- In March, the U.S. Health and Human Services Department suffered a cyber attack that was identified before breaching any security networks or IT infrastructure but was intended on spreading misinformation about the COVID response.
- Hammersmith Medicines Research Laboratory and other health care systems, physicians offices, and testing laboratories have been prime targets for ransomware attacks that hold and lock patient data crippling workflows and threaten to make PHI public if ransom is not paid.
- Eleven health care systems reported data breaches related to malware or hacking incidents that compromised PHI in July 2020. Notably as many as 274,837 patient records were compromised by a malware attack of the Benefit Recovery Specialist system in Houston, Texas.
- The Rhode Island based healthcare system Lifespan settled with OCR for more than $1mil after an employee’s stolen laptop had 20,431 unsecured individuals’ PHI in the form of work emails. Further investigation revealed noncompliance with security measures including unencrypted work devices, insecure tracking of PHI on its network, and missing business associate agreements with affiliates.
What should patients do?
In a 2010 Health IT consumer survey, two-thirds of patients were worried about the privacy of their PHI when using an online health record. Notably, healthy individuals were more concerned about privacy compared to their counterparts with chronic conditions. Despite these perceived risks, and likely even more so under the circumstances of the COVID pandemic, patients are willing to compromise on security in order to achieve improved and continuous health care access. (1,2)
Whenever possible, patients should discuss using secure means of communicating with their healthcare providers. A list of HIPAA compliant and secure platforms commonly used for telehealth visits is shown in Table 1, from the U.S. Health and Human Services website:
Table 1. List of Telemedicine Video Platforms that are HIPAA Compliant
However, not all providers are using these HIPAA-compliant platforms. If a patient requires healthcare access, their healthcare needs may outweigh the perceived risks of a telehealth encounter. A first alternative still remains the telephone. Although a telehealth visit through video might be a nice way to connect with your physician, the added benefit of your physician seeing you may not always be necessary.
Guidance for the Present and Future
To move the needle towards a more secure telehealth and healthcare delivery system, the American Medical Association and the American Hospital Association have teamed up to offer guidance for providers and healthcare systems to secure home work environments and bring awareness to cyber phishing and malware attacks to their employees. Healthcare workers are typically under-aware of cybersecurity threats and should undergo annual formal cybersecurity training programs. Additionally, given the inherent vulnerability during the COVID pandemic, Microsoft has made its Account Guard service available through the pandemic to health care organizations, providers and device manufacturers for surveillance of cybersecurity attacks.
On a larger scale, National Cybersecurity Center of Excellence (NCCoE) and the National Institute for Standards and Technology (NIST) are collaborating with the public and private sectors on a Telehealth RPM Project to develop comprehensive security architecture for a Telehealth RPM ecosystem. It aims to build the architecture behind a telehealth RPM network in a lab based environment, implement the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), and identify and troubleshoot security vulnerabilities. The resultant template architecture with safeguards in place, the NIST Cybersecurity Practice Guide, will set industry security standards and will be made freely available to healthcare providers as well as telehealth developers as a roadmap to follow in order to secure and maintain patient integrity, telehealth functionality, patient confidentiality and protection of PHI.
As of July 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency announced it is working with experts to protect the nation’s critical healthcare infrastructure.
Cybersecurity in the telehealth and remote patient monitoring ecosystem needs to be proactive rather than reactive. There is a need to develop a set of security standards that are ubiquitous, end-to-end, and enforceable. To quote Natali Tshuva once again, “The rush to cybersecurity should be as fast as the rush to telemedicine.”
NODE.Health Foundation is a 501(c)(3) non-profit organization dedicated to education, validation and dissemination of evidence based digital medicine. As the largest professional association in digital medicine, NODE.Health empowers societies, executives and NODES from health systems, payers, life sciences, venture capital, startups and the public sector involved in healthcare digital transformation. NODE.Health does not endorse any specific products or services.
NODE.Health is pleased to cross post this article giving examples of recent developments in cybersecurity for telehealth security and maintenance. NODE.Health encourages its readers to be diligent with understanding the risks to telehealth from a cybersecurity perspective and to be diligent with the use of telehealth technology for both patients and providers. As more developments come out on cybersecurity steps for ensuring the safety of telehealth beyond the pandemic, NODE.Health will keep its readers informed about the latest happenings. Interested in learning more about the Network of Digital Evidence (NODE.Health) and becoming a member? Click here
- Vodicka E, Mejilla R, Leveille SG, Ralston JD, Darer JD, Delbanco T, Walker J, Elmore JG. Online access to doctors’ notes: patient concerns about privacy. J Med Internet Res. 2013 Sept 26;15(9):e208.
- Walker J, Ahern DK, Le LX, Delbanco T. Insights for internists: “I want the computer to know who I am”. J Gen Int Med. 2009 May,24(6):727–732.