Telemedicine: Good for patient safety, but what about security, privacy?

Taylor Armerding
Published in The Startup, Apr 20, 2020

Computers can’t provide every level of healthcare, but they can do a lot—especially when face-to-face meetings could be risky. Photo by John Schnobrich on Unsplash

Remote healthcare — telehealth or telemedicine — has been available for decades.

It just hasn’t been used very much.

Not because of technology limits. The biggest barrier? Money. Medicare wouldn’t cover it. Therefore, most insurers that modeled their policies on Medicare wouldn’t either. No face-to-face? No reimbursement.

But that barrier fell, at least temporarily, in mid-March, thanks to an ongoing health crisis that puts both patients and doctors at risk if they meet in person. Many insurers are even waiving copays.

Not surprisingly, telehealth spiked almost overnight. A research paper published in the Journal of the American Medical Association in November 2018 reported that between 2005 and 2017, just one of every 150 primary care doctor visits was conducted remotely. For specialists, the gap was one in every 5,000–10,000.

No more. The overall numbers are still being collected, but Teladoc Health, the largest U.S. provider of remote care, reports that its platform is being used for more than 100,000 appointments a week, up from about half that a month earlier.

Overall, CNBC said analysts anticipate telehealth “visits” of more than 200 million this year, almost six times the original projection for the year of 36 million.

Good and bad

Is that a good thing?

At many levels, yes. It is obviously impossible to deliver hands-on health care remotely — in many cases a doctor needs to probe and poke, and lab services might be required as well. But there is no reason a consultation, including deciding on a prescription, can’t be just as effective by phone or online.

The Boston Globe reported last week on a physician who was writing prescriptions for patients she had never met, who were homeless and addicted to opioids, after speaking with them via FaceTime. Telehealth makes even more sense for patients with more conventional health care needs, who have an ongoing relationship with a primary care doctor who knows their history.

It means no drive to the doctor’s office (better for the environment, no traffic gridlock), no sitting in a waiting room (more efficient) and no chance of picking up an infection in an environment that, no matter how hard the staff works at keeping things clean, is still a “germ factory.”

At a time when hospitals are banning visitors and postponing elective surgery, it makes even more common, and medical, sense.

So, what’s not to like?

Unfortunately, telehealth comes with the same risks that plague everything online. Hackers, from anywhere in the world, are constantly looking for enhanced opportunities to steal identity, financial credentials and personal information, including highly personal and confidential medical information.

And they see enhanced opportunity when something like telehealth ramps up as quickly as it has, on platforms that are scrambling to handle exponential increases in demand.

Especially when some of the heightened security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) are being relaxed.

An advisory March 30 from the federal Department of Health and Human Services (HHS) noted the temporary relaxation of some compliance standards during the pandemic, saying that as long as a medical provider uses a “non-public-facing” communication channel, there will be no penalties for “noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth.”

It “encourages” providers to “notify patients that these third-party applications potentially introduce privacy risks,” and says they should enable all “available” encryption and privacy modes on those platforms.

Normally, as the HIPAA Journal recently reported, “The channel of communication used for communicating ePHI [electronic personal health information] at distance … has to be HIPAA-compliant.”

To comply with HIPAA, the channel has to be secure enough to ensure that only authorized users have access to ePHI, that the “integrity” of the ePHI is protected and that there are no “accidental or malicious breaches.”

Security? Not so rigorous

That is a tall order — a very tall order, given that even online channels with rigorous security protocols are sometimes breached. And so far, videoconferencing security has never been described as rigorous.

The opposite, actually. A Twitter exchange from a couple of weeks ago had more than one security expert referring to the security of all videoconferencing platforms as “a dumpster fire.” Not that ePHI security with in-person care has been all that good. Hundreds of millions of records have been compromised during the past decade.

And of course, “non-public-facing” channels should help. HIPAA also still requires that providers use only messaging or communication services that have a business associate agreement (BAA) with the third party storing the data.

HHS listed 10 vendors that “represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.”

Those vendors include Skype for Business/Microsoft Teams, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet, Cisco Webex Meetings/Webex Teams, Amazon Chime, GoToMeeting and Spruce Health Care Messenger.

The advisory stressed that inclusion on the list is not “an endorsement, certification, or recommendation of specific technology, software, applications, or products.”

Still, all of this basically means that, at least for now, required security measures amount to some level of encryption and efforts to secure the endpoints, where telehealth transmissions begin and end.

Is that enough?

Not nearly, according to Ted Harrington, executive partner at Independent Security Evaluators and author of the forthcoming book “Hackable: How to Do Application Security Right.”

Plan for the worst

“If ever there was a succinct summary of the misperceptions about security, this would be it,” he said. “While encryption and endpoint security are critical components to an effective security strategy, they are not the entire strategy.”

That entire strategy, he said, has to include defense in depth, a paradigm that assumes a breach will happen and then implements mitigations to reduce both the likelihood and impact of an attack.

It also requires threat modeling, which “helps you enumerate what you are trying to defend, who you are defending against, and the attack surfaces where they will attack.”

And, as is preached at every security conference in the world, all systems, networks and applications need rigorous security testing. Harrington notes that it takes more than simply scanning for known vulnerabilities. “You need to abuse system functionality, daisy chain vulnerabilities, and seek the unknowns,” he said.

Indeed, the software on which the functionality of systems and apps is built should be tested from start to finish of the software development life cycle (SDLC), starting with architectural risk analysis, threat modeling, multiple kinds of analysis (static, dynamic, interactive) and finally penetration testing.

Chris Clark, senior manager at Synopsys, said he thinks some security measures will be a casualty of the current crisis, but he is optimistic that it may lead to long-term improvements in secure telehealth.

“With the impact of COVID-19, it is clear that action will override security, but as the crisis diminishes, actions that should have been taken will start to be applied,” he said. He thinks that while an event like this in the past might have been considered a “100-year event,” after which incentives to improve security would subside, “this event will be long-lasting, and the same care taken to secure medical networks and devices should be applied to remote and teleworks.”

Better hygiene

Clark said that in the short term, if medical providers simply use a virtual private network (VPN), “that should address many of the paths of basic attack. As the remaining cyber hygiene issues are discovered they will need to be addressed but will take time.”

Rehan Bashir, managing consultant at Synopsys, said another reason for long-term optimism is documented evidence of better protection of ePHI.

He said that according to HHS, the number of compromised ePHI records peaked in 2015 at more than 113 million and has declined since then.

“There is still a long road ahead as we enter the realm of telehealth, which will come with its own challenges,” he said. “There might again be a spike in breaches.”

But the decline since 2015 shows that it is not so much a matter of not knowing what to do as it is simply taking the time and spending the money to do it.

Clark said medical providers need to realize the technology used for telehealth “is an enterprise solution being used in a medical context. The organizations’ IT departments must take a much closer look at addressing cyber security needs and challenges.”

And that, Harrington said, means more comprehensive testing.

“Unfortunately, it’s hard to do security right — there’s no way around that,” he said. “Proper security testing takes time — usually weeks or months to perform the assessment, plus however long for the developers to implement the remediations.”

Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.