Social distancing and stay-at-home orders are designed to protect us from the spread of COVID-19, but what about patients who still require check-ups, post-hospitalization follow-ups, or continued monitoring for other conditions? Telehealth is a convenient solution.
VIRTUAL HEALING ON THE RISE
Telehealth is a broad term for healthcare delivered to patients remotely, or at a distance, using technology. Virtual care protects medical staff and patients by enabling continued check-ups through digital means such as video conferencing, apps, and mobile phones. It is crucial that protected health information (PHI) is managed securely and properly in telemedicine.
What are some types of Telehealth Services?
- Video Conferencing – a live, virtual doctor or healthcare professional visit.
- Store & Forward – collecting clinical information and sending it electronically to another site for evaluation such as medical records, diagnostics, lab results, or video files.
- Remote Patient Monitoring (RPM) – digital technologies that collect medical records and other forms of health data from individuals in one location and electronically transmit that information securely to healthcare providers in a different location for assessment and recommendations. [1]
- Mobile health (mHealth) – the use of mobile phones and other wireless technology in medical care.
Physician use of virtual visits doubled from 14% in 2016 to 28% in 2019 (before the COVID-19 pandemic), according to the AMA (American Medical Association). Some experts estimate virtual visits across the U.S. will rise from 50,000 to 100,000 daily. [2]
This innovative technology offers a more cost-efficient, safe method for continued care. Telehealth’s adoption will definitely increase, as the Center for Medicare and Medicaid Services (CMS) recently expanded its reimbursement coverage. [3]
As we quickly engage new technologies to help the world adapt to our new normal, we must also make sure we are still taking cyber care of our compliance and security requirements.
DIAGNOSING THE NEW RISKS
New technologies also bring new vulnerabilities. Healthcare professionals that offer this service must apply more safeguards to keep electronic protected health information (ePHI) secure, private, and HIPAA compliant. Many organizations that offer telehealth apply security controls such as encryption or a secure peer-to-peer connection, while not storing any video of the visits.
Existing Telehealth Providers
As a best practice, if you are a telehealth institution, review your existing virtual care security protocols and consider new security issues – your risk profile has most likely changed. Key considerations to review, and solutions that can address them:
| SECURITY CHALLENGE | TREATMENT & SOLUTION |
| --- | --- |
| Is the telehealth service managed by a third-party provider? Do you have a Business Associate Agreement (BAA)? | Third-Party Risk Management (TPRM); Penetration Testing |
| Can their existing systems manage the bandwidth of more remote workers, patients, and data? | Security Maintenance & Analysis |
| Who has access to the system and what rights does each user have? | Identity Access Management (IAM); Security Architecture Review |
| Does it integrate into the overall clinical workflow? How does it fit into the entire organization’s network? What systems connect? | Risk Assessment; Penetration Testing |
| Are the appropriate medical staff familiar with how to process a virtual appointment? What communications are sent on behalf of the institution to the patient (confirmation of appointment, satisfaction surveys)? | Security Awareness Training |
| What about BYOD (Bring Your Own Device)? | HIPAA Compliance; Policy & Procedures |
| What are the privacy requirements for a patient in California consulting a physician in another state? | HIPAA Compliance; Privacy Compliance |
| What is the process if our telehealth system or app gets hacked? | Incident Response Readiness; Forensic Services |
Exploring Telehealth as a Service
For health care institutions looking to expand their services to include telehealth, analyze your security profile and acceptable risk. Understand your institution’s business goals, your compliance and regulatory requirements, and your social responsibility to practice reasonable security.
DUTY OF CARE
Physicians take the Hippocratic oath to treat their patients to the best of their ability and preserve a patient’s privacy. As part of this promise, medical professionals rely on their IT team to administer reasonable and appropriate security controls to preserve patient ePHI. Telemedicine adds another layer of complexity to that pledge.
Your information security team has the crucial role of protecting your data with the proper infrastructure, tools, and resources to keep the network safe. They must apply a reasonable security strategy, one in which the burden of a safeguard does not outweigh the risk it addresses. Basically, the treatment must ‘do no harm’.
Where do you start? A good look at your existing security should be done periodically with a framework that encompasses your mission, business objectives, and obligations. Duty of Care Risk Analysis (DoCRA) provides a practical method to outline your risks and their likelihoods. This assessment allows you to prioritize your risks and identify resources required to address them. Results from the assessment are shown in a summary that is easily understood by all teams – C-Suite, IT, legal. DoCRA enables teams to secure the budget and resources required to keep patient data secure.
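As an added illustration (not part of the original article, and not the DoCRA standard's own tables or scales), here is a simplified risk-register calculation of the reasonableness test described above: a safeguard must bring the risk down to the acceptable level without being more burdensome than the risk it addresses. The 1–5 scales, the acceptable-risk threshold, and the three telehealth risks are constructed for the example.

```python
from dataclasses import dataclass

# Constructed, simplified scales (not the official DoCRA tables):
# impact and likelihood are 1..5, so a risk score is 1..25.
ACCEPTABLE_RISK = 6  # constructed threshold: scores at or below this are tolerable


@dataclass
class Risk:
    name: str
    impact: int       # 1 (negligible) .. 5 (severe harm to patients or mission)
    likelihood: int   # 1 (rare) .. 5 (expected)

    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass
class Safeguard:
    name: str
    burden: int               # cost/effort to the organization, on the same 1..25 scale
    residual_impact: int      # impact that remains once the safeguard is in place
    residual_likelihood: int  # likelihood that remains once the safeguard is in place

    def residual(self) -> int:
        return self.residual_impact * self.residual_likelihood


def is_reasonable(risk: Risk, sg: Safeguard, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """DoCRA-style test: residual risk must be acceptable AND the safeguard's
    burden must not exceed the risk it addresses ('do no harm')."""
    return sg.residual() <= acceptable and sg.burden <= risk.score()


def prioritize(risks):
    """Highest-scoring risks first, so budget and effort go to them."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed telehealth risk register: (risk, proposed safeguard) pairs.
REGISTER = [
    (Risk("Unvetted third-party telehealth vendor handles ePHI", impact=5, likelihood=3),
     Safeguard("BAA plus vendor risk review", burden=8, residual_impact=5, residual_likelihood=1)),
    (Risk("Clinician BYOD phone stores visit notes unencrypted", impact=4, likelihood=4),
     Safeguard("MDM with device encryption and remote wipe", burden=10, residual_impact=2, residual_likelihood=2)),
    (Risk("Patient sees appointment reminder on shared screen", impact=2, likelihood=2),
     Safeguard("Dedicated notification gateway", burden=12, residual_impact=1, residual_likelihood=1)),
]


def evaluate(register=REGISTER):
    """Return {risk name: (risk score, safeguard is reasonable?)} for the register."""
    return {r.name: (r.score(), is_reasonable(r, s)) for r, s in register}
```

The third entry shows the "do no harm" side of the test: the risk is already below the threshold, so a safeguard costing more than the risk itself is rejected as unreasonable.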
Proactive cyber care would holistically address security challenges instead of treating the symptoms; a routine check-up to ensure safeguards on medical records, infrastructure, staff cyber security awareness, and security policies are still effective. Overall, the best security treatment for evolving technologies is to continually balance your mission, objectives, and obligations to all facets of data management.
Enhance your security strategy for your new working environments while practicing ‘Duty of Care’.
1. Center for Connected Health Policy, Remote Patient Monitoring (RPM): https://www.cchpca.org/about/about-telehealth/remote-patient-monitoring-rpm
2. Syracuse.com, coronavirus coverage: https://www.syracuse.com/coronavirus/2020/03/coronavirus-way-of-life-doctors-patients-turn-to-telemedicine-like-never-before.html
3. CMS press release: https://www.cms.gov/newsroom/press-releases/president-trump-expands-telehealth-benefits-medicare-beneficiaries-during-covid-19-outbreak