Physicians ‘have to be mindful’ of cybersecurity risks in telehealth
Click Here to Manage Email Alerts
Since the start of the COVID-19 pandemic, telehealth has been implemented by practices nationwide.
At this year’s American Telemedicine Association’s EDGE Conference, a panel of experts discussed the various security risks stemming from telehealth, how cybersecurity impacts clinical care and how to help ensure the security of telehealth.
“There’s all kinds of new technologies, innovative disruptive technologies being used in health care, and we embrace the benefits that they provide to patient safety and operational efficiency, but we also have to be mindful of some of the potential cybersecurity risks that can disrupt operations or, in fact, introduce potential patient harm,” Greg Garcia, executive director of cybersecurity at the Healthcare and Public Health Sector Coordinating Council and moderator of the panel, said.
Telehealth security risks
Christopher Logan, director of health care industry strategy at the software company VMware, said that while other industries such as banking and retail have long embraced the digital side of business, health care had faced barriers to doing so, including staffing, the hands-on culture in health care, costs of telehealth, lack of reimbursement for telehealth visits, internet access and patients’ digital literacy.
Although telehealth has been around for years, “COVID-19 truly was a catalyst,” Logan said.
“It really forced implementation of telemedicine adoption at a different pace and scale,” he said.
This introduced more privacy and security issues, as “health care already had a cyber target on its back for a number of different reasons,” Logan said.
These include the use of older technologies that are vulnerable to cybersecurity issues and digital medical records with patients’ identity documentation, which highlights the need to focus efforts on securing patient information.
Certain applications that can be used by both health care workers and patients present security issues as they provide a “gateway into both the patient and the provider,” Logan said.
“We really have to look, as an industry, to validate that the applications are meeting certain security standards,” he added.
Patients may have a “default sense of security” when using new devices or technology due to how often they use other digital technologies in their day-to-day lives, Logan said.
“We really need to get back to the basics in making sure that our consumers understand what the threats are to them as they’re coming in, and that we bear some of the brunt to make sure that they’re up to par with what they’re doing to take that service in,” he said. “At the end of the day, we all know that technology is going to fail — somebody’s out there trying to find a loophole, trying to find a new way into it. We have to continue blocking and tackling.”
Clinical impact of cybersecurity
Mark P. Jarrett, MD, MBA, chief quality officer and deputy chief medical officer at Northwell Health in New York, noted that the number of telehealth visits will probably not be as high as it was during the early days of the COVID-19 pandemic, but “the numbers will be dramatically, astronomically higher than they were before COVID-19 started.”
He also noted that cybersecurity concerns can differ based on the size of a practice. Large hospital systems have a cybersecurity teams that can help address threats, Jarrett said. Meanwhile, providers in medium and small practices “are basically out there on their own.”
These practices, he said, must choose a telehealth platform and learn how to use it.
Therefore, Jarrett stressed that moving forward, it is important to consider how small providers can use this technology, and to provide them support on what risks are associated with it.
Telehealth risks are also on the patient’s side, according to Jarrett, noting that their home wi-fi networks may not be secure.
Additionally, patients may be exposed to online scams that look like a telehealth platform but instead collects their health and personal information to sell or advise them to purchase products that could be unsafe.
“I don’t love over-regulation, but this is an area where we have to be careful because the patients will be hurt,” Jarrett said. “Cybersecurity is a patient safety issue, it’s not just a computer issue.”
Regulating telehealth
Jessica Wilkerson, a cyber policy adviser in the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health, said the FDA does not directly regulate telehealth — a department within HHS does — but “cybersecurity is a shared responsibility.”
She said that in the case of medical devices, there is a point where the security of the device is out of the hands of the regulators and the manufacturers; once it goes to a patient or a hospital to be used, they need to take certain measures to help keep the device secure.
“It’s not just that you have to be doing you part and then just sort of wash your hands of it and go away,” Wilkerson said. “You have to be doing your part and talking to the other person about what they’re doing and their part, and how it fits with what you’re doing on a constantly evolving basis, because telemedicine is the sort of epidemy of cyber security issues.”
As those involved in the process of telehealth may or may not be cybersecurity experts, Wilkerson said that “the ‘whole of ecosystem’ approach of telehealth to cybersecurity is so critical.”
“I think that’s one of the things that is really being driven home during the pandemic — all of these different pieces and all of these different people needing to work together to really make this work,” she said.