The COVID-19 pandemic has enabled a huge leap into telehealth because of the urgency to provide care. The U.S. has waived certain regulatory requirements to allow flexibility in using telehealth as a response to the COVID-19 pandemic. But with healthcare delivery moved online or to the “cloud,” there are security risks involved, as with any online activity.
Even with guidelines being relaxed to expedite care, the healthcare industry must still have a system that is clear, efficient, and secure. The security, privacy, confidentiality, integrity, and availability of patient data and information that is created, received, maintained, or transmitted electronically within the healthcare system need to be trusted as, in a word, safe. And the solutions put in place must address these issues for COVID-19 and for the world following COVID-19.
Security and privacy concerns surrounding telehealth (and other digitally provided services) are not new. But they are coming to the forefront now when people are ready to accept the exchange of privacy for the immediacy of care and services.
But transforming care delivery at the unprecedented speed needed during these uncertain times requires more than just a deregulation of telehealth. While this change is revolutionizing the American healthcare industry, it is important to proceed safely and effectively.
Players, stakeholders, and responders to this pandemic need to be nimble and adaptable when called on to collaborate. Security and privacy must never be compromised when it comes to delivering urgent care.
“The delicate balance between privacy and data protection on the one hand, and the protection of public health on the other, presents a number of challenges,” advises American Medical Association (AMA) President Patrice A. Harris, M.D., M.A.
Health IT Security states that the growth of telehealth use for safer care of patients during the crisis also raises privacy concerns for patients’ personal data and companies’ private information. This concern is compounded by the fact that most healthcare providers are not trained in data security or in protecting the privacy of their patients’ information online.
“In cyberspace, there are many methods that can be used to break into the electronic system and gain unauthorized access to a large amount of protected health information (PHI). Therefore, the information security and patient privacy in telehealth is at a higher risk for breaches of PHI,” according to a paper published in The International Journal of Telerehabilitation.
TechTalks cites “...from monitoring the patients’ homes and detecting indications of a fall or other health emergencies to acquiring and remotely transmitting patients’ health data, one breach by one savvy hacker can disrupt or even destroy a single patient’s life.”
Suggested security best practices
How platforms secure and protect the information being exchanged is as important as the access to care they provide. At a minimum, as suggested by Stephen Hyduchak, CEO of Aver, it is key to “...make sure the telehealth service is reputable and that it’s following the Health Insurance Portability & Accountability Act (HIPAA). Also, only disclose relevant information that is absolutely essential.”
Ensuring security and privacy of patient communication and data exchange is crucial. The federal government’s easing of restrictions is not a license to settle for less security. Even though HIPAA rules have been waived, healthcare organizations and providers should not skimp on security as they rush to provide care remotely.
A HIPAA-compliant telehealth provider is the safe choice during a pandemic. Compliance with HIPAA and with the Health Information Technology for Economic and Clinical Health Act (HITECH) ensures accountability. That compliance is measured through a trusted benchmark, the HITRUST certification, to show that the healthcare provider, organizations, and their IT vendors have not only achieved compliance but can also prove that they are a trustworthy resource.
George Jackson, Jr., senior principal consultant at healthcare cyber-risk management firm Clearwater, advises that in telehealth, you deal with three systems almost simultaneously: “You’re dealing with the vendor and the platform, with the provider’s environment, and with the patient environment. So pretty much anything that you look at as far as a risk or vulnerability, you have to triple [the risk] because those threats and vulnerabilities exist in three interconnected arenas,” said Jackson.
Among the “Six Steps to Protect Against Increased Telehealth Cybersecurity Dangers,” the use of VPN or cloud-based technologies is recommended when considering your telehealth service providers. Opting for secure health technologies means observing industry-standard cybersecurity guidance and protocols.
The lifting of HIPAA penalties for telehealth use during COVID-19 by the U.S. Department of Health and Human Services Office of Civil Rights is not litigation-proof. “Plaintiffs, later on, may use any violation to justify a negligence claim in case of a breach,” according to the same article from JDSupra, a legal intelligence consulting group.
Telehealth per se is not specifically covered by HIPAA provisions; the healthcare providers using it are. Other entities covered by HIPAA include health plans and healthcare clearinghouses. Those who utilize telehealth that involves protected health information must meet the same HIPAA requirements as if the services were provided in person.
The protection of patient information — and the security of communication — must be safeguarded at all times. The healthcare system is already besieged by COVID-19. It cannot afford any more threats, cyber or otherwise.