Telehealth Cybersecurity Post COVID-19

COVID-19 has dramatically changed the way healthcare is delivered. Providers were forced to pivot quickly from total reliance on in-person visits to total reliance on alternative delivery methods. Between early March 2020 and early April 2020, the number of visits to ambulatory practices declined by nearly 60% while telehealth appointments became commonplace. While ambulatory visits are starting to rebound, the overall impact still appears to be indicating that there is still a significant decline in in-person visits to healthcare providers. As we move past the pandemic, telehealth is declining somewhat, but most experts believe that COVID-19 has fundamentally changed the delivery model to include an increased reliance on telehealth.

A McKinsey & Company report predicted that up to $250 billion of the current healthcare spending could transition to telehealth. The study also indicated that consumers were significantly more likely to use telehealth going forward and providers also view telehealth more favorably than they did before COVID-19. The Healthcare Financial Management Association recently published an article where a physician stated that by using telehealth, they believe they could reduce their in-office days to two per week. It’s easy to see how providers will want to utilize telehealth going forward to reduce their expenses. 

All of this information suggests telehealth is here to stay. At the start of the COVID-19 response, the Centers for Medicare and Medicaid (CMS) Office of Civil Rights (OCR) issued a waiver of potential penalties for HIPAA violations related to the use of telehealth which enabled providers to quickly implement telehealth without fear of HIPAA enforcement. Recently CMS announced that the Public Health Emergency Waivers provided to help healthcare providers meet the demands of the Covid-19 pandemic would expire on May 11, 2023. However, CMS does realize that it may take providers longer to implement new controls related to the provision of telehealth and has extended the waiver on telehealth until August 9, 2023.

Securing Your Telehealth Environment

While consumers are showing an increased interest in using telehealth going forward there are still concerns about the security of their PHI in the telehealth environment. A recent survey indicated over 25% of consumers surveyed were worried about the privacy of their PHI. This concern is only heightened by media reports outlining the risk of video call hijacking or ‘zoombombing.’ In order to increase consumer acceptance and ensure continued compliance with HIPAA requirements, organizations who have implemented telehealth in response to the COVID-19 pandemic need to take steps to secure their telehealth environment. 

Step 1 – Evaluate Your Providers

As organizations raced to respond to COVID-19 many of them did not have a chosen telehealth provider.  As a result, physicians and other practitioners often signed up for services independently. Recently one provider with an extensive provider network was quoted as indicating her organization had providers using FaceTime, Zoom, Cerner, and other telecommunication platforms. Before you can secure your environment, you need to get a good understanding of what your providers are using. You will then need to make some decisions. Do you continue to allow providers to “pick their solution” or do you go with a standardized product throughout the organization?   

The pros of “pick their solution” are that your providers are comfortable with their choices. The cons of “pick their solution” are that it is significantly riskier to have multiple solutions. Additionally, your patients may find it confusing to use FaceTime for appointments with the cardiologist, Zoom for appointments with the internist, and Microsoft Teams for appointments with yet another provider.

Once you have inventoried your providers you need to do a vendor evaluation. This should be done regardless of if you have one vendor or five. This vendor evaluation can also help you reduce the number of products being used. While a significant portion of the evaluation should focus on the ease of use, tool performance, and other factors, you also need to consider security. Performing vendor due diligence is not only a HIPAA requirement but will help you reduce the risk of a data breach. Remember that even if the telehealth vendor has the breach, your organization will be subject to both potential reputational damage and review by the OCR to verify you had appropriate controls in place. Your vendor assessment should include the following at a minimum:

• Is the vendor HIPAA compliant? Can they provide you evidence of that compliance?
• Does the vendor have any security certifications, such as HITRUST?
• Have they provided details on what they do with your data? Is it maintained by the vendor? If so, how is it stored and what protections are in place?
• What is their communication protocol? Do they have protections to stop ‘zoombombing?’
• Do they train their personnel on the protection of PHI?
• Do they have a well-developed incident response plan?

Once you have evaluated and selected your final vendors be sure to execute a Business Associate Agreement (BAA) outlining your expectation of their compliance with the applicable HIPAA regulations.

Step 2 – Secure Your Environment

Now that you know who you are going to use and are reasonably certain that they are protecting your data, you need to look at your environment. Even during the pandemic bad actors did not reduced their efforts and may in fact be finding much easier targets as people work from home without readily accessible IT support or coworkers to advise them. 

The Cybersecurity & Infrastructure Security Agency (CISA) has developed Guidance for Securing Video Conferencing. While not specific to healthcare they do give you a roadmap for establishing a secure environment. Their guidance can assist you in securing your telehealth environment. At a minimum you should be verifying your users are connecting securely, access is properly restricted, file sharing is appropriate, and your tool has all current security features.

Securing your environment also extends to securing the devices used for telehealth. All devices, both organization-owned and personal devices, should be managed using a mobile device management tool that is password protected, encrypted, has up-to-date anti-malware software, and other security measures. Your network should be configured to approve both the user and the device before allowing access and automatically log off inactive sessions. Logging of network activity should be done, and logs should be audited to identify potentially unusual activity.

Step 3 – Train Your Providers

You probably already do annual HIPAA training, but as we move towards more telehealth make sure your training is enhanced to address the risks of telehealth. Specifically, training should remind providers that telehealth should be delivered in a secure manner, they should be aware of where they are and who can overhear them. Delivering telehealth in a public space or in front of their family could result in a HIPAA violation. Remember the current COVID-19 waiver only protects the telehealth activity, if you disclose PHI while providing care at Starbucks the OCR would probably not think you had made a good faith effort to protect that information.

Training should also cover restricting access to the device used to provide services and physical and logical security of the device. Take this opportunity to remind your workforce that leaving laptops unattended in cars or other places is never a good idea. Remember a laptop is stolen every 53 seconds, and in 2018 45% of healthcare information breaches were a result of lost or stolen laptops. This is also a good time to do refresher training on IT security, including reminders of the risks of phishing. Finally, you should make sure your workforce is aware that even though you may be receiving emails and phone numbers for the provision of telehealth, caution needs to be taken before using that information for any other purpose. You don’t want to comply with HIPAA only to find yourself in a TCPA lawsuit.

Summary

While HIPAA has been around for over 20 years, we continue to see breaches and OCR fines resulting from a failure to comply with HIPAA regulations. ComplaincePoint’s HIPAA reviews consistently show that organizations have not fully implemented the HIPAA Privacy, Security, and Breach rules. The increased use of telehealth will only create additional opportunities for data breaches unless organizations take a step back now and verify that their telehealth environment is secure. Consumer confidence in your organization could be significantly impacted if it turns out you were using insecure tools or failed to take expected steps to protect the telehealth environment. 

CompliancePoint has experienced assessors who can help you evaluate your HIPAA program including your telehealth services. If you are interested in how we can help, please reach out to us at 855-670-8780 or connect@compliancepoint.com.

---