CMHC Pulse Blog

As evidenced by recent changes within the healthcare system, the novel coronavirus (COVID-19) outbreak has changed the standard practice of medicine, shifting the model of care into the digital space and encouraging telehealth solutions whenever possible. Although this has allowed for greater flexibility and the ability for many medical practices to continue conducting business, the resulting rapid expansion of telehealth services carries its own set of risks concerning data privacy and online patient safety. The outbreak has led to a drastic increase in cybersecurity threats, with many rapidly emerging telemedicine solutions entering the market without adequate prior testing and safety records.

New workflows and technologies are being introduced to meet rapidly rising patient demands in a short period of time, requiring information technology professionals to develop rapid-response risk-analysis capabilities, Dan Costantino, Chief Information Security Officer at Penn Medicine, told Healthcare IT News in an interview. Security and privacy concerns have surrounded digital medical services since their introduction; however, they are heightened now as more patients readily exchange privacy for the immediacy of care and as an increasing number of telemedical platforms are forced to enter the market as soon as possible.

Data Privacy and Patient Safety

Federal regulations have lessened HIPAA restrictions for the duration of the pandemic to make providing online care easier, allowing practitioners to utilize popular telecommunication platforms such as Zoom and Skype. While these service providers allow for easy communication with patients, they also present potential data privacy concerns.

Recently, a growing number of reports have been issued concerning hackers targeting Zoom domains and other applications used in the telehealth space. In addition, there has been an increase in warnings pertaining to COVID-19 fraud schemes and supply chain attacks as cyber criminals take advantage of rising use.

Telehealth Cybersecurity Best Practices

The increased cybersecurity risks are tied to expanded lists of users accessing networks and telecommunications platforms as well as a rush of untested solutions, potentially exacerbating online security, data privacy, and compliance threats. While complete protection against cybersecurity threats is difficult to guarantee in the current technological environment, especially with many providers working from home devices and networks, the following best practices can help protect providers and patients in online interactions.

Ensure VPN Security

One of the most important elements of protected communications is the virtual private network (VPN), a primary method of connecting remotely to enterprise networks. The use of these networks ensures data is encrypted and that sensitive corporate data passes through corporate resources before being distributed through an internet-hosted application. According to data reported by Health IT Security, VPN usage has increased by 124 percent in the United States within the past two weeks alone. This surge is attributed to growing concerns over network safety.

While VPN use is one of the most secure methods of online communication, organizations have been failing to patch core vulnerabilities, leading to a rising number of cases of VPN exploitation. Health IT Security reports, “As of January 2020, thousands of organizations still had not updated the flaws with the latest patches.”

Practitioners providing online care and healthcare organizations with telehealth services must ensure VPN software is up to date and eliminate potential VPN vulnerabilities to protect sensitive patient data.

Use Approved and Reputable Software

The rapid rise of telemedicine services has prompted the emergence of new platforms and applications, many of which have not yet been adequately vetted. Providers are urged to download applications only from reputable sources and utilize only approved and safe telecommunications platforms. Healthcare organizations may already offer such systems, although providers should check with their HR department to ensure they have the right information before downloading and connecting to any new platforms.

Understand How Platforms Manage Data

To ensure compliance, patient safety, and data privacy, providers utilizing any online services should have a robust understanding of the data collection, storage, and destruction practices of each platform. The majority of reputable telecommunications providers should feature codes of conduct and information about their data use policies, as well as their levels of compliance with HIPAA regulations. Both patients and providers should aim to disclose personal information only when absolutely necessary to prevent misuse or mishandling of sensitive data.

Use Identity Authentication

Healthcare institutions should ensure their software and telemedicine platforms are equipped with appropriate identity authentication systems, which are critical to online safety. The most common method is the use of multi-factor authentication, reported to block 99.9% of all automated cyberattacks. As a security enhancement, multi-factor authentication allows users to log in and access their accounts after they present two or more pieces of evidence confirming their identity, thereby greatly reducing cybersecurity threats.

Manage Mobile Device Access

Allowing practitioners to access healthcare-related information and telemedicine platforms from their personal devices makes rapid virtual care more feasible than distributing corporate devices for home use at this time. However, providers and healthcare organizations must have the appropriate mobile device management tools before they can securely embrace a bring-your-own-device (BYOD) strategy. This includes the segregation of personal devices and applications from healthcare apps and data, which is crucial and can radically reduce the risk of data leaks and the risks posed by potentially vulnerable, stolen, or lost devices.

Telemedicine security policies should be put into place to help define virtual care, remote access, and BYOD requirements for clinicians. According to recommendations from Health IT Security, providers should also employ a tiered system which grants devices access to data based on their security levels. In this way, organization-owned laptops and other top-tier controlled devices would have the most access, while personal or BYOD mobile devices would have minimal access to sensitive data.
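The tiered model described above can be expressed as a small default-deny policy check. The following is an added illustration, not code from this blog or from Health IT Security; the tier names, posture attributes, and data class labels are all hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    UNTRUSTED = 0  # fails baseline checks: no access at all
    BYOD = 1       # personal device under MDM with segregated work apps
    MANAGED = 2    # organization-owned, fully controlled device

# Hypothetical data classes, each mapped to the lowest tier allowed to read it.
MIN_TIER = {
    "schedule": Tier.BYOD,             # appointment times, no clinical detail
    "video_visit": Tier.BYOD,          # live telehealth session
    "clinical_notes": Tier.MANAGED,
    "full_record_export": Tier.MANAGED,
}

@dataclass(frozen=True)
class Device:
    org_owned: bool
    mdm_enrolled: bool
    disk_encrypted: bool
    os_patched: bool
    work_container: bool = False  # healthcare apps segregated from personal apps

def classify(d: Device) -> Tier:
    # The baseline applies to every device, whoever owns it.
    if not (d.mdm_enrolled and d.disk_encrypted and d.os_patched):
        return Tier.UNTRUSTED
    if d.org_owned:
        return Tier.MANAGED
    # A personal device qualifies only when work data is segregated.
    return Tier.BYOD if d.work_container else Tier.UNTRUSTED

def may_access(d: Device, data_class: str) -> bool:
    required = MIN_TIER.get(data_class)
    if required is None:  # unknown data class: default deny
        return False
    return classify(d) >= required

if __name__ == "__main__":
    # Constructed sample devices.
    laptop = Device(org_owned=True, mdm_enrolled=True, disk_encrypted=True, os_patched=True)
    phone = Device(org_owned=False, mdm_enrolled=True, disk_encrypted=True,
                   os_patched=True, work_container=True)
    for name, dev in (("laptop", laptop), ("phone", phone)):
        print(name, classify(dev).name, {c: may_access(dev, c) for c in MIN_TIER})
```

Note that an organization-owned laptop that has fallen behind on patches drops to the untrusted tier: ownership alone does not grant access.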

The growing use of telemedicine technologies has added significant benefit to the healthcare sector at this time, yet the safety of patient data and their privacy lies in the hands of medical practitioners. While many of these technologies are still new to most users, cyber criminals have already begun to locate and target network and software vulnerabilities, using the broad expansion of telemedicine as a platform for attack. As the number of telehealth encounters continues to increase, medical professionals and organizations must prioritize the cybersecurity and network safety of all online interactions.

