By Laura Kreofsky, VP, Advisory & Telehealth, Pivot Point Consulting, a Vaco Company, and Ferdinand Hamada, Managing Director at MorganFranklin Consulting
Telehealth services have been available for many years in the U.S., but their use had been limited by technological barriers, regulations and lack of coverage by insurers. Then came COVID-19, and telehealth usage exploded. From March to April 2020, telehealth utilization soared to as high as 80% of patient visits from less than 1%, according to data published on JAMA Network.
While usage has eased in the ensuing months, most providers intend to make telehealth an integral and permanent part of their care delivery strategy. Survey results from a HIMSS webinar last November show that 90% of responding providers intend to increase (or continue to increase) telehealth access, with most organizations expecting telehealth volume to increase post-pandemic by an average of 53%.
Hospitals and health systems are embracing telehealth because they’ve seen how well it works for their patients. Telehealth improves patient access to care, increases patient engagement and offers clinicians insights into a patient’s home environment, which can inform care decisions. Further, virtual care increases practice revenue and reduces costs to both patients and providers.
Hospitals and health systems also are being pressured by patients who expect telehealth services from their care providers delivered through multiple devices and communications tools. To ignore this market trend is to lose business to more consumer-friendly competitors.
As with any services connected to a network, however, virtual care can be vulnerable to a multitude of security risks. Healthcare providers experience a heightened risk from cybercriminals. The digitized patient personal and financial information found in electronic health records (EHRs) includes medical records, Social Security numbers, credit card information and more are hot commodities for cyber thieves.
It is no coincidence that healthcare has higher costs associated with data breaches than any other industry – $7.13 million on average per incident, according to IBM Security’s 2020 data breach cost report, versus $3.86 million on average across all industries. Healthcare is a far more frequent target of cybercriminals, facing 2-3x more cyber-attacks than other industries. Even worse, attacks against healthcare are expected to rise substantially in 2021 as providers and other stakeholders conduct more business virtually.
One of the reasons healthcare breaches are so costly is the HIPAA penalties around failure to protect patient data. Fortunately for providers, the U.S. Office for Civil Rights in March 2020 said it would waive penalties for HIPAA noncompliance against providers leveraging popular teleconferencing apps such as Zoom and Skype. This decision, however, hardly means these apps aren’t vulnerable to hackers.
As its use becomes more common, telehealth will present an increasingly prevalent and tempting target for cybercriminals trying to steal data either to sell on the black market or hold for ransom. Healthcare organizations that quickly rolled out virtual care services in response to the pandemic without putting in place proper security and controls to protect patient data will be particularly vulnerable to attacks from external threat actors and malicious insiders.
What can hospitals and health systems do to deliver secure virtual care services? They need to develop specific virtual care privacy and security strategies. Here are 5 key elements for healthcare organizations ramping up virtual care services to consider in devising an effective security strategy.
Protect the crown jewels
The first step is understanding 1) what is your most critical data and 2) where it resides. For healthcare entities, patient data is of paramount importance. If you don’t know where your crown jewels are, you can’t protect them. Continuous identity authentication ensures authorized individuals have access to data. Identity authentication can be accomplished through a variety of approaches.
Implement proper safeguards
The healthcare industry is notorious for poor attention to security, despite the fact it is an increasingly likely target for breaches. If healthcare organizations can’t spend money on new infrastructure, they at least can practice fundamental security hygiene by ensuring out-of-date systems – which provide easy points of entry for any intruder – are patched.
Multi-factor authentication, or the requirement of utilizing two pieces of evidence to sign in, is among the most common and has been proven effective in blocking 99.9 percent of all automated cyber-attacks.
Should an attacker succeed in gaining a foothold in the network, healthcare organizations must prevent access across their systems by enacting safeguards such as privileged access and user authentication. Other technical security measures include encryption of data (at rest and in transit), redesigning data architecture around data flow and providing security at the device level.
Train patients to be security aware
Telehealth multiplies the risk to healthcare data and IT systems because it creates many more points of entry into a network. Every patient’s virtual appointment presents a potential security vulnerability to hospitals and health systems.
While most of these videoconferencing services have tightened up security, patient devices still may lack basic security. Mobile devices, for example, rarely are equipped with antivirus or anti-phishing protection. It is in the interests of patients and providers that patients are informed and educated about potential security vulnerabilities surrounding virtual care and the steps they can take to help diminish these dangers. Additionally, using a VPN both during telehealth services and for general device usage will mitigate the risk of any exploiting new vulnerabilities.
Monitor and test
Finding out your network was successfully breached two months ago is every hospital executive’s nightmare. Hospitals and health systems must be constantly vigilant against data theft. Their environments should be constantly monitored for unusual activity using a secure information and event management (SIEM) tool that provides real-time analysis and security alerts.
Hospitals and health systems also should test their environments by emulating threats to determine where there are vulnerabilities. Such penetration testing allows organizations to identify and mitigate against risks before they are exploited by hackers.
Build security awareness internally
As mentioned above, malicious insiders are a threat to healthcare organizations. So too are employees who are well-intentioned but lack security training. Healthcare is “the only industry where insider threats are greater than threats from the outside,” according to a 2018 Verizon report. “Human error remains a major contributor to healthcare risks.”
Many breaches have occurred because a user inside an organization clicked on an email link that allowed malware to infect their computer and eventually traverse the network. These incidents can be reduced by providing security training to healthcare employees.
Laura Kreofsky, VP, Advisory & Telehealth, Pivot Point Consulting, brings a wealth of expertise to her role leading Pivot Point Consulting’s Advisory practice. Over the past 27 years, she has led health IT planning, implementation and operations in the private and public sectors; working with and for academic medical centers, community hospitals, insurers, public health agencies and international clients. Her areas of focus include IT-enabled business strategy, IT operations and governance and industry regulations and reform.
Ferdinand Hamada brings more than 20 years of experience in cybersecurity and technology transformation within the life sciences space. Prior to joining MorganFranklin, a Vaco Company he served as vice president of information technology and chief information security officer (CISO) at Catalent Pharma Solutions. Hamada also served for more than 10 years at KPMG Consulting, focusing on IT advisory for several of the nation’s top pharmaceutical clients. He began his career in various IT positions at Cardinal Health and Merck.