Avoiding Security Risks in the Age of Telemedicine

By Matt Kunkel

As a result of the COVID-19 pandemic, healthcare organizations have had to pivot to telehealth services. During the first quarter of 2020, the number of telehealth visits increased by 50 percent, compared with the same period in 2019. 

Though it’s helped the healthcare industry safely keep up with demand, there are privacy and security risks associated with telemedicine. As a result, healthcare information security processes have never been so crucial. 

Due to the sensitive information healthcare organizations possess, providers and the vendors they choose to work with must focus on the core elements of information security, such as extensive identity authentication processes, securely designed communication platforms, and an agile governance, risk, and compliance program.

Not Just a One-Year Wonder

Like digital transformation initiatives in other industries, the pandemic expedited the implementation process for digital solutions at healthcare organizations and insurance companies that didn’t already have them in place. Despite the initial rush, however, telehealth isn’t a one-year wonder. 

In 2019, about 33 percent of inpatient hospitals and 45 percent of outpatient facilities offered telemedicine services to patients, according to Definitive Healthcare data. 

Since then, venture capital funding for telemedicine companies increased to $788 million in the first quarter of 2020 alone—more than tripling funding from the same period in 2019. Furthermore, it’s projected to be a $185.6 billion market by 2026, according to Fortune Business Insights. 

With growth and increased usage come more complex compliance and security risks. How can information security teams combat these issues?

Extensive Identity Authentication Processes: Despite extensive reports about the importance of strong passwords, some consumers still don’t heed warnings to create strong account credentials. It’s why 81 percent of security breaches are due to weak or stolen passwords. When dealing with hundreds or thousands of patients using telemedicine capabilities, the likelihood of healthcare organizations being compromised or breached grows. The increasing number of users also makes it much more difficult to detect and identify stolen identities. This is why multi-factor authentication processes should be enabled within telemedicine platforms. According to Microsoft, 99.9 percent of compromised accounts do not use multi-factor authentication. Healthcare organizations protect themselves as well as their patients when incorporating more extensive identity authentication processes. 

Vendor Risk Management: Telemedicine inherently requires a digital method of communication for doctor and patient interaction. And, more than likely, healthcare providers will need multiple vendors to do so effectively. For example, some healthcare providers use one tool to communicate with patients through their websites, such as email or a chatbot, but they’ll also need a tool to communicate securely via video. As a result, vendor and third-party risk management become incredibly important. Each tool must have the same security standards as the healthcare provider, especially considering the confidential information, personal data, and signed documents sent with communication platforms and portals. Back in 2019, Quest Diagnostics announced 11.9 million customers’ personal information was potentially compromised. The breach was linked to a third-party vendor it had hired, the American Medical Collection Agency (AMCA). While vendors’ decisions are oftentimes outside of one’s control, there are still items one can look for when evaluating a potential communication partner for telemedicine purposes: a vendor with a designated security team, enterprise-level trust, and a transparent partnership.

Agile GRC Software: Healthcare organizations need to move security and compliance processes to the cloud. Management and workflow software reduces errors, improves training, and introduces more accountability into risk-management and compliance operations. Prioritizing cloud-based software presents the opportunity for agile workflows, encouraging everyone to participate in reducing risk, which ultimately creates a more secure environment. In a highly regulated industry, healthcare providers must stay compliant. Cloud-based GRC software offers a centralized and automated solution for compliance management, rather than managing tasks via spreadsheet-based or homemade workflow solutions.

Telemedicine has arrived and isn’t going away. Healthcare information security and risk management professionals need to be prepared and plan for increased telemedicine usage. The best way to do so is by securing patient accounts via multi-factor authentication processes, building risk-resilient third-party partnerships, and implementing cloud-based software to manage risk and compliance workflow. By adopting these solutions, healthcare organizations will be at the cutting edge of security protection while sustaining a culture of risk.

Matt is the co-founder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. It was during this time he learned the skills to realize his true calling: building world-class companies that meaningfully affect the lives of others through user-friendly technology. Given his extensive background in the GRC space, Matt regularly speaks and consults on risk and compliance topics. Recently, he was named an Ernst & Young finalist for the Entrepreneur Of The Year® 2020 Midwest Award.
