By Sonia Arista, CISM
Telemedicine tools and initiatives can offer immense benefits, but can also put the data of patients and employees at risk. Learn how to secure telemedicine initiatives as they grow in popularity.
Mobile technologies have become a staple in the healthcare space, as individuals seek to gain more accessibility and control over their information and treatment plans. Many healthcare practices have adopted applications that allow for simplified communication between patients and physicians, while wearable connected devices are now often used to track patient progress and support care plans.
The use of technology to communicate with patients, rather than physical meetings, can be highly beneficial – both economically and for convenience, especially for those in remote areas with limited access to medical care.
Telemedicine is the next phase of this trend, and it is growing in popularity for the benefits it brings patients and the reach it offers physicians. However, this practice does not come without security risks. Patient-owned devices that connect from personal WIFI back into a healthcare systems’ network can easily be targeted as entryways for cyber criminals. This can similarly trigger non-compliance, as HIPAA regulates the types of communication channels permitted to transmit medical data for telehealth.
As telemedicine becomes more popular, healthcare organizations need to ensure that they have the security tools and processes in place to ensure that the technology that makes telemedicine possible is not also being exploited for cyberattacks.
The Growth of Telemedicine
With enabling technology more readily available, telehealth initiatives are consistently growing in popularity. Research shows that 70% of consumers would rather obtain a prescription via a video consultation than a trip to the doctor’s office. Furthermore, telehealth practices are reportedly popular with physicians across age groups, with the number of doctors reporting telemedicine as a skillset doubling between 2015 and 2018.
The value of the telehealth sector is expected to reach $130.5 billion by 2025. Several factors are contributing to this growth:
- Reimbursement Programs: Over the past few years, several pieces of legislation, including the Creating High-Quality Results and Outcomes Necessary to Improve Chronic Care (CHRONIC) Act, have been drafted that assist the growth of telemedicine, such as reimbursement programs. For example, Medicaid allows states to reimburse practitioners that incorporate telehealth, given that it conforms to federal standards for efficiency, quality of care, and economy. States can also reimburse providers for costs such as technical support.
- Physician Shortage: There is a physician shortage being driven by an increased need for doctors as the population grows and ages, and a limited supply of qualified physicians – both for primary care and specialties. In some states, where medical practice insurance has skyrocketed, even large population centers have a serious deficit of certain types of medical specialists. Telemedicine can help reduce the impact of this shortage by enabling patients to communicate with specialists about conditions treated by fewer doctors, even out of state or in other countries, or for those in remote locations, even communicate with their primary care. “Crowd-sourced” medicine and consults are also increasing in popularity as an alternative to costly and cumbersome “second opinion” appointments.
- Digital Tools: To provide quality care via telehealth, providers and patients now utilize periphery internet-based technology such as cameras, medical and communications software, mobile medical devices, and more. Advancements and accessibility of such tools over the past few years make telemedicine a viable option for more and more people.
Risks of Telemedicine Initiatives
However, if not implemented carefully, rapid growth and speed-to-market rollout can put the data security of patients and broader health system employees at risk.
Telemedicine requires various devices, applications, and software programs to connect from remote locations back to the provider network. These devices may not be solely owned or managed by the health provider making security assurances within the network and at the device layer difficult to make. Lack of visibility into the posture of public networks, a lad in security updates, or less-than-secure connections can leave health systems vulnerable, allowing cyber criminals to leverage these devices and methods as entryways into the core enterprise network.
As telemedicine initiatives grow, CISOs and IT teams at healthcare systems need to create a security infrastructure that allows them to reach patients remotely without compromising compliance or the security of sensitive data. Of course, segmentation is one strategy for addressing this problem. But that needs to be combined with other methods just as critical.
Securing Telemedicine Initiatives
To secure telehealth, security teams need to implement tools that offer visibility into each device within the network, the level of security within that device, as well as data use and movement. This will ensure at-risk devices can be isolated to minimize lateral movement of cyber criminals across the network – especially into areas where sensitive data is stored. To achieve this level of visibility, security teams can leverage several tool and strategies.
- Network Access Control (NAC): NAC solutions can play a pivotal role in the security of telemedicine initiatives. Modern network access controls, for example, enable security teams to see each connected IoT device operating within the network. This is especially essential as telemedicine is conducted over connected mobile devices such as smartphones, tablets, or portable medical devices. A NAC solution identifies each of these devices at the moment of connection, continuously tracks and monitors each device, and can issue automated responses to those exhibiting anomalous, threatening behavior. NACs can also limit access for devices using techniques such as micro-segmentation, ensuring they can only enter and leverage data from the portions of the network necessary to their function.
- Application Security: Telehealth practices rely on several applications to connect physicians with patients. Often, IT teams cannot control the level of security built into these apps, or if remote users are updating their applications as soon as patches are released –which can leave them vulnerable. Application security tools, such as web application firewalls, can protect health networks from common application vulnerabilities, such as the OWASP top ten, zero-day threats, and malicious bots.
- Integrated Management and Analytics: There is a lot of activity in modern healthcare networks owing to the growing volume of connected devices and applications coming in from employees (BYOD programs), guests, and patients. Even if healthcare IT teams deploy separate and isolated security tools, they still need a centralized view of all network activity and unified security alerts. Taking an architectural approach to security and allowing for centralized management consoles supports maintaining visibility into security alerts, compliance efforts, and data usage in an efficient way.
In addition to implementing security tools, healthcare institutions practicing telemedicine must also make subsequent changes to their security programs. Review contracts with third-party providers as well as strategies for gathering and responding to threat intelligence. When purchasing tools that enable telemedicine from third-party vendors, IT teams must be careful to measure the level of risk created by the tool and adjust security policies accordingly. Furthermore, they must delineate clear expectations for the level of security that is to be provided by the vendor. The days of blindly relying on the execution of security terms within BAA agreements is long past. Finally, access to current threat intelligence is also an important part of securing telemedicine, ensuring that IT teams stay a step ahead of threat trends that may seek to target telehealth tools in attacks.
Advanced Healthcare Services Require Advanced Security
Healthcare systems will continue to pursue telemedicine for the myriad of benefits it provides. With this in mind, IT teams must be careful to implement the necessary security controls alongside telehealth-enabling tools to maintain visibility into devices and monitor and secure data moving between and within connected networks, ensuring consistent data security and compliance.
About the author
Sonia Arista is a seasoned Information Security and Technology specialist with over 20 years’ experience. At Fortinet, she is responsible for the go-to-market strategy, solutions and sales growth for the company’s healthcare business. Based in Boston, Sonia works closely with healthcare industry leaders to demonstrate the importance of a security fabric approach to enable scalable, protected, cost-effective access to high value patient data that addresses changing regulatory standards and industry identified threats. Sonia earned a BBA in Management Information Systems from Southern Methodist University and has certifications in Certified Information Security Management (CISM) and as a HITRUST Alliance Certified CSF Practitioner (CCSFP). Sonia is currently pursuing an Executive Master’s Degree in Cybersecurity at Brown University.