Linda Comp-Noto, Division President of Healthcare at Teleperformance, discusses the rapidly evolving threat landscape within the Telehealth sector and provides guidance on how providers can uphold stronger standards for security in the new normal.
The COVID-19 health crisis has caused an unprecedented acceleration in the adoption of remote monitoring and care services, enabling consumers to receive on-demand guidance from physicians, and clinicians to collaborate remotely. According to McKinsey, medical providers that have scaled their Telehealth services are seeing 50 to 175 times the number of remote patients they had before the pandemic.
During this time we are seeing relaxed legislative and regulatory restrictions extend to telemedicine beyond the crisis – Telehealth is now here to stay. But the shift does not come without attention to the associated privacy and security issues. In March, the Office for Civil Rights announced it would hold off from penalizing Telehealth providers for noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) during the crisis – exposing new vulnerabilities in digital infrastructures as a result. With each cyberattack costing on average $1.4 million, vendors must be prepared to remain resilient in the face of unanticipated risks by safeguarding the privacy of patients against increasingly sophisticated bad actors. The responsible expansion of remote care will require new ways of working for a majority of providers, a broadened integration of technology, and a tunnel vision for potential risks to company and patient data.
Due diligence to minimize cyber exposure
In the age of COVID-19, most organizations are facing secondary exposures that they may not even be aware of, or may not be sure how to prevent. Cyber exposure has transformed drastically over recent years, with healthcare organizations succumbing to ransomware attacks, privacy violations, and network disruptions. With heightened reliance on networks, healthcare organizations have an intensifying responsibility for sensitive data and for the risks associated with this information being compromised or misused. Providers must actively look to minimize cyber loss exposure and facilitate a fast recovery in the event an incident occurs, to prevent cascading impacts on reputation, productivity, and all-important loyalty.
Deploying threat protection on every remote device
As healthcare organizations become remote, their individual communication endpoints – including mobile devices and management tools – instantly fall outside the protection of the corporation’s perimeter security, making everyone in the organizational network vulnerable. In the new normal of virtual care, access to company resources should be minimized to optimize security. Bring Your Own Device (BYOD) policies, which allow clinicians and administrators to use their personal devices to interact with hospital resources in a controlled manner, have become a leading approach in healthcare settings. By isolating virtual desktop infrastructures from the user’s own device, personal functions are blocked from interfering with those of the Telehealth platform. Healthcare organizations should proactively communicate company-wide about endpoint compliance and security hygiene to educate staff who are working remotely – many of them for the first time.
Safely authenticate the right users
Even as users gain confidence in navigating online apps, privacy concerns could still influence users’ future decisions to use digital tools, according to Accenture. This is unsurprising considering the wealth of data-rich information that lies within healthcare records. To prevent data breaches, Telehealth organizations must look to close the gap in medical identity security, and ensure that practitioners are treating the right patient and that only verified members of staff have access to personal information. Multifactor authentication – which requires users to submit at least two pieces of information to gain access to a device – provides an extra layer of security to mitigate access into healthcare systems via easily compromised user credentials. Once users log into the Telehealth gateway with their secure username and password, a verified and secure connection can only be achieved through additional biometric identification, using fingerprint and facial recognition technologies.
The future of Telehealth security
While the expansion of Telehealth is allowing for ongoing, safer care of patients, it is critical that cybersecurity does not take a back seat to patient support. Deploying the right technologies and crafting high-calibre security requirements for remote devices will allow geographically dispersed physicians and patients to safely access resources or applications. In the next normal, and once HIPAA requirements lift, more stringent policies will lock in patient privacy and enable a growing number of remote employees to do their jobs effectively and safely. By demonstrating that they are acting in good faith, and redesigning their business model with the best interests of customers at the heart of all operations, healthcare providers can reduce future risk of catastrophic events, such as ransomware attacks, and build user confidence.