By Sanjay Joshi
Scott Galloway’s “The Great Dispersion” theory argues that industries are becoming increasingly digitized and distributed, a trend exacerbated by the pandemic with changes like retail moving to people’s homes via e-commerce and movie theaters being displaced by streaming. The same pattern is also playing out in healthcare.
Telehealth took off during the pandemic, with usage multiplying massively in the first year of COVID-19. Though those numbers have since stabilized to closer to 2-4x of 2019 levels, telehealth remains a popular option for many. A study from market research firm SSRS found that nearly one-third of U.S. adults have had a telehealth visit for themselves or a dependent during the pandemic, and that percentage is even higher for Medicare beneficiaries. And there’s reason to believe telehealth will remain a prominent care option, even after the pandemic subsides. The infrastructure bill signed last year dedicates $65 billion to expanding broadband, which will help broaden access to healthcare in remote areas and further popularize telehealth.
But while telehealth offers immense benefits to both patients and providers, it also comes with a massive set of overlooked cybersecurity and privacy challenges.
Why is telehealth a potential cybersecurity threat?
Healthcare has always been ripe for attackers for myriad reasons. First, healthcare providers manage incredibly sensitive patient data that is worth a lot of money on the dark web, meaning there’s a huge economic incentive to steal health-related data. Second, due to the criticality of hospital networks, attackers know full well that many health organizations will pay even the highest ransoms because they simply cannot afford any network downtime, as it could result in life-and-death consequences. Next, it’s well known that healthcare organizations can be technological laggards. A Kaspersky report found that 73 percent of global frontline healthcare providers currently use medical equipment with a legacy OS, which can create security vulnerabilities. Finally, the pandemic has only made healthcare an even bigger target. With many healthcare organizations still stretched thin as a result of a surge in patients — which carries renewed truth due to the Omicron spike — IT and cybersecurity understandably take a back seat to patient care. Ruthless hackers know this and are eager to jump when their prey is most vulnerable.
Telehealth adds even more danger, primarily because it is still relatively new. And while organizations and care providers are quickly trying to formalize best practices, there’s a steep learning curve. In fact, 30 percent of telehealth providers admitted that some of their clinicians have had patients’ data compromised when conducting remote telehealth sessions. As this process is playing out, attackers may very well see an opening to exploit potential weaknesses.
The practical difficulties of decentralized security
The greatest challenge with telehealth is that it decentralizes the hospital network. It was already a tall order to secure a single, centralized hospital environment, but now, the hospital has moved to “the edge” — it’s in people’s homes.
Why does this distribution and dispersion make it harder on health IT teams? At its simplest, the attack surface is now much more expansive. With new devices and applications being used across hospital HQ, the cloud, and now in homes, there are significantly more potential entry points for attackers.
What’s more, patients are also using their own consumer-grade smartphones, tablets, laptops, and routers to access hospital resources and communicate with healthcare professionals. This equipment is often unsecured, and hospitals lack the visibility and control needed to effectively manage and secure those devices.
Cybersecurity is a shared responsibility
My overarching advice is to remember that “securing telehealth” is not just a SecOps issue — to make telehealth as secure as possible, it’s going to take an ecosystem of players. This is validated by the National Cybersecurity Center of Excellence (NCCoE), a part of NIST, which has developed helpful guidance on the various components and practices that healthcare providers, technology providers, and patients should employ to ensure secure telehealth.
Let’s start with how healthcare providers — which include health IT staff, but also increasingly CEOs and boards — play a role. To begin, it’s imperative to establish a single point of risk, control, and governance. Historically these pillars were siloed, and various stakeholders were making their own decisions independent of one another. Part of the solution also comes down to basics, such as establishing visibility, ensuring good cyber hygiene, prioritizing asset management, and having solid remediation plans for when issues arise. You need to know how many devices are being deployed, where they are, how they’re configured, which protocols are in use, and how applications are being used, and you need to constantly monitor for patterns and anomalies.
Beyond that, we need to incentivize the front line, meaning we need to start pulling clinicians into this cybersecurity conversation as well. Maintaining a secure remote healthcare environment does not rest fully on the shoulders of health IT teams — folks on the front line need to understand how they can unknowingly act as attack vectors, and make sure they follow safe security practices.
Medical device manufacturers
Medical IoT devices, such as patient monitors or insulin pumps, are a huge part of telehealth. The persistent problem with IoT, however, is that devices are often rushed to market so eager vendors can make a money grab, which has ramifications that we’ve seen time and time again.
And once an attacker hacks one IoMT device, they can move laterally throughout a network, potentially gaining access to highly sensitive medical information. That’s why it’s so important healthcare providers vet the medical devices they purchase, and that health IT teams are monitoring for both north-south movement, as well as suspicious east-west movement.
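As an added illustration (not from the article), the following script applies an allowlist check to constructed flow records and separates expected device traffic from the east-west and north-south movement the text says health IT teams should watch for. The IoMT segment, internal range, and expected peer addresses are assumed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed network layout (assumption, not from the article): medical devices live in
# one segment and are only expected to talk to a telemetry gateway and an EHR integration host.
IOMT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_PEERS = {
    ipaddress.ip_address("10.10.1.5"),   # telemetry gateway (assumed)
    ipaddress.ip_address("10.10.1.20"),  # EHR integration server (assumed)
}

Flow = namedtuple("Flow", "src dst dport")


def parse_flow(line):
    # Constructed record format: "<src_ip> <dst_ip> <dst_port>"
    src, dst, port = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))


def classify(flow):
    """Return None for expected traffic, otherwise a label saying why it is suspicious."""
    if flow.src not in IOMT_SEGMENT:
        return None  # only flows originating from medical devices are assessed here
    if flow.dst in EXPECTED_PEERS:
        return None
    if any(flow.dst in net for net in INTERNAL_RANGES):
        return "east-west: device reaching an internal host outside its peer set"
    return "north-south: device reaching an address outside the network"


def find_suspicious(lines):
    """Return (src, dst, dport, label) for every flow that fails the allowlist check."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            alerts.append((str(flow.src), str(flow.dst), flow.dport, label))
    return alerts


# Constructed sample flows for a patient monitor (10.20.0.7) and an infusion pump (10.20.0.9).
SAMPLE_FLOWS = [
    "10.20.0.7 10.10.1.5 443",      # monitor -> telemetry gateway: expected
    "10.20.0.7 10.10.1.20 8443",    # monitor -> EHR integration: expected
    "10.20.0.7 10.30.5.12 445",     # monitor -> workstation subnet over SMB: east-west
    "10.20.0.9 203.0.113.44 443",   # pump -> external address: north-south
    "10.30.5.12 10.20.0.7 443",     # workstation -> device: not device-originated, ignored
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_FLOWS):
        print(alert)
```

In practice the peer set would come from the asset inventory the previous section calls for, so the same record tells you what each device is and whom it is allowed to talk to.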
Moving forward, there need to be stronger requirements and regulations mandating that medical device manufacturers design their products with cybersecurity in mind. Security needs to be built into the development process. Additionally, these device manufacturers must consider potential supply chain vulnerabilities and take action to mitigate risks (e.g., are all our device components secure? How do we know? Have we verified?).
Patients
There are small but impactful things that patients can do to make telehealth more secure, such as staying up to date on patching their devices, using multi-factor authentication, and educating themselves on cybersecurity hygiene. But the question is: how do we incentivize patients to do those things and take responsibility? Similar to clinicians, patients are part of the “front line,” and we need to figure out a way to engage them in this conversation, whether that’s through providing insurance incentives or just making the technology easier to use.
Telehealth is here to stay
The pandemic illuminated the promise of telehealth and reshaped healthcare in the last two years. Given its enormous benefits, I fully expect telehealth to remain a permanent fixture of our care system moving forward. But while it’s still in its infancy, it’s critical that we establish and programmatize best practices now so that we can protect hospitals and their patients moving forward.