By Isaac Madan, CEO & Co-founder, Nightfall
Telehealth — the process of receiving health care virtually or over the phone — has skyrocketed in popularity over the last year. In 2019, only 11% of Americans used telehealth solutions; today, 76% of Americans are interested in using telehealth moving forward. Caregivers favor telehealth too, and even government insurance policies are now providing the same coverage for telehealth services as in-person patient visits.
The rise of telehealth presents a thorny cybersecurity issue for healthcare organizations and IT professionals. The Health Insurance Portability and Accountability Act (HIPAA) states that covered entities must put controls into place to identify and protect against anticipated threats to the security of protected health information (PHI).
Health organizations have been using cloud storage and cloud-based applications for the last decade; in one survey, 35% of healthcare organizations held more than 50% of their data or infrastructure in the cloud. Cloud storage is an attractive target for hackers because misconfigurations or lax security make it easy to extract valuable information. And, with the rise of telehealth, attacks targeting cloud storage reap more data than ever.
Telehealth and patient health data
Telehealth became more popular during the pandemic, but all signs point toward telehealth becoming the new norm. The convenience, personalization, and efficacy of telehealth solutions continue to drive demand for teletherapy apps, virtual visits, and other methods of digital delivery.
Data is a critical part of providing telehealth. Platforms like Teladoc and Talkspace collect data from therapy sessions, online self-assessments, doctor notes, and patient insurance claims. This data is used actively to monitor patient outcomes, optimize care, and ensure that doctors are kept in the loop as needed. That’s a lot of PHI, along with other sensitive data like personally identifiable information (PII), that needs to be shared and stored in the cloud. This data at rest and in motion requires high levels of security; telehealth companies may need to comply with GDPR and other privacy regulations, too.
While cloud solutions are the best option for sharing and storing patient health data on the go, cloud data storage can surface cybersecurity risks and vulnerabilities. There are many aspects to protecting cloud data, from ensuring access controls are properly implemented to encrypting data, creating a secure cloud architecture, and setting up a robust monitoring and alerting system. This is where data loss prevention can play a key role.
Security threats to telehealth
While telehealth is increasingly popular among patients, it’s also become a desirable target for cybercriminals.
There are many reasons why healthcare organizations are easy targets for hackers. IT infrastructure tends to be outdated at hospitals and clinics. Healthcare organizations are often slower to adopt industry best practices and stay up to date on the latest threats. These targets also can lead to a big payout: private health organizations tend to have the financial resources to actually meet ransomware demands, for instance.
Telehealth is a relatively new field. While many telehealth providers are tech-first startup companies, some platforms are simply add-ons to existing health infrastructure. A therapist at a health clinic, for instance, may be using Zoom or another SaaS tool to provide virtual sessions to patients. This type of set-up is only as strong as the network used by the clinic — which, in many cases, has many vulnerabilities to exploit.
Researchers at Harvard warned that organizations need an intentional, 360-degree approach to protecting telehealth solutions. “Awareness is an important first step, and can take the form of education, employee training, and simulated cyberattacks (eg, sending fake phishing emails and providing training for those who click) toward establishing a culture of security,” wrote the study’s authors.
It’s not just training that’s needed. Specific cloud-based security solutions can help telehealth organizations maintain patient data security.
Protecting telehealth data
Cloud software and cloud storage are highly collaborative environments where data security best practices can be difficult to implement. In telehealth, there are a large number of users in these environments, including insurance providers, doctors, nurses, pharmacists, and patients. A cloud platform’s always-on nature also makes it difficult to manually monitor and track when data is improperly shared or accessed.
There are a number of steps that telehealth providers can take to ensure the security of patient health data. A cloud data protection solution is an immediate measure that can provide a critical layer of security, monitoring, and control. These solutions can be set up to monitor security and send an alert whenever PHI appears somewhere it shouldn’t, like in a public Slack channel.
Healthcare organizations should know who has access to sensitive information and deny access to unauthorized parties. Specifically, cloud data loss prevention (DLP) providers can help strengthen data security and meet compliance regulations like HIPAA, which explicitly requires logical access controls to secure sensitive information and prevent data breaches.
Telehealth organizations should take a layered approach to security. In addition to cloud DLP, an organization should use extensive, encrypted backups to make sure stored patient information is never lost. Adding multi-factor authentication will also help ensure only authorized users are accessing data in use. Most importantly, telehealth providers must use encrypted, HIPAA-compliant messaging platforms to secure data in motion.
With telehealth here to stay, now is the time for healthcare organizations to invest in cloud security tools that keep patients safe.