The Multi-Pronged Approach to Defeating Telehealth Threats

By Troy Ament, field CISO for healthcare, Fortinet

At the American Telemedicine Association’s conference in January, cybersecurity was a foremost concern. There’s an acknowledgment that the industry can’t ignore this issue and must take it seriously. In fact, mitigating cybersecurity risk is one of ATA’s nine policy principles. The Association considers it a requirement for “connected care.”

But admitting there’s a problem is only half of it – the real challenge is actually taking the steps to address it. And that’s the part that’s much easier said than done. The telehealth industry has to take proactive steps to confront this issue, because it’s only going to grow. And the solution will come in multiple parts: technology, people and processes – in other words, it’s going to take some behavioral changes, too.

Looking at the threat landscape

The healthcare sector was already facing major cybersecurity challenges long before the pandemic.  And then 2020 brought new cybersecurity challenges. The sector shifted to remote health services including telehealth services and created remote COVID-19 testing sites; pharmaceutical and life sciences organizations focused on developing and manufacturing vaccines. Meanwhile, many organizations had to revamp their security infrastructure to support these remote users as cybercriminals seized the opportunity to exploit the pandemic. Their security teams struggled to ensure security, performance and compliance in the midst of these changes. 

As usual, cybercriminals made the best of a bad situation. In fact, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health and Human Services released a joint advisory in October specifically warning about the rise of ransomware in the healthcare space. 

An article published in the Journal of the American Medical Informatics Association described how telehealth is particularly vulnerable to cybersecurity risk. This vital service faces significant threat at the time of its greatest expansion. Frost & Sullivan analysts predict that telehealth will 

see a sevenfold growth from now until 2025. This will include things like providing remote appointments via video, combined with user-friendly sensors and remote diagnostic equipment, to enable better patient outcomes. But at the same time, as FortiGuard Labs research shows, IoT and IoMT devices continue to be the front lines in the battle for the internet, and hackers will continue to try to exploit them. This is all the more reason healthcare organizations’ security posture needs a shot in the arm.

Implementing the right technologies

Knowing that telehealth is a growing security issue isn’t enough; there have to be collaborative efforts to address these dangers. Healthcare IT leaders need to be prepared to address these concerns. Healthcare organizations’ quick response to COVID-19 challenges used cloud technology, secure mobile workforce enablement and virtual patient platforms at an accelerated rate that demonstrated healthcare organizations can more quickly and effectively enable digital transformation to solve challenges. 

In addition, these same organizations have been targeted and impacted by an increase in ransomware threats that will continue to rise in 2021, requiring organizations to invest in solutions that will help reduce organizational risk. 

SD-WAN is one example of such a solution. By ensuring high-bandwidth connections to support real-time video and diagnostics information to pass between patients and healthcare providers, secure SD-WAN stands to play a critical role in this industry. It enables quality healthcare to be extended to remote locations while also ensuring that patients receive the care they need without exposing them to undue health risks. Concurrently, data and transactions can be reliably secured, ensuring compliance with regulations governing the privacy of medical records and patient PII. And the efficiencies provided by SD-WAN also help ensure that these new services can be provided without the usual skyrocketing costs associated with healthcare services. 

Teaching and implementing cyber hygiene 

Telehealth security really comes down to people. The importance of good cyber hygiene must be taught and reinforced in order to empower employees to be part of the solution instead of the problem. Healthcare organizations must ensure all employees receive training; this will be a key security element for healthcare CISOs to enforce.

Make sure that every employee receives significant cybersecurity training, both as part of the onboarding process and periodically throughout their tenure. Training must include how to spot and report suspicious cyber activity, maintain cyber hygiene, and now, on how to secure their personal devices and home networks. By educating individuals – especially remote workers – on how to maintain cyber distance, remain vigilant about suspicious requests and implement basic security tools and protocols, CISOs can build a baseline of defense at the most vulnerable edge of their network that can help keep critical digital resources secure. This can involve workshops with experts and online learning.

Overcoming complexity with the basics

As healthcare organizations focus their efforts on cybersecurity education and awareness, 

employees will be better able to perform basic security tasks such as updating devices, identifying suspicious behaviors and practicing good cyber hygiene. Following on from that, it is essential that organizations invest in the right systems and solutions – from SD-WAN to anti-malware software and encryption technologies – that enable clear visibility and granular control across the entire threat landscape. Complexity is the enemy of security, so the best response to an increasingly complicated and highly dynamic digital world is to get back to the basics – beginning with cyber hygiene.