Incorporating cybersecurity into the DNA of telemedicine

What can my organization do to embody the best cybersecurity practices?
By Keith Tyson
08:45 AM
Share

Mahatma Gandhi is often attributed to a quote advising citizens to "be the change you wish to see in the world." This concept is also echoed in Smokey Bear's 20th century Ad Council campaign that proclaimed "only YOU can prevent forest fires." These memorable lines both imply that in order to secure our safety, and create lasting change, we must individually incorporate the best practices and habits that will benefit the greatest good. In healthcare cybersecurity, this can mean embedding, and acting on, those security measures that will have the greatest benefit for all, regardless of immediate incentives and what our peers are doing.

In healthcare organizations today, many tools have been developed that create additional risk, including financial and reputational risks for providers and identity theft risks for patients. Remote biometric monitors that are Wi-Fi or Bluetooth enabled can enhance communication between clinicians and patients, but can also increase security risk because they often use unsecured connections to transmit data. This means the data can be hijacked by cyber thieves. In the worst case, these technologies can enable hackers to use malware to hold data hostage, or change the data en route, creating an inaccurate view of the patient's condition or the potential to harm patients. At the very least, they offer the risk of exposing private patient data that can be used for identity theft.

Despite these inherent dangers, many of the most appropriate cybersecurity measures are currently not mandated, but simply recommended by federal guidelines. For instance, guidance from the FDA on connected medical devices "encourages manufacturers of such devices to identify the cybersecurity risks associated with the devices." An article in the February 2014 issue of Health Affairs notes that "no federal agency currently has authority to enact privacy and security requirements to cover the telehealth ecosystem." This reality, coupled with HIPAA's limitations in addressing patient- facing telehealth systems, means that healthcare organizations must take the onus to "be the change" that will best secure their organizations' and their patients' privacy and security. To neglect this responsibility could create disaster for patients and providers.

The question then is: What can my organization do to embody the best cybersecurity practices? First, understand that you don't need to take a defensive stance that restricts data exchange. In the 17th annual HealthCare's Most Wired Survey, produced by the American Hospital Association's Health Forum and the College of Healthcare Information Management Executives (CHIME), the "most wired" organizations were found to:

  • Incorporate patient-generated data

  • Offer self-management tools for chronic conditions

  • Offer patient-specific education in multiple languages

  • Enable physicians to view and exchange other facilities' results in the portal

  • Use the portal and electronic health record (EHR) to exchange results with other EHRs and health information exchanges

  • Communicate with patients via email or alerts

Although these organizations create additional points of security risk with these enabling technologies, they are also focused on embedding security into the DNA of the organization to prevent catastrophic damage. The "Most Wired" survey also noted that the top areas of growth in telehealth include the addition of privacy audit systems, provisioning systems, data loss prevention, single sign-on and identity management. The "most wired" organizations also implemented the following security mitigation techniques:

  • 96 percent use intrusion detection systems compared to 85 percent of all respondents. Privacy audit systems (94 percent) and security incident event management (93 percent) are also widely used.

  • 79 percent conduct incident response exercises or tabletop tests annually, a high-level estimate of the current potential for success of a cybersecurity incident response plan, compared to 37 percent of all responding hospitals.

  • 83 percent include hospital board oversight of risk management.

In the foreseeable future, the burden of implementing optimal security will fall largely to individual healthcare organizations. Although a holistic federal policy framework is necessary to respond to threats as they grow exponentially through telehealth, the Internet of Things, and other connected health technologies, currently such a framework presents ongoing challenges. However, such a framework is necessary due to the sheer volume of devices present in many organizations. For instance, in one hospital facility with 5,000 user access devices (including PCs and laptops), there were an additional 19,000 endpoint devices (including intelligent medical equipment devices) for which security needed to be addressed.

Further complicating matters, telehealth models involve physician-patient interactions (such as mobile health apps on patients' phones, or interactive implantable devices) which present unique security concerns. HIPAA's reach does not extend to guidance on how devices should be secured. For these devices, breaches of confidentiality, unauthorized access to ePHI, and uncontrolled software intervention by insiders or outside hackers remain a very real threat.

To be exemplary role models, and to "become the change" that is required to create lasting change in cybersecurity, healthcare organizations should implement measures that include:

  • End-to-end encryption

  • Comprehensive identity and access management controls

  • Distribution of telehealth applications in-person to patients

  • Implementing intrusion detection systems

  • Developing an incident response and remediation plan

  • Conducting ongoing training and IT governance measures that empower all stakeholders to prevent phishing attacks and maintain good security "hygiene" practices

As agencies such as the FDA focus on security only as it relates to medical device safety, individual organizations must prioritize and invest in security for the greatest impact. As the late anthropologist Margaret Mead has stated, "Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has." Even though breaches can and will continue to grow in scale and scope in the short term, each organization can strengthen healthcare data security by prioritizing and investing in those measures that will sustain the health of its patients, reputation and financial viability for the long term.