Cybercriminals seek to take advantage of rapid telehealth scale-up
The massive expansion of telehealth services in response to the pandemic is likely to change the way bad actors target data.
A new report from Booz Allen Hamilton notes that telehealth security is a patient-safety issue, considering the potentially catastrophic risks that come with service disruptions and device failures.
"Mass adoption of this technology will lead to new cybercrime focus, with an emphasis on stealing patient data to enable fraud, target health data in ransomware attacks, trick patients in social engineering schemes, and target remote patient monitoring devices," wrote the report authors.
"Cybersecurity isn’t always a priority when it comes to healthcare, but it should be. The consequences of cyber risks can be incredibly severe as healthcare data is particularly personal and sensitive," said Kelly Rozumalski, secure connected health director at Booz Allen, in a statement to Healthcare IT News.
WHY IT MATTERS
The COVID-19 crisis triggered an enormous boom in the use of virtual care, aided by federal regulatory flexibilities.
"Large U.S. technology firms are moving into the telemedicine field, pushing platforms that integrate once disparate databases used for billing, scheduling, patient data, and that facilitate patient-provider collaboration," the Booz Allen Hamilton report authors observed.
But with that boom, say experts, comes risk.
"The use of telehealth more widely will result primarily in cybercriminal activity targeting these systems or devices for monetary benefit," according to the report.
"As home-deployed medical devices assume the risks of other Internet-of-things (IoT) devices but transmit essential data used in medical diagnoses, they may pose the most significant risk for patients," the researchers added.
The risks include billing fraud, ransomware, phishing and credential theft. To keep patient and employee data safe, the authors advised, organizations should build security considerations into every layer of the telehealth ecosystem.
Health systems should also evaluate the security policies of third-party vendors, some of whom may have been unprepared for the rapid shift to virtual care; implement robust user authentication measures and device-security management; and instruct patients on how to properly configure and install remote patient monitoring (RPM) devices.
"In 2021, we’ll continue to see significant improvements in healthcare technologies that will advance patient care, especially as it relates to the coronavirus pandemic. Contact tracing and telehealth capabilities are remarkable innovations that will be necessary in mitigating the spread of the virus until there is a widely available, proven vaccine," said Rozumalski.
"Healthcare executives should make sure cybersecurity is involved in early conversations surrounding these developments or patients and healthcare professionals will suffer severe consequences. Cybersecurity can help accelerate, not delay, innovations in healthcare, but only if it’s at the forefront of these conversations," she added.
Booz Allen researchers also noted the role 5G availability will play in cybersecurity – important from a healthcare perspective, given potential industry reliance on mobile hotspots and the increased connectivity of smart medical devices.
THE LARGER TREND
This isn't the first time the spike in telehealth use has been flagged as a potential security concern.
In September, a study from DarkOwl and SecurityScorecard called telemedicine the biggest threat to healthcare cybersecurity. Earlier this year, experts told Healthcare IT News that the rapid rollout of virtual care solutions was like "blood in the water" for bad actors.
"Any time you make a change to an IT environment, you have the potential to increase risk," said Andy Riley, executive director of security strategy at the managed-security-services vendor Nuspire, in an interview with HITN.
"When you introduce rapid change, that potential goes up rapidly," Riley added.
ON THE RECORD
"The healthcare industry is at a critical inflection point, as connected care has the potential to transform the clinician and patient experience," said Booz Allen Hamilton researchers. "However, the rapid expansion of telehealth services creates new risks for patient safety and enterprise security.
"Including the right information technology and information security representatives in the planning process and building in end-to-end cybersecurity measures are essential to take advantage of the current telehealth momentum while mitigating potential threats," they said.