Telehealth poses big cybersecurity dangers, Harvard researchers warn

The relaxation of regulations around telemedicine has undoubtedly made it easier for patients to access virtual care – but has also presented new privacy risks.
By Kat Jercich
12:43 PM

A Harvard Medical School team published a letter in the Journal of the American Medical Informatics Association this week warning of the "substantial" information security concerns around telehealth.

The authors, led by organizational cybersecurity researcher Mohammad S. Jalali, note that the uptick in telemedicine services has undoubtedly made healthcare more accessible – but that the relaxation in regulations about virtual care combined with a heightened threat landscape can spell trouble. 

"As we continue this shift to telemedicine, new issues and risks unravel that need to be addressed, particularly in regard to information security and privacy, and ongoing work is needed to ensure that our technology infrastructure provides an environment for safe and effective care delivery," they wrote.

WHY IT MATTERS

In their letter, the researchers note that the U.S. Department of Health and Human Services lifted several restrictions on the use of communication apps – such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts, Zoom and Skype – for telemedicine.

These relaxations have of course made it easier for many patients to access virtual care. But they've also raised concerns about inadequate data protections, particularly when intruders made headlines for entering video conferences, in incidents known as "Zoom bombing," earlier this spring. 

The research team also pointed to recent warnings from government agencies about the possibility of cyberattacks against the healthcare sector. Protecting against these kinds of threats requires a multi-pronged approach, wrote the researchers.

Awareness, of course, is vital: Employees should be trained to watch out for attempted cyber threats, particularly via phishing emails. Organizations should also follow best-practice security behaviors, including encrypting data, keeping software updated, running antivirus software, using two-factor authentication and following local cybersecurity regulations.

The team also recommends transitioning from consumer video conferencing tools to healthcare-specific products. "Enterprise-grade software versions may include key security features such as encryption, and may offer additional configuration settings that can be standardized for the entire organization, such as requiring a waiting room with every teleconference," wrote the researchers.

THE LARGER TREND

Cybersecurity experts have frequently warned against the potential dangers telemedicine may pose, with one noting that the rapid spin-up of telehealth could act like "blood in the water" for bad actors.

And this threat is unlikely to abate in the new year, with forecasts predicting telehealth will continue to present security challenges (along with the rollout of COVID-19 vaccines).

ON THE RECORD

"Executives need to be willing to invest fully in cybersecurity throughout the organization. Emerging fields, such as artificial intelligence, the Internet of things, and blockchain can also be employed as prevention and detection tools to combat cyber threats more effectively," wrote the researchers.

"To leverage these technologies, healthcare organizations need to partner with telemedicine and cybersecurity vendors to understand how to best implement and use their infrastructure and products," they continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
