Telehealth privacy and security: Investment and education are key, attorney says
The size, scope and rapidity of new telehealth and remote patient monitoring rollouts since the onset of the coronavirus crisis have been remarkable.
Hospitals and practices that had never before deployed virtual-care tools learned quickly how to integrate them. Those that had experience saw massive increases in the number of video visits.
But if telehealth is relatively easy to roll out and scale up, keeping secure the massive amounts of structured and unstructured data it generates is something more of a challenge.
Even though the HHS Office for Civil Rights offered wide latitude back in March for the types of consumer technologies that can be used for virtual visits, effective privacy policies and security strategies are still imperative for any telehealth rollout.
But whether it's clinicians or staff who may not be used to the new tech and workflows, or the new X-factor of patients using their own devices and home WiFi for virtual consults, the challenges are many.
Geoffrey Lottenberg, a partner with Berger Singerman, focuses on the intersection of technology and privacy, and has some useful perspective for providers who may be trying to get their arms around the cybersecurity implications of telehealth.
When it comes to getting a good handle on telehealth security, a fundamental first step is figuring out how those virtual visits work.
"The biggest thing is selecting the appropriate means by which to conduct telemedicine," said Lottenberg.
Recent allowances made by the HHS Office for Civil Rights, which said it won't impose penalties on providers who use non-HIPAA-compliant consumer platforms such as FaceTime, Facebook Messenger or Skype, were game-changers for many small practices and outpatient providers, enabling them to connect with patients quickly and easily.
Even so, "I don't feel like the traditional or video-conferencing stuff is enough," said Lottenberg, adding that practices "have to be really, really careful with that, because while you may think that they are private in the sense that public users on those sites cannot necessarily access them, those systems tend to be much more prone and exposed to hackers."
Providers truly committed to robust telehealth security "have got to spend the money to find an encrypted, password-protected teleconferencing means," he said. "I would stick with the mainstream (vendors) because they tend to spend more money on security.
"We saw what happened with Zoom pretty quickly," he added, by way of example. "Everybody realized about a week in that the system wasn't strong enough from a security standpoint to really address all the issues that were going to come at it. You've got to spend the money. Go out to get a master service agreement that ensures you're getting access to the maximum level of security."
Provider and patient education is key
Effective education for clinicians and staff about the new processes and workflows for this new care paradigm is also essential.
Lottenberg said to consider "actual logistics of scheduling telehealth and running into issues where you're trying to use the same password and login when you're seeing patients in succession. You can run into problems where people are inadvertently accessing sessions at the wrong time and jumping in the middle of somebody else's session."
Effective and secure virtual care deployment "requires a lot of attention on the front end, and then a lot of maintenance throughout the process of actually using it, to make sure you're controlling who can get in and get out of any session at any given time," he said.
"Providers need to be educating the nurses and doctors that are doing the consultations on how to use these systems. Their assistants and their staff need to be trained on how, and when, and why to send out credentials. It just requires a lot of maintenance, and training, and knowledge to get it done right."
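The scheduling failure Lottenberg describes above (one shared login reused for patients seen in succession, so a patient can land in the middle of somebody else's session) and the control he calls for (deciding who can get in and out of any session at any given time) can be made concrete in code. The following is an added example written for this page, not code from the article, Berger Singerman or any telehealth vendor. It contrasts a static, shared room code with per-visit join tokens that are random, single-use, bound to one patient and one scheduled window, and revocable by the clinician. The visit IDs, patient and clinician names, times and the in-memory store are all assumptions for illustration.

```python
"""Per-visit join tokens for a telehealth waiting room (added example, not the
article's own code). All identifiers, times and the in-memory store are
assumptions for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Visit:
    visit_id: str
    patient_id: str
    clinician_id: str
    start: datetime
    end: datetime
    token_hash: str          # only a hash of the join token is stored server-side
    admitted: bool = False   # single-use: set once the patient has joined
    closed: bool = False     # clinician ended the visit; no further joins


# --- weak model: one static room code reused for every visit of the day ---
SHARED_ROOM_CODE = "clinic-room-1"   # assumption: the kind of shared login the article warns about


def shared_room_admit(presented_code: str) -> bool:
    """Anyone holding the day's room code gets in, whichever visit is in progress."""
    return presented_code == SHARED_ROOM_CODE


# --- hardened model: per-visit, single-use, time-boxed, revocable join tokens ---
class VisitScheduler:
    JOIN_GRACE = timedelta(minutes=5)   # how early a patient may enter their own waiting room

    def __init__(self) -> None:
        self._visits: dict[str, Visit] = {}
        self._by_hash: dict[str, str] = {}   # token hash -> visit_id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def schedule(self, visit_id: str, patient_id: str, clinician_id: str,
                 start: datetime, duration: timedelta) -> str:
        """Create a visit; return the one-time join token that staff send to the patient."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, not guessable
        h = self._hash(token)
        self._visits[visit_id] = Visit(visit_id, patient_id, clinician_id,
                                       start, start + duration, h)
        self._by_hash[h] = visit_id
        return token

    def admit(self, token: str, patient_id: str, now: datetime) -> tuple[bool, str]:
        """Admit a patient only to their own visit, inside its window, exactly once."""
        visit_id = self._by_hash.get(self._hash(token))
        if visit_id is None:
            return False, "unknown token"
        v = self._visits[visit_id]
        if v.patient_id != patient_id:
            return False, "token was not issued to this patient"
        if v.closed:
            return False, "visit has been closed by the clinician"
        if v.admitted:
            return False, "token already used"
        if now < v.start - self.JOIN_GRACE:
            return False, "too early for this visit"
        if now > v.end:
            return False, "visit window has ended"
        v.admitted = True
        return True, visit_id

    def close(self, visit_id: str, clinician_id: str) -> bool:
        """Clinician ends the visit; its token can no longer admit anyone."""
        v = self._visits.get(visit_id)
        if v is None or v.clinician_id != clinician_id:
            return False
        v.closed = True
        return True


def demo() -> dict:
    """Two back-to-back visits with one clinician; returns each admission outcome."""
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed schedule
    s = VisitScheduler()
    tok_a = s.schedule("visit-A", "patient-A", "dr-1", t0, timedelta(minutes=20))
    tok_b = s.schedule("visit-B", "patient-B", "dr-1", t0 + timedelta(minutes=20), timedelta(minutes=20))
    return {
        "shared_room_second_patient": shared_room_admit(SHARED_ROOM_CODE),  # walks straight in
        "b_too_early": s.admit(tok_b, "patient-B", t0 + timedelta(minutes=5)),
        "a_joins": s.admit(tok_a, "patient-A", t0),
        "a_replays": s.admit(tok_a, "patient-A", t0 + timedelta(minutes=1)),
        "b_uses_a_token": s.admit(tok_a, "patient-B", t0 + timedelta(minutes=2)),
        "b_joins": s.admit(tok_b, "patient-B", t0 + timedelta(minutes=16)),
        "close_wrong_clinician": s.close("visit-B", "dr-2"),
        "close_ok": s.close("visit-B", "dr-1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened model is that the credential itself identifies the visit, so a patient holding a valid token can only ever reach their own session, and the clinician's close() makes the token useless even if it is forwarded or left in an inbox. Storing only the token hash means a leaked database does not yield usable join links.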
That's not just on the provider side. Patients, too, are now key players in the data-privacy equation. It's imperative that they be educated about security best practices and the role they can play in keeping their own health data safe as they connect from home on their own WiFi networks.
"You have to have your patients accepting those policies and understanding what the risks are: 'We're launching this new way of telehealth. Here's how it works. Here are the do's and don'ts, and here's some frequently asked questions,'" said Lottenberg.
"You have to just go through that process. It's another thing that your compliance department has to worry about."
RPM: Data (lots of it) in motion
Going forward, as telehealth becomes the new normal, so will its close cousin, remote patient monitoring. RPM is much more complex than most video-based consults, with multiple streams of real-time data both at rest and in transit, but "all the same concerns apply," said Lottenberg, just at a larger scale.
"When you're talking about monitoring data, you're talking about long-term transmittal, storage and access to all of this PHI which is covered by HIPAA," he explained. "The volume of data is going to increase substantially. Which means that the exposure to breaches is going to grow; the risk becomes much higher because you can only control so much data."
Telemetry systems and medical devices "are going to have to be more advanced," said Lottenberg. "You're going to have to have stronger protection for all that data. And then the providers are going to have to figure out: 'What is the minimum number of people who actually need access to this information, in order to maintain general data privacy?'
"That information should all be accessed by the minimum number of people required to have a need to know," he explained. "So it's just going to extend, again, the compliance and the time spent to actually analyze these things, understanding that many more patients are going to have these digital devices that are going to be constantly sending data on the internet."
"Unlike more traditional medical-device management – a patient with a pacemaker going in once every three months to the doctor's office and somebody specific reading the data and storing it locally – RPM is internet based, which means it's prone to attacks. And remember, a lot of people are using their home internet to send that data. So what systems can the healthcare providers put in place to address all those issues?"
For more perspective on telehealth and RPM security strategies, tune into my new on-demand HIMSS webinar, The Cybersecurity Implications of Telehealth: Safeguarding the New Normal of Virtual Care, where I speak with the deputy director of NIST's National Cybersecurity Center of Excellence, the chief information security officer of Sentara Healthcare, and a UK-based physician and cybersecurity expert about providers' new privacy and security responsibilities, now that virtual care is widespread.
Security in the COVID-19 Era
This month we look at how the COVID-19 pandemic is fundamentally changing healthcare organizations' approaches to security, now and in the future.