Securing the Digital World

Who is Responsible for Securing Telemedicine?

May 06, 2020 | by Patrick Potter

There are areas of our lives and society that might not go back to exactly the way they were before the pandemic.  Those could include working from home versus in an office.  Retail will likely begin to transform digitally in ways not seen before.  Corporate travel might decrease as more people work from home.  I’m not sure how I feel about those changes, but one area I have embraced is telehealth or telemedicine.

I don’t know about you, but whenever I can avoid a trip to the doctor’s office, I’ll do it.  I still go – don’t get me wrong.  But, if I can talk to my doctor from the comfort of my home, I’ll take that every time.  This is called telehealth or telemedicine, and according to some studies its use has increased during the pandemic.  For example, Charlotte, North Carolina–based Atrium Health, which operates 40 hospitals and 900 care locations in the Carolinas and Georgia, reported a 500% increase in telehealth usage.  Now, the downside is the medical provider can’t physically evaluate me in the same manner as if I were in their office, but they can ask me questions about my symptoms.  In addition, I can take my own temperature, weigh myself (and fudge a little bit) and check my own blood pressure.  All things considered, I’d say telehealth is a win for me.  But is it a win for medical providers?

There are benefits to providers, such as load-balancing their time and attention across patients and locations, reducing their exposure to contagious disease, and being able to use quarantined providers to see patients.  However, there are also risks to telehealth.  What if the medical provider misdiagnoses me, or if my estimations of temperature, weight, blood pressure and anything else I’ve measured myself aren’t right and the provider misses something?  There are IT risks too – telemedicine has been thrust upon a healthcare industry that is already playing catch-up with technologies; there is a lack of hardware with the right technologies for the types of exams that still have to be performed; and access to broadband, especially in makeshift medical facilities or tents, is limited.  We’ve also heard lately about the security risks of teleconferencing platforms.  What if my data is stolen via the platform we’re using?  I’m likely dialing into the platform from my home computer or smartphone.  Are those endpoints secure, or can they introduce vulnerabilities to the medical provider’s systems or data and compromise my own data?  Healthcare is the industry most targeted by hackers, and they’ve increased their efforts during the pandemic.  All these gaps give those bad actors even more ways and means to introduce phishing campaigns or ransom someone’s data.

The question becomes, who is responsible for security over telemedicine?

The answer is – all of us.  We, as recipients of telemedicine, must make sure we’re exercising good security hygiene in the form of strong passwords, updated security and systems, not clicking on emails from unknown sources, and securing our own medical data by holding appointments in secure places like our home.  Medical providers must continue, and even increase, security over their systems and data – including the platforms used to perform telemedicine appointments with patients.  It also entails keeping an eye on the methods third parties are using to access your systems and protected health data.  Finally, the push toward interoperability of healthcare systems, medical devices and data only makes improving security more important because of the richness and completeness of healthcare data that will be accessible in one place.  Right now, medical records are one of the most valuable commodities hackers look for, and these advancements will only increase the value.  These advancements are adding risk and actually changing risk profiles for healthcare organizations.  Risk and security teams must work together to address this changing dynamic.

During this pandemic, telemedicine is helping mitigate the potential bottleneck of intensive care and reducing non-urgent procedures – freeing up providers to focus on urgent needs.  Telemedicine also helps limit the exposure of at-risk populations such as the elderly and those with preexisting conditions, and enables more diagnosis and self-management at home, which helps reduce or delay the spread of the virus.  However, for telemedicine to be a viable long-term option once the dust clears from this pandemic, risks including security and patient data privacy need to take a front seat.
