50% of Patients are Opting for Telehealth – What does that mean for cybersecurity?
Telehealth and remote healthcare work have rapidly increased due to the COVID-19 pandemic. While healthcare organizations quickly adapted to ensure continued patient care, many also deployed remote systems that had security flaws, leaving them more vulnerable to cyber-attacks. Amidst this massive acceleration of telehealth, some providers report a nearly 50% increase in patients opting to be seen virtually rather than in person.
How Is Telehealth Challenging HIPAA Compliance?
Telehealth is the distribution of health-related services and information via electronic telecommunication technologies. Telehealth allows for long-distance patient and clinician contact, care, advice, reminders, education, intervention, and monitoring.
While expanding telehealth has allowed for the safe care of patients during the pandemic, it has also increased concerns over patient privacy. One concern has been the temporary suspension of penalties for noncompliance with HIPAA regulations. The Department of Health and Human Services’ Office for Civil Rights announced on March 18th that it would not impose penalties for noncompliance with HIPAA regulations against providers leveraging telehealth platforms during the COVID-19 pandemic. This allowed providers to use popular teleconferencing apps, such as Microsoft Teams, Skype, and Zoom. This concession did not extend to public apps such as Facebook, Instagram Live, or TikTok. The concession will likely have an ending date in the near future, which means healthcare organizations should be ramping up their cybersecurity and Mobile Device Management strategy for telehealth.
New reports indicate that the rapid adoption of telehealth vendors has led to a significantly increased attack surface that leaves both patients’ and providers’ personal data at risk. Threats include strains of ransomware that are created to take down entire healthcare IT networks. Ryuk ransomware, for example, infected Universal Health Care Systems networks in September and left them without functional IT systems, which meant they had no way to view patient records.
Security Scorecard and Dark Owl researched the 148 most-used telehealth vendors and found that these providers experienced an increase in targeted cybersecurity attacks. Their research found:
- A 117% increase in IP reputation security alerts, such as malware infections, phishing attempts, and other attack vectors that cause IP reputation issues
- A 65% increase in patching cadence findings
- A 56% increase in endpoint security findings
- A 42% increase in FTP issues
- A 27% increase in RDP issues, likely because Remote Desktop Protocol use increased with remote workers
- A 16% increase in application security findings
“There was evidence of prolific and emerging threat actors selling electronic patient healthcare data, malware toolkits that specifically target telehealth technologies, and strains of ransomware that are uniquely configured to take down healthcare IT infrastructure,” according to a joint press release from the two firms.
How Does Mobile Device Management Help Telehealth Providers?
With the expansion of telehealth providers there has also been a commensurate increase in remote workers. This means that the digital footprint these organizations need to protect has become much larger than what they were previously used to. Mobile Device Management (MDM) is a technology that provides monitoring, management, and security for mobile devices such as laptops, smartphones, and tablets. Such devices are frequently used to access, modify, and transmit sensitive data such as electronic Protected Health Information (ePHI), which is any personal health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.
Healthcare organizations can more securely accommodate a broader Bring-Your-Own-Device (BYOD) strategy during this age of remote work by leveraging an MDM tool in their cybersecurity and HIPAA compliance strategies. Implementing and properly configuring an MDM tool helps to mitigate your risk of a data breach.
MDM can also help your organization maintain HIPAA compliance by allowing you to set various restrictions on managed mobile devices. HIPAA compliance requires an organization to have policies and procedures to protect information systems—and the ePHI they contain—from unauthorized access. MDM tools help to enforce these policies and procedures by setting restrictions such as device passcodes, app restrictions, encryption, compartmentalization of the organization’s data (that is, keeping it separate from the user’s personal data and preventing it from being shared to apps outside the organization’s control), and many other useful security parameters. When implemented correctly, MDM helps an organization to minimize the likelihood of an intentional or accidental HIPAA violation.
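The restrictions listed above are the kind of checks an MDM platform evaluates before a managed device is allowed to reach ePHI. The following is an added example, not code from this post, from Corsica Technologies, or from any MDM product: it evaluates constructed device inventory records against a baseline covering passcode, storage encryption, minimum OS version, data compartmentalization, and app restrictions, and derives a conditional-access decision from the result. The attribute names, the baseline values, and the app bundle ids are all assumptions made for the example.

```python
"""Added example: evaluating managed devices against an MDM-style HIPAA baseline.

Illustrative code only; the device records, attribute names and baseline
values are constructed and do not come from any real MDM platform.
"""
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    """One normalized inventory record as an MDM export might provide it."""
    device_id: str
    owner: str
    passcode_set: bool
    passcode_min_length: int
    disk_encrypted: bool
    os_version: str              # dotted version string, e.g. "16.4"
    managed_container: bool      # org data kept in a managed workspace
    share_to_unmanaged_apps: bool
    apps: list[str] = field(default_factory=list)


# Constructed baseline; real values come from the organization's policy.
BASELINE = {
    "min_passcode_length": 6,
    "min_os_version": (16, 0),
    "blocked_apps": {"com.example.unapproved-chat"},   # hypothetical bundle id
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '16.4' into (16, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: DeviceRecord, baseline=BASELINE) -> list[str]:
    """Return every baseline violation for the device; an empty list means compliant."""
    findings = []
    if not device.passcode_set:
        findings.append("no device passcode")
    elif device.passcode_min_length < baseline["min_passcode_length"]:
        findings.append("passcode shorter than baseline")
    if not device.disk_encrypted:
        findings.append("storage not encrypted")
    if parse_version(device.os_version) < baseline["min_os_version"]:
        findings.append("OS below minimum version")
    if not device.managed_container:
        findings.append("org data not compartmentalized")
    if device.share_to_unmanaged_apps:
        findings.append("org data can be shared to unmanaged apps")
    blocked = baseline["blocked_apps"].intersection(device.apps)
    if blocked:
        findings.append("blocked apps installed: " + ", ".join(sorted(blocked)))
    return findings


def ephi_access_allowed(device: DeviceRecord) -> bool:
    """Conditional-access decision: only a fully compliant device may reach ePHI."""
    return not evaluate(device)


# Constructed sample inventory: one compliant device, one with several gaps,
# and one that only lacks a passcode.
SAMPLE_DEVICES = [
    DeviceRecord("dev-001", "nurse.a", True, 6, True, "16.4", True, False,
                 ["com.example.ehr"]),
    DeviceRecord("dev-002", "billing.b", True, 4, False, "15.7", False, True,
                 ["com.example.ehr", "com.example.unapproved-chat"]),
    DeviceRecord("dev-003", "md.c", False, 0, True, "16.1", True, False, []),
]


def compliance_report(devices=SAMPLE_DEVICES) -> dict[str, list[str]]:
    """Map each device id to its list of findings."""
    return {device.device_id: evaluate(device) for device in devices}


if __name__ == "__main__":
    for dev_id, findings in compliance_report().items():
        status = "COMPLIANT" if not findings else "BLOCKED"
        detail = "" if not findings else " - " + "; ".join(findings)
        print(f"{dev_id}: {status}{detail}")
```

The point of separating `evaluate` from `ephi_access_allowed` is that the same findings feed two controls: the access decision blocks a non-compliant device immediately, while the full findings list goes to the help desk or the user as remediation steps, which is how MDM platforms keep enforcement from turning into silent lockouts.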
How Does Mobile Device Management Help Healthcare Workers with ePHI?
Electronic communication has become an integral tool in the healthcare industry, especially in modern-day remote work. Remote workers are now able to perform activities such as appointment setting, processing payments, submitting insurance claims, patient referrals, and retrieving lab results. As discussed above, privacy is a major concern when working with ePHI, particularly remotely. But because MDM protects ePHI without impeding the aforementioned conveniences, it truly presents a win-win outcome for the organization and its remote workers.
As a healthcare provider, your number one priority is patient care. Partnering with a healthcare IT provider like Corsica Technologies helps you focus on that goal by guiding you to the best path forward. Our number one priority is ensuring that your systems are protected and reducing the risk of your organization becoming a news headline for a data breach. If you are interested in learning more about our services and how MDM can help your workforce, you can read more here or schedule a call with one of our security professionals.
Ross is the CISO at Corsica Technologies. He has achieved CCIE Security and CISSP certifications, an MBA from the University of Notre Dame, and has 20 years of experience in the fields of computer and network security engineering and consulting. Ross provides virtual CISO services for clients and helps them to identify information security risks and implement administrative, procedural, and technical controls to mitigate them. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.