By Emily Newton, Editor-in-Chief at Revolutionized Magazine
Telemedicine has redefined the healthcare sector. While remote care technologies existed before the COVID-19 pandemic, their adoption surged as in-person health visits fell out of favor. Now that these solutions are common and the initial hype has quieted, telemedicine security has taken center stage.
Like many recent tech trends, telehealth’s adoption outpaced any concerns around it amid the pandemic. Now, medical organizations and security professionals must reflect on these systems and ensure their use doesn’t jeopardize their users’ security.
Telemedicine’s Rapid Growth
Many technologies grew as the pandemic altered demand, but few surged as dramatically as telemedicine. Telehealth Medicare visits experienced a 63-fold increase, rising from 840,000 in 2019 to more than 52 million in 2020. These virtual meetings accounted for as much as a third of total visits in some specialist sectors.
While this growth has since slowed, telemedicine will remain a staple across the healthcare industry. Usage of these platforms is still 38 times higher than pre-pandemic levels, accounting for 13-17% of all visits. Regulations have also adapted to enable longer-term telemedicine usage, and more insurers now cover virtual visits.
These trends point toward telemedicine remaining a standard practice within American healthcare. As the technology develops and the regulatory landscape continues to clear, it will likely grow more, albeit not at pandemic levels. This growth is good news for tech companies and the patients it helps, but it brings telemedicine security into question.
Telemedicine Security Concerns
Despite its many advantages, telemedicine carries several significant security risks. Medical information is highly sensitive, so sending it between various potentially unsecured devices should raise alarms.
Ensuring patient privacy is easier in conventional settings. The only people who hear medical info are the patient and doctor in the room, and packets hide information by design to keep senders’ and receivers’ info private.
With telemedicine, this information must travel over the internet, making it vulnerable to man-in-the-middle attacks. To keep data safe and compliant, healthcare providers and laboratory specialists can use software to make sure protected health information (PHI) is removed before the data is transmitted. Removing this information protects patient data and keeps people safe in the event of a security breach.
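As an added illustration (not code from this article or from any product it mentions), the following Python shows one way software can remove PHI from a lab record before transmission: an allowlist of outbound fields, pattern redaction of free-text notes, and a final check that refuses to send if an identifier survives. The field names, patterns, and sample record are constructed assumptions, and the patterns are not an exhaustive list of identifiers.

```python
import re

# Assumed outbound schema: only these fields may leave the provider network.
# An allowlist drops unknown fields by default, unlike a denylist.
ALLOWED_FIELDS = {"test_code", "result_value", "units", "notes"}

# Identifier patterns that commonly leak into free text (illustrative, not exhaustive).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "MRN": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scrub_text(text, known_names=()):
    """Replace identifier patterns and the patient's own name parts with labels."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    for name in known_names:
        text = re.sub(rf"\b{re.escape(name)}\b", "[NAME]", text, flags=re.IGNORECASE)
    return text

def deidentify(record):
    """Return a copy of record that is safe to transmit, or raise ValueError."""
    names = str(record.get("patient_name", "")).split()
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "notes" in out:
        out["notes"] = scrub_text(str(out["notes"]), names)
    if "collected_date" in record:  # keep only the year of an ISO date
        out["collected_year"] = str(record["collected_date"])[:4]
    # Fail closed: refuse to send if any identifier pattern survives in any field.
    leaks = sorted(label for label, p in PATTERNS.items()
                   if any(p.search(str(v)) for v in out.values()))
    if leaks:
        raise ValueError(f"possible PHI left in outbound record: {leaks}")
    return out

# Constructed sample record; every value is fictional.
SAMPLE = {
    "patient_name": "Jane Doe", "ssn": "123-45-6789", "address": "12 Example St",
    "collected_date": "2021-03-14", "test_code": "HBA1C", "result_value": 6.1,
    "units": "%",
    "notes": "Jane reports fatigue since 03/02/2021. MRN: 00123456. "
             "Callback (555) 010-1234 or jane.doe@example.com.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Pattern matching cannot find every name or address in free text, so the allowlist and the fail-closed check do most of the work here; notes fields that must be transmitted still warrant review.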
Telemedicine also means there are more endpoints with access to this sensitive data. Consequently, as telehealth adoption grows, so do hospitals’ attack surfaces. These attack surfaces include remote patients’ personal devices, not just hospital hardware, making networks harder to secure.
Attackers could intercept patient data from telehealth services and hold it for ransom or sell it on the Dark Web. Alternatively, they could breach third-party apps’ databases and alter patient information, potentially leading to medical mistakes in the future.
Has Security Kept Pace?
The healthcare sector was already a prime target for cybercrime, and telehealth could increase its vulnerabilities. Worryingly, early signs suggest the industry’s cybersecurity hasn’t evolved as rapidly as its telemedicine adoption.
Data breaches in healthcare rose by 35.6% in the second half of 2020, with the number of breached patient records increasing by 180%. While this rise is likely the result of many factors, not just telehealth, it paints a poor picture of telemedicine security. Even if the attacks don’t stem from telemedicine, their increase makes telehealth’s vulnerabilities more concerning.
Telehealth-specific security remains largely insufficient, too. More than half of telehealth providers say their clinicians have used insecure apps like Zoom or FaceTime to conduct appointments. Similarly, 72% run legacy operating systems on their equipment and 32% have experienced cybersecurity issues from third-party vulnerabilities.
Improving Telemedicine Security
Telemedicine security must evolve if this technology is to be more beneficial than risky. Thankfully, as cybersecurity has become a more prominent issue, more apps and providers have taken steps like encrypting telemedicine communications. Here are some other steps the industry should follow to improve these services’ security.
Identity and Access Management
One of the most important controls for telemedicine systems is identity and access management (IAM). Given medical data’s sensitivity and telemedicine’s dispersed nature, these networks need strong IAM measures to ensure only authorized parties have access. That means verifying the identities of both the doctor and the patient.
Multi-factor authentication (MFA) remains a top IAM strategy, as it’s virtually impossible to compromise all three factors needed to sign in. Consequently, all telehealth accounts should use MFA by default to prevent unauthorized access.
IAM controls should apply to devices, too. If patients’ or hospitals’ endpoints can’t verify their identity, the telehealth system should deny their access to patient records. The more closely these networks can resemble zero-trust architecture, the better.
Verifying Device and App Security
Next, medical organizations should verify the security of their devices and apps before using them. Mainstream consumer apps like Zoom are too vulnerable to use in these applications. Hospitals must use healthcare-specific solutions that provide sufficient protections, like end-to-end encryption and HIPAA compliance.
Healthcare providers must also review apps’ data policies before using them. It’s important that these third parties collect as little data as possible to mitigate any potential breaches.
Similarly, hospitals should ensure the devices they run these apps on are secure. Moving past legacy hardware, keeping all operating systems up-to-date, and using reliable anti-malware solutions are crucial security steps.
Any staff members using telemedicine platforms should also undergo cybersecurity training. Basic human error accounted for 31% of all healthcare data breaches in 2019, even before telehealth introduced new vulnerabilities. Reducing the likelihood of these errors is critical to telemedicine security.
Anyone with access to these solutions should practice strong password management and know how to spot phishing attempts. Regular refresher training sessions can help ensure good practices remain at the top of their minds, too.
Since breaches can also come from the patient side, telehealth apps should inform users of the current best practices. Requiring strong passwords and MFA by default is a good first step, but these platforms should also warn users of threats like phishing and teach them how to stay safe.
Telemedicine Must Become More Secure
Telemedicine could help make healthcare more accessible and efficient than ever before. However, all professionals involved should address the technology’s security risks to ensure they don’t jeopardize this future.
The healthcare industry’s security practices have yet to keep pace with its telemedicine adoption, but sufficient defenses exist. If more telehealth apps and healthcare providers realize the need for and implement these controls, telemedicine can become secure enough to use safely.
Emily Newton is the Editor-in-Chief at Revolutionized Magazine. A regular contributor to Brilliance Security Magazine, she has over four years of experience writing articles in the industrial sector.