5 Security Best Practices Every Healthcare Organization Should Know Before Setting up Telemedicine

By Rahul Varshneya, Co-Founder and President, Arkenea
Twitter: @Arkenea

In 2020, healthcare practices across the United States rapidly scaled their virtual offerings in order to make care more accessible during COVID-19. As a result, traffic volumes soared to unmatched levels, with practices seeing 50 to 175 times the number of patients with telehealth than before the outbreak.

While the rapid shift to virtual care has been bringing about never-seen-before transformations in the healthcare space, like in the case of most other positive changes, this one doesn’t come without its unique set of challenges either.

Recent cybersecurity news suggests that healthcare organizations are top targets for cyberattacks and providers continue to be the most compromised section of the healthcare niche, accounting for close to 75% of reported breaches.

Fortunately, a few security best practices can help healthcare providers keep pace.

1) Furnish Optimal Adherence to HIPAA Rules and Regulations
Compliance is one of the processes that forms the crux of and drives security, especially when it comes to healthcare. Therefore, the tools and technology you select for your telemedicine platform should reflect above average expertise with all necessary regulations, with compliance functions permeating processes.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is one of the most important federal laws that regulates exchange of all sensitive patient information in the US and furnishing optimal adherence to it is a must for healthcare providers looking to integrate telemedicine with their practice.

Some of the ways this can be done include:

  • Standard web hosting providers do not have the necessary protections in place. In addition, most times, standard web hosts do not understand what those protections will be needing through their end. Therefore, one best practice here would be to make sure that the hosting service you choose for your telemedicine platform provides HIPAA compliant hosting.
  • Deciding how your telemedicine consultations and other related communications will be secured in transit,
  • Putting thought into how all clinical documentation and recorded consultations will be stored securely after the consultation session has been concluded,
  • Establishing continual monitoring of virtual patient communications and putting enough effort into preventing malicious data breaches involving electronic protected health information (ePHI) from occurring through your end,
  • Establishing a clear set of procedures and policies around who among your healthcare staff is going to be authorized to access ePHI related to telehealth services, as well as when and why this individual is going to be permitted to do so.

Ensuring that you have protocols in place to keep your telemedicine practice in compliance with the changing rules and regulations at all times will help you avoid HIPAA violations and the resultant penalties.

2) Perform Frequent Risk Assessments
Trying to comprehend specific risk issues and the risk level associated with each one of them happens to be one of the most critical components of a robust data security plan. A number of healthcare providers misjudge their level of risk, in part because it is usually difficult to evaluate.

Risk assessments should form an essential part of your security check routines and they should be performed on a frequent interval.

Several established cloud service providers such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud furnish automated security assessment services that aid healthcare organizations in enhancing the compliance and security of applications deployed on their hosting platforms.

These platforms can usually assess applications for vulnerabilities, the rate of exposure, and deviations from best practices. The ideal inspection service should point out programs that allow for potentially malicious access, and produce a comprehensive list of findings prioritized by level of severity.

3) Deploy Proactive Network Security
Cyber threats have steadily become more sophisticated in dodging conventional security measures and more harmful once they get past network perimeters.

For this very reason, providers looking at integrating telemedicine today require a proactive and multi-tiered approach to avert theft of intellectual property, malware-based outages, and exfiltration of ePHI.

A combination of application control, intrusion prevention systems (IPS), and network anti-malware is often recommended by industry experts when it comes to deploying robust network security.

Such proactive solutions are usually a part of managed cloud services that automatically recognize system changes that come across as suspicious, thereafter isolating affected resources and preventing further damage by locking down any server whose configuration varies from the original settings.

4) Encrypt Data Storage
Data encryption is usually the last line of cyber-defense for protected health and other critical patient information. Even if an attacker somehow manages to move past the proactive network security measures in place and exfiltrate data from a particular healthcare provider, that data is going to be absolutely useless for the hacker if it has been encrypted in an efficient manner.

Hence, encrypting all applications and web servers being utilized by your telemedicine platform using a unique master key from a key management system is considered to be a good practice.

Encryption operations generally occur on the servers that host cloud database (DB) instances, ensuring the security of both data-in-transit and data-at-rest between an instance and its block storage. In order to furnish added security, you can also try encrypting DB instances at rest, underlying storage for DB instances, its automated backups, and read replicas.

5) Harden Operating Systems
Linux and Microsoft Windows Server are the most widely used operating systems in telemedicine. Given their popularity, they also both happen to be attractive targets for cybercriminals. The reason: they provide frequently remediate vulnerabilities, complex capabilities, and are extremely common (increasing attackers’ chances of finding an unpatched system).

Hackers often leverage OS-based techniques such as elevation of privilege and remote code execution to take advantage of unpatched operating system vulnerabilities.

Hardened images of Linux virtual machines (VMs) and Windows Server should be therefore employed, using default configurations recommended by the Center for Internet Security (CIS). Such hardened images make gaining OS administrative a daunting task, and coordinate well with proactive security bundles described earlier.

Apart from the ones mentioned above, there are many other security best practices that you can try researching about before integrating telemedicine with your practice. Also, try speaking to other healthcare providers who already have such solutions in place. Doing this will provide you with a brief idea of the things you should be doing and the ones you should keep away from.

Remember, maintaining optimal security for the smooth functioning of your organization is going to be an ongoing process. Therefore, don’t get too heavy on your pocket and try to deploy only those solutions that cater to your practice’s requirements.