COVID-19 has ushered in the mass acceptance of telehealth, with so much optimism and excitement around the technology. But like many new technologies, the initial use is rushed and not well thought out with many providers trying to figure out the right technology, best practices, and optimal patient experience. We have seen temporary waivers to telehealth laws to accommodate this need, with some of those becoming permanent policy. This gives confirmation that telehealth is here to stay.
With the rush to deploy, accommodate, and acclimate users to the process of telehealth, HIPAA enforcement discretion was relaxed, which ultimately led to usage being less than secure. Healthcare organizations know that using FaceTime to administer telehealth is not ideal or secure, but they were trying to do the best that they could, with the resources that they have.
A good parallel example is electronic health records (EHR). Meaningful use drove mass adoption, and EHRs were quickly rushed to ensure maximum reimbursements. Many of these initial EHRs had failed implementations or since initial deployment, have been replaced by better systems. The initial patient experience was not optimal as providers struggled to use these new technologies while providing a similar patient experience that they had in the past. Subsequently, providers complained they had to focus too much on using the technology and not enough time talking and listening to patients.
Patient and provider experience was not the only issue. Cybersecurity and safeguards around the treasure trove of electronic PHI was not a priority during the rush to implement EHRs 10 years ago. Fast forward, and today healthcare is under attack by cybercriminals. Data breaches and ransomware of healthcare clinics and hospitals dominate the headlines. Healthcare is desperately trying to catch up and implement the cybersecurity needed to protect the enormous amount of patient information that has been created.
Some may view telehealth as an extension of EHRs. Regardless of your view, cybersecurity around telehealth is absolutely critical. Imagine if recorded private sessions between providers and patients were stolen and disclosed publicly. The damage to a patient that had their sessions publicly exposed can be orders of magnitude more damaging than electronic charts in an electronic health record. Intimate details that patients share with trusted providers could reveal information that could lead to blackmail, loss of employment, or even worse, depending on how damaging or embarrassing the information is. The impact to a medical practice or hospital could be so great, that these organizations may not be able to recover from the damage to their reputation.
Unlike the rush to implement EHRs to satisfy meaningful use requirements, Telehealth implementations need to be well thought out, and cybersecurity needs to be planned alongside the technology and not treated as an afterthought.
Employees are the leading cause of data breaches. The ease in which employees can be socially engineered and tricked is well known to cybercriminals. Cybercriminals will continue to target weak and untrained employees. They will use phishing to trick employees into revealing credentials, downloading ransomware, or providing access to sensitive patient and telehealth resources.
Telehealth offers so much promise to both patients and providers. But healthcare needs to learn from EHR miscues and ensure that providers’ and patients’ experiences are optimized, and that cybersecurity is implemented alongside the technology and not an afterthought.
Welcome to the brave new world of telehealth medicine. We have an opportunity to do it right, let us maximize that opportunity and ensure that we are using updated and secure platforms, that our policies and procedures are in place to not only protect the patient but our businesses as well.
When COVID-19 subsides, and enforcement discretion disappears with it, it will be the businesses that were forward-thinking and planning NOW for a secure future that will be standing strong. The medical industry has to provide progressive, safe, and forward-thinking healthcare, and today that means incorporating smart and updated cybersecurity in their practice.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.
HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.
Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. Over 90% of breaches get caused by human error according to Kaspersky Lab, and if you’re not educating users HOW to protect your organization in this ever-changing threat landscape, your organization could be next. LEARN MORE