A version of this article was updated on April 19, 2024.
Many health care organizations turned to telemedicine, telecare, telehealth, and other video-teleconferencing (VTC) platforms to serve their patients during the COVID-19 pandemic. These platforms provided remote services while protecting patients and health care workers and ensuring social distancing.
Since then, these telemedicine services have become more reliable and popular due to advances in information and broadband technologies, allowing medical and other health and care professionals to offer remote, interactive services to consumers, patients, and caregivers. However, this growth has also opened the door to many new cybersecurity threats.
Telehealth options may have changed how health care providers can offer care, but staying alert to cybersecurity threats in a landscape that continues to change is crucial.
Below is an overview of cybersecurity threats associated with telehealth and how to manage them.
Background on Rising Cybersecurity Threats
Due to the increased use of VTC platforms that began during the pandemic, cybercriminals have shifted to innovative attack methods that focus on VTC and telemedicine platforms. Cybercriminals are attracted to new technologies because vendors, in order to get systems to market, sometimes don’t properly patch or secure them, making for easier targets.
Telehealth systems use internet connections to host meetings and send sensitive information, such as personally identifiable patient information, protected health information, and payment information, all of which make them prime targets for attackers who can sell this information or use it for identity theft.
The use of these tools also expands the health care provider's attack surface to include the following:
- Patient home network and device
- Third-party vendors hosting platforms
- Provider networks and systems
There are a number of risks with using and relying on the platforms, such as:
- Increased exposure to ransomware attacks
- Denial of service attacks
- System failures
- Identity and access management complexities
- Increased compliance scope
- Interoperability issues with legacy IT infrastructure
- Unpatched software in patient and provider environments
- Increased third-party vendor risk
Cybersecurity Solutions to Match the Threats
With the increased use of VTC, it’s important to have a business associate agreement (BAA) in place with your vendors, along with sound cybersecurity practices, to help mitigate the risks that accompany using these platforms.
Combat Cybersecurity Threats in Online Meetings
The following list of actions can help organizations to maintain security and privacy:
- Set meetings to private—not public
- Require a meeting password or use the waiting room feature to control admittance
- Require multifactor authentication when accessing the system
- Manage screen-sharing options
- Ensure users have the most up-to-date version of their VTC application
- Use end-to-end encryption during communications—often not included in free versions of software
- Provide meeting links directly, not on social media
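The checklist above can be turned into an automated audit of scheduled meetings. The sketch below is an added example, not code from the article or from any VTC vendor: the settings record, its field names, the host-only screen-sharing policy, and the minimum client version are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical settings record; field names are assumptions, not a vendor API.
@dataclass
class Meeting:
    topic: str
    visibility: str            # "private" or "public"
    password_required: bool
    waiting_room: bool
    mfa_required: bool
    screen_share: str          # "host_only" or "all_participants"
    e2ee: bool
    client_version: str
    link_on_social_media: bool

MIN_CLIENT = (5, 17, 0)  # constructed value; take the real one from vendor advisories

def parse_version(text):
    """Turn '5.9' into (5, 9, 0); an unparseable version counts as outdated."""
    try:
        parts = [int(p) for p in text.split(".")]
    except ValueError:
        return (0, 0, 0)
    return tuple(parts + [0] * (3 - len(parts)))

def audit(m):
    """Return the checklist items this meeting fails."""
    checks = [
        (m.visibility == "private", "meeting is not private"),
        (m.password_required or m.waiting_room, "no password or waiting room"),
        (m.mfa_required, "MFA not required"),
        (m.screen_share == "host_only", "screen sharing open to all participants"),
        (parse_version(m.client_version) >= MIN_CLIENT, "VTC client out of date"),
        (m.e2ee, "end-to-end encryption off"),
        (not m.link_on_social_media, "link shared on social media"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample export: one compliant visit, one misconfigured session.
SAMPLE = [
    Meeting("Cardiology follow-up", "private", False, True, True, "host_only", True, "5.17.2", False),
    Meeting("Open intake hour", "public", False, False, True, "all_participants", False, "5.9", True),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.topic, "->", audit(m) or "compliant")
```

Note that a password or a waiting room satisfies the admittance check on its own, matching the wording of the list, and that version strings are compared numerically so "5.9" is correctly treated as older than "5.17".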
Apply Better VTC Practices
Below are some VTC practices that could assist in improving cybersecurity.
- Notify patients of privacy risks associated with the application or platform
- Ensure the platform has enabled end-to-end encryption capabilities and privacy modes, so only the intended parties can participate in communication
- Use HIPAA-compliant vendors
- Don’t use services that don’t have a BAA
Train Employees to Tackle Cybersecurity Threats
Ensure employees have been trained and that cybersecurity awareness training is updated to include instructions on how to use the telemedicine and telehealth software, in addition to precautions concerning:
- Emails and files received from unknown senders
- Opening unknown attachments or clicking on links within emails
- Lookalike domains and spelling errors in emails and websites
- Sharing teleconference links on unrestricted, publicly available, social media posts
Other Cybersecurity Practices for Health Care Providers
There are many threats and risks with using telemedicine and telehealth products that can be mitigated with sound cyber hygiene and best practices.
- Ensure that third-party risk management practices remain in place
- Establish user and event auditing and monitoring solutions that provide real-time alerts
- Employ strong encryption for data at rest and when transmitted
- Require multifactor authentication for any administrative tasks and all employees when connecting remotely
- Conduct frequent third-party assessments to test and evaluate systems for vulnerabilities
- Back up data to an offsite location in an immutable state
- Limit access to sensitive data
- Patch all devices and systems regularly
We’re Here to Help
If you have any questions or concerns about telehealth cybersecurity risks, please reach out to your Moss Adams professional.