New Guidance on Securing Telehealth Data Issued
Asset management, endpoint protection, implementing monitoring capabilities, encryption, and data loss prevention tools can all help reduce the risk of cyberattacks on telehealth systems.
In the healthcare industry, one byproduct of the pandemic has been the popularity of telehealth, fostered by technology that allows patients and medical practitioners to meet face to face in lieu of in-person visits.
Much like the work from anywhere trend, post-pandemic, telehealth isn't going anywhere. In fact, in Congress, the American Medical Association is backing a bill that would ensure all Americans can access telehealth services once the pandemic ends.
With telehealth's continued usage, it makes sense that organizations are still trying to reiterate the importance of safeguarding patient data during these exchanges. To that end, this week, a public health group circulated new guidance for industry organizations, vendors, and service providers to follow in order to ensure patient data is kept secure during remote care.
The Healthcare and Public Health Sector Coordinating Council (HSCC), a working group made up of industry associations, issued the guide, Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT). It was shared by the American Hospital Association, which acknowledged the importance of telehealth expansion and noted that all stakeholders share responsibility for ensuring their services do not negatively impact the privacy or security of patient data.
While only 33 pages, the HIC-STAT is a lot to digest: it is replete with valuable guidance, attack scenarios, and advice from both a basic and a technical standpoint.
In the first section, the council digs into why telehealth is a target for hackers: mainly because providers are easy targets, but also because protected health information (PHI) and personally identifiable information (PII) can be lucrative on the black market. As part of the section, HSCC included statistics on the uptick in malicious attacks telehealth providers experienced in 2020:
- 117% increase in website/IP malware security alerts
- 65% increase in security patching of known vulnerabilities
- 56% increase in endpoint vulnerabilities that enable data theft
- 16% increase in patient-accessed web application vulnerabilities
- 42% increase in file transfer protocol vulnerabilities that expose information travelling between a client and a server on a network
- 27% increase in remote desktop protocol security issues given the widespread adoption of remote work
The guide also digs into how policies should be deployed in order to address environments that conduct telehealth sessions, and best practices for maintaining telehealth programs.
To ensure sensitive data is kept secure, the council encourages organizations to carry out continuous monitoring, to roll out end-user training and awareness where possible, to require users to provide unique credentials to access that data, and to ensure that user and event activity can be logged.
In addition to the above, the council writes, it is important to understand the risks to data and the controls that apply to it in the first place: prioritizing whether confidentiality protections need to be applied, whether the data is PHI or PII, and what type of encryption needs to be deployed.
While there isn't technically a federal agency with the authority to establish and enforce privacy and security requirements for telehealth, according to the paper, organizations should apply the HIPAA Privacy and Security Rules so they can, at a minimum, "maintain security and privacy consistent with those of all other forms of care." This means implementing safeguards like authentication, data protection, and data encryption.
Data loss prevention tools in particular can help ensure sensitive data management by identifying and tracking movement and usage, the document says.
The HIC-STAT can also serve as a helpful guide for organizations when it comes to auditing how their IT systems measure up. There is guidance on how to assess and evaluate telemedicine solutions and how organizations can comply with state-specific data privacy and telehealth cybersecurity laws, of which there are many.