When the world went (almost) fully remote in 2020, so did healthcare. In the past few years alone, telehealth applications have skyrocketed as a result of increased investments, favourable consumer perception and, of course, ease of accessibility. McKinsey & Company even determined that telehealth use has increased 38X since pre-pandemic times.
The same study by McKinsey & Company also determined that regulatory changes allowed for expanded use of telehealth, and that investment in virtual care had tripled in 2020 compared with 2017. Telus, a Canadian telecommunications provider, also expanded use of its telehealth platform in 2020. Originally called Babylon, and now named Telus MyCare, the platform tripled in customer usage in 2020.
During the pandemic, cyberattacks on healthcare applications have drawn far more attention. According to a 2018 study, a cyberattack on healthcare IT systems takes place somewhere in the world every three days. Such breaches include theft of healthcare information, attacks on hospitals and even attacks on implanted medical devices.
In the US, the Department of Health and Human Services lifted several restrictions on communication apps (such as Apple FaceTime, Facebook Messenger, Google Hangouts, Zoom and Skype) to allow increased use of telehealth services. While this benefits accessibility for users, it also introduces new privacy and data security concerns.
Telehealth applications, much like video conferencing applications, carry risks such as software development risk, loss of personal information, interception of communications, illicit access to stored data, damage to privacy and use for influence operations. Zoom, one of the world's biggest teleconferencing applications, recently faced privacy concerns, including inadequate encryption of communications. Weak encryption leaves room for bad actors to eavesdrop on conversations they are not authorized to access.
Additionally, other areas of concern are discussed below:
Possibly the biggest risk with telehealth applications is human error. Untrained or unaware medical professionals, including doctors, nurses and health receptionists, can inappropriately upload or share sensitive personal health information (PHI), leaving the patient exposed. Outside the medical office, an untrained professional could expose PHI by sending it from a personal email account or by uploading documents to network-attached storage (NAS) devices that sit outside the organization's control.
A lack of standardized security policies for medical professionals working from home leaves a massive gap in the security of PHI. How to handle test results, prescriptions, consultation notes and other records should be spelled out in a security policy. Proper security training also keeps medical professionals informed on how to encrypt data correctly and on the importance of multi-factor authentication (MFA) and antivirus software for protecting sensitive data.
Awareness of cybersecurity concerns is an important first step to mitigating this risk in the healthcare field. Making doctors and health receptionists aware of the proper handling of sensitive data helps ensure that this data stays within a network that is appropriately set up to keep bad actors out.
Phishing is common in every industry, and in people's everyday lives; healthcare is no exception. If a bad actor can trick a user into handing over credentials, or collect enough of a target's communications (email, physical mail, text messages, etc.) to piece together answers to security questions, they may gain access to personal health information stored in telehealth applications.
Training organizations and users to look out for phishing attacks can be a great way to keep cybersecurity top-of-mind.
A healthcare company's supply chain is a particularly susceptible entry point for attackers. Telehealth applications typically connect to an extensive network of suppliers and external services. As mentioned above, phishing, email breaches, employee conversations and other channels through which customer data is transferred are common points of entry, and they are far easier to target than the main database. Additional care and security measures should therefore be applied to these areas.
In September 2020, a ransomware attack on the IT system of a hospital in Germany led to temporary data loss. At the time, it was suspected that this led to a patient's death, as she was unable to receive care in time. In another case, a lawsuit alleged that a baby died in a hospital in the USA because of a ransomware attack in which hackers had shut down the computer system of an Alabama hospital. Both cases show that telehealth security risks go beyond keeping data confidential. Telehealth applications also need to protect the integrity and availability of data to maintain proper care, and the security of the network that delivers medical support to critical patients.
Many telehealth applications rely on a set of proprietary applications or systems linked together within an IT framework. Correct and efficient logging and auditing across this framework is essential for ensuring patient information is protected: every access to a patient record should be attributable to a person, a system and a time, so that misuse can be detected and investigated.
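The following is an added example, not code from the original article or from any telehealth vendor. It shows what "auditing across the framework" can look like in practice once the linked subsystems (here a hypothetical EHR, video and file-share service) emit access events in one normalised schema: the events are correlated per clinician and checked against an appointment list to flag record views with no clinical justification, bulk browsing of many patients' records, and access outside working hours. All log lines, user names, patient identifiers, field names and thresholds are constructed for the example.

```python
"""Added example: reviewing PHI-access audit logs from several linked telehealth
subsystems. Field names, users, patient IDs and thresholds are assumptions made
for this example, not a real vendor's schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed appointment schedule: (clinician, patient) pairs that justify a
# record access on this day, as a scheduling system might export them.
APPOINTMENTS = {
    ("dr_amari", "P-1001"),
    ("dr_amari", "P-1002"),
    ("nurse_lee", "P-1003"),
}

# Constructed audit events (JSON lines) after normalising the EHR, video and
# file-share logs to one schema. nurse_lee's burst of views and the late-night
# reception1 view are the planted anomalies.
AUDIT_LOG = """\
{"ts": "2021-03-02T09:01:10Z", "system": "ehr",   "actor": "dr_amari",   "action": "view",     "patient": "P-1001"}
{"ts": "2021-03-02T09:05:42Z", "system": "video", "actor": "dr_amari",   "action": "session",  "patient": "P-1001"}
{"ts": "2021-03-02T09:31:03Z", "system": "ehr",   "actor": "dr_amari",   "action": "view",     "patient": "P-1002"}
{"ts": "2021-03-02T10:14:55Z", "system": "ehr",   "actor": "nurse_lee",  "action": "view",     "patient": "P-1003"}
{"ts": "2021-03-02T10:15:07Z", "system": "files", "actor": "nurse_lee",  "action": "download", "patient": "P-1003"}
{"ts": "2021-03-02T10:15:09Z", "system": "ehr",   "actor": "nurse_lee",  "action": "view",     "patient": "P-1007"}
{"ts": "2021-03-02T10:15:11Z", "system": "ehr",   "actor": "nurse_lee",  "action": "view",     "patient": "P-1008"}
{"ts": "2021-03-02T10:15:14Z", "system": "ehr",   "actor": "nurse_lee",  "action": "view",     "patient": "P-1009"}
{"ts": "2021-03-02T10:15:16Z", "system": "ehr",   "actor": "nurse_lee",  "action": "view",     "patient": "P-1010"}
{"ts": "2021-03-02T23:40:00Z", "system": "ehr",   "actor": "reception1", "action": "view",     "patient": "P-1001"}
"""

BULK_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 4  # distinct patients in one window before we call it bulk access


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a real datetime, time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_unjustified_access(events, appointments):
    """Flag accesses by an actor who has no appointment with that patient."""
    return [
        (e["actor"], e["patient"], e["system"])
        for e in events
        if (e["actor"], e["patient"]) not in appointments
    ]


def find_bulk_access(events, window=BULK_WINDOW, threshold=BULK_THRESHOLD):
    """Flag actors touching >= threshold distinct patients inside one window.

    Sliding window per actor over time-sorted events. Returns {actor: largest
    number of distinct patients seen in any offending window}.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(distinct))
    return flagged


def find_off_hours_access(events, start_hour=7, end_hour=20):
    """Flag accesses outside the clinic's working hours (UTC; hours are an assumption)."""
    return [(e["actor"], e["patient"]) for e in events
            if not (start_hour <= e["ts"].hour < end_hour)]


def review(text=AUDIT_LOG, appointments=APPOINTMENTS):
    """Run all three checks over the log and return the findings for a reviewer."""
    events = parse_events(text)
    return {
        "unjustified": find_unjustified_access(events, appointments),
        "bulk": find_bulk_access(events),
        "off_hours": find_off_hours_access(events),
    }


if __name__ == "__main__":
    for category, hits in review().items():
        print(f"{category}: {hits}")
```

The appointment check is the one that depends most on the "linked framework" the paragraph describes: it only works if the scheduling system, the EHR and the video platform all identify patients and clinicians consistently, which is exactly what the logging and audit design has to guarantee up front. The bulk-access and off-hours checks are cheap to run on the EHR log alone and catch the pattern behind most insider snooping cases.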
In December 2020, a Harvard Medical Team wrote a letter on the topic of cybersecurity in telehealth, in which it said, "To leverage these technologies, healthcare organizations need to partner with telemedicine and cybersecurity vendors to understand how to best implement and use their infrastructure and products."
This article by CodeCoda discusses the role of artificial intelligence (AI) in providing better security for an application. AI technologies can help identify and mitigate possible vulnerabilities earlier in the software development life cycle (SDLC), before the affected code is released.
Penetration testing as a service (PTaaS) is a largely manual security testing procedure in which applications and networks are regularly tested through simulated real-life attacks. The penetration tester (also called an ethical hacker or security engineer) develops a threat model that identifies specific attack scenarios based on your unique business logic. From there, the tester uses a combination of manual and automated techniques, along with their own creativity, in an attempt to break into your system. The findings are delivered in a detailed report that helps you patch vulnerabilities before a real bad actor exploits them.