2020 Telehealth Survey – Summary of Results, Part 2

Review the original post about the 2020 Telehealth Survey for the first three observations.

Observation #4: Telehealth presents an increase in cybersecurity concerns

It is no surprise to anyone that telehealth presents an increase in cybersecurity threats which is very concerning to healthcare providers and patients alike.

47% of the survey respondents indicated they may have not appropriately addressed the cybersecurity concerns related to telehealth services.

So, what can you do to protect patients and their information from cyber-attacks? Taking a hard look at your internal practices around user management and access, workforce training, vendor selection, and strengthening your network are just a few things you can do. In each section below, we will provide recommendations to protect patients and their data.

User Management and User Access

• Deactivate accounts for personnel who are no longer employed. These accounts are opportunities that can be exploited.
• Limit access to the minimum amount of information necessary for employees to complete their job functions.
• Implement strong password management practices. For example, complex passwords and periodically requiring a password reset.
• Eliminate generic and shared usernames and passwords.
• Monitor access during unusual hours.

Workforce Training

On April 21^st, 2020, the FBI published a warning stating they have seen increases in email phishing attempts leveraging email subject lines and content related to COVID-19. The emails are attempting to distribute malicious attachments, which exploited Microsoft Word Document files, 7-zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft Executables. Often bad actors will disguise themselves as someone you know to trick you into sharing sensitive information. They often pretend to be someone you trust, such as your CEO or a client.

• Train your workforce members to spot potential email phishing.
• Train your workforce members to be suspicious of unsolicited attachments, even from people they know.
• Train your workforce members to notify their IT support of anything suspicious so they can warn others and block potentially harmful websites.

Vendor Selection

In this notice from Health and Human Services they acknowledge, “Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.” Therefore, they “will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” However, organizations should have a plan to revisit any telehealth implementation that may not have followed their typical implementation plan.

• Involve IT, Compliance, and Privacy and Security in selecting your telehealth vendor.
• Trust but verify vendor HIPAA compliance. Your vendor should have a formal documented approach to HIPAA compliance.
• Know where your data is and how it is being protected.

Network Monitoring and Management

On April 23^rd, 2020, Health and Human Services Cybersecurity Program published a document describing COVID-19 Cyber Threats, including known infected websites and examples of real phishing campaigns.

• Keep your workforce educated on how bad actors are exploiting the pandemic.
• Blacklist access to websites known to be unsafe, especially after receiving a phishing email that redirects users. This is a fast and easy way to block access in case anyone clicks the link.
• Implement an Intrusion Detection System. These types of systems provide early detection and provide you with an opportunity to stop data leakage early in an incident.

Download 31 cybersecurity tips for your business

Observation #5: Organizations have not incorporated telehealth into their compliance program

There are many areas of compliance an organization must consider when implementing telehealth. A significant amount of respondents acknowledged that their organizations have concerns when it comes to integrating telehealth within their overall compliance programs. (2020 Telehealth Survey - Summary of Results, Part 1 touches on several areas of compliance.)

• 21% of organizations have not included telehealth in their compliance program.
• 30% of organizations state they have cybersecurity concerns with telehealth
• 30% of organizations state they have privacy concerns related to telehealth

In HHS’s notice, it states, “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” Take note of the last part of that statement; if organizations have had to react quickly to implement telehealth, they should put together a plan to step back and identify areas of non-compliance and develop a remediation plan. When the public health emergency ends, this notice of discretion will most likely be lifted. Let’s highlight some of the HIPAA standards you should review during your regular compliance committee meetings.

• Only authorized users should have access to ePHI and that access should be limited to the minimum necessary.
• Implement secure communication strategies to protect the confidentiality, integrity, and availability of ePHI at rest and while in transit.
• Develop monitoring procedures to prevent accidental or malicious breaches.

If your implementation plan initially did not include obtaining a Business Associate Agreement with your telehealth vendor, execute one as soon as possible. Covered Entities are directly liable for obtaining a HIPAA compliant agreement.Organizations and patients are both concerned about privacy while using telehealth services. Be prepared to educate patients about the steps that you are taking to secure their confidential information. It is also important to let patients know that you take your obligations to protect their information seriously.

In summary, the rush to implement telehealth solutions as a reaction to COVID-19 has placed healthcare providers and their patients at risk. As stay at home orders lift and patients attempt to return to normal, healthcare providers should shift their focus to compliance, especially if they will continue to use telehealth services to see patients.

‍Subscribe to our email list to stay tuned for the latest content, media, and discussion on telehealth.