A recent Department of Health and Human Services’ Office of the Inspector General audit revealed a number of challenges providers are facing when attempting to employ telehealth for behavioral health services, which directly impacted the providers’ ability to effectively use the platform to support patient care.
Of the 37 state Medicaid providers audited by HHS, 27 reported privacy and security challenges when using telehealth, including issues with obtaining patient consent, securing data, and protecting patient privacy. The biggest challenge was provider and enrollee training.
Most programs also reported connectivity issues caused by limited internet connectivity and concerns that stem from the cost of implementing and maintaining the telehealth infrastructure. The challenges reported by these state-based programs reflect the issues faced by non-profit and other private sector healthcare organizations, as well.
In response to the COVID-19 national emergency, HHS issued enforcement waivers for the use of telehealth technologies that would typically fall outside of The Health Insurance Portability and Accountability Act compliance.
The move led to a boom in telehealth adoption across the country, which is expected to last long after the end of the pandemic. However, there’s no standard for securely adopting telehealth. HIPAA has some platform and security requirements, while stakeholder groups have key recommendations for a secure infrastructure, such as the American Telehealth Association.
But what about the organizations that swiftly adopted telehealth in response to COVID-19, or those with limited staffing and resources?
As Mohammad Jouni, chief technology officer of Wellframe, explains, the trouble is some of the organizations that adopted telehealth technologies weren't really equipped around best practices for engaging with telehealth, including providers and states offering telehealth care.
“The infrastructure and technology they have in place, doesn’t match the privacy and security needs of these platforms,” said Jouni. “From an evaluation perspective, there are also vulnerabilities in the efficacy of the chosen telehealth solutions.”
Low-resourced providers face uphill battle
The companies that have successfully adopted telehealth platforms have done so by building infrastructure to support the solution and employing managed services through cloud offerings. The entities found it was easier to scale from the performance element, as well as the privacy and security requirements, explained Jouni.
For example, a cloud vendor could scale up controls to address privacy concerns, offering the best privacy and building new products that specifically targeted the data element in healthcare verticals. Major vendors like Google, Amazon, and Microsoft Azure have been marketing these managed services to secure and standardize healthcare data that enables healthcare vendors to ensure best practices and privacy and security is top of mind.
“If we were deploying that infrastructure ourselves, or we weren't following these stock companies, it would have been really hard for us to match the security offerings,” said Jouni.
That’s all well and good for the healthcare delivery organizations with ample budgets able to more readily adopt large-scale tech adoptions. But what about the majority of small- and medium-sized providers, or rural healthcare systems that have been driven into the red financially as a result of the pandemic?
“It’s not going to be feasible for the IT teams at these providers to deploy and manage this type of infrastructure,” said Jouni. “This is where adequate vendor management comes into play. What they have to do is offload the [infrastructure project] to vendors.”
By reviewing the list of current vendors and the controls they have in place, lower-resourced providers can determine if they have adequate controls in place and to effectively monitor telehealth services. What’s truly missing, however, is a standard framework for what is expected by those providers from HHS or another government agency
“The challenge is that without a framework that spans every entity and informs best practices, it's very hard to implement [the needed telehealth infrastructure],” said Jouni. “And HIPAA isn’t enough.”
Effective technical controls
Without a standard, how then can providers be expected to securely adopt these necessary technologies?
To Jouni, this is where it’s critical for providers to ensure that any data in transit is secured. One way to accomplish this is by leveraging TLS that supports the highest standards applied for any communication shared via telehealth or other remote technologies.
Encryption is another important element for telehealth. Providers must leverage end-to-end encryption, as well as encryption for shared files or via other secured challenges, like a file transfer service.
Ideally, APIs would be standardized and secured using TLS and other capabilities, already in use for consumer environments. As previously reported, HHS is moving the healthcare sector toward an API-based data movement for interoperability and info blocking initiatives
But as recent data shows, the lack of a standard leaves security to the app developers and API implementers — with mixed results. The vast majority hold a number of vulnerabilities that directly place patient privacy and security at risk. As APIs become more standardized, Jouni believes it will “become easier to implement and adopt.”
But one of the largest problems right now is how the data is segmented and laid out. Once the data leaves the secure environment, such as an electronic health record, the provider doesn’t “have control over that data anymore.” As providers often have to overshare data with vendors, the risks are further amplified.
The best case scenario would mean outside parties and employees only have access to the data they need to perform their duty or contracted service, which would substantially reduce unnecessary access points and overall risk.
Addressing human risks
Providers must routinely provide staff with supplemental training on phishing and social engineering threats, along with other security best practices “because people are the weakest link in the security chain,” Jouni explained. At a minimum, the training should be performed annually and during the onboarding process.
As telehealth solely relies on provider interactions with patients, it’s important they understand these risks, the common threats posed by the technology to the healthcare infrastructure, and how to respond to cyber incidents, like phishing attacks.
John Riggi, American Hospital Association’s senior advisor for cybersecurity and risk, recently explained that reducing user-induced risk “is a never-ending challenge.” Providers with limited budgets must understand that continuous education of end users on the nature and targeting tactics of cyber threats is “the most cost effective means to reduce end user risk.”
Previous data published in JAMA confirmed that user education successfully reduces cyber risk in healthcare. Riggi explained that “educating end users as to the latest tactics and techniques being used in phishing emails and credential theft social engineering schemes has proven very effective in reducing end user induced cyber risk.”
“Of course, this education must be reinforced through constant phishing tests and a wide array of end point technical protection tools such as behavior-based and signature-based antivirus programs,” he noted.
Duke Health leadership also provided insights into their successful phishing and enterprise-wide security awareness training at the recent ISC2 conference.
A recent survey from the American Medical Association shows telehealth use around 20% as patients shift back into in-person, a steep decline in numbers from the high 80% seen during the pandemic height. But stakeholder groups are urging Congress and HHS to expand telehealth use, further amplifying the need to tackle the privacy and security challenges now.
