As coughs and body aches drive anxious Americans to telemed services in record numbers, relieving the burden on medical facilities stressed to breaking with COVID-19 cases, the accompanying relaxation of privacy requirements puts patients and providers at risk of PHI compromises, cyberattacks and privacy violations.
The shift to online medicine has resulted in the dissemination of a massive amount of personal health information (PHI), a treasured target of cybercriminals, a trend that’s likely to persist until health officials get the virus in hand. American Well, a provider of telehealth services, said across all states its patient visit volume is up about 257 percent over what is normal this time of year. Two of the country’s biggest COVID-19 hotspots are showing much larger increases with Washington State up about 700 percent and New York by 312 percent.
The federal government has already taken the important step of deciding that health issues outweigh other concerns. The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The primary change allows the agency to use its discretion as to whether to enforce HIPAA violations related to telehealth during the COVID-19 nationwide public health emergency.
“A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients,” OCR said on its website.
OCR is allowing professional medical practitioners to use several popular consumer video chat applications, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth services without risking HIPAA penalties from OCR. The agency did draw the line at Facebook Live, TikTok or similar apps, forbidding them from being used for telehealth services. Additionally, all available encryption and privacy modes should be turned on, and patients should be informed that these platforms may present a privacy risk.
Patient privacy may be little more than an afterthought in the development of the numerous apps that are quickly springing up around the world to allow patient-doctor communication. In some cases, scraping valuable patient information might even be part of the apps' business model.
Heather Federman, vice president of privacy and policy at BigID, is concerned that apps, even well-known products, haven't updated privacy policies to explain how medical data will be handled. Apps often sell data, and some don't sanitize patients' PII, which is a serious issue.
“Services are collecting data for health purposes, but could they be using it for other reasons?” she said.
Privacy and data security issues are not unexpected as technology surges into the market amidst the coronavirus crisis. “With such a hasty shift from traditional on-premises health services to Telehealth, many enterprises have not been able to think through all the security, risk, and privacy implications of the transition,” said Rick Holland, CISO and vice president of strategy at Digital Shadows. “Once security and privacy teams have had an opportunity to come up for air, they should conduct risk assessments and red team exercises of the Telehealth model.”
American Well said it has been able to scale up its current slate of products and services with an eye toward protecting security and privacy. It has boosted its virtual infrastructure with more servers, CPUs and memory and is rolling out a new cloud infrastructure to increase its ability to grow even further. Video capacity was boosted by 10 times in just the last week and technical support staffing is also growing to address the needs of clients, providers, and patients as volume increases.
But companies will have to make cybersecurity and privacy their priorities after the crisis passes since the successful implementation of telemed services now will lead to wider adoption when the pandemic has diminished. Future services, including in-home medical devices that are used in conjunction with remote medical help, must be built from the ground up with security baked in.
“For companies deploying remote monitoring devices, the devices should be built in a way that reduces their attack surface area,” said Jonathan Dixon, Principal Consultant at the Crypsis Group. “This can be accomplished by removing, disabling, or restricting services, applications, and/or user accounts that aren’t required to run the client-side application.”
That would include forcing the local admin account associated with a device to use a strong, randomly generated password that is rotated on a regular basis and requiring multifactor authentication.
The same level of care needs to be taken on the software side, Dixon said. Companies hosting web-facing APIs must build in detection and prevention. This can be handled through a proxy that monitors all web requests coming into or leaving the app. Such a proxy enables firewalls to block unauthorized access and helps build and store records that can then be used in the event of a data incident.
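One way to sketch the proxy check Dixon describes, as an added example that is not code from the article, Crypsis or any telehealth vendor: each request is authenticated against a token table (hypothetical token values, constructed here), repeated failures from one client are flagged for detection, and an audit record is stored that deliberately keeps the request body's size but never its content, since the body may carry PHI.

```python
import time
from collections import defaultdict

# Constructed stand-in for a real token validation service; hypothetical values.
VALID_TOKENS = {"tok-clinician-7f3a": "clinician-17", "tok-patient-91cd": "patient-4402"}

FAILURE_THRESHOLD = 3          # repeated auth failures from one client raise an alert
AUDIT_LOG = []                 # records retained for incident investigation
_failures = defaultdict(int)   # consecutive auth failures per client address


def inspect_request(req, now=None):
    """Decide whether to forward a request and write an audit record.

    req is a dict with keys: client_ip, method, path, headers (dict), body (bytes).
    Returns (allowed, reason). The audit record logs only len(body), never the body.
    """
    now = now if now is not None else time.time()
    auth = req.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    subject = VALID_TOKENS.get(token)

    if subject is None:
        _failures[req["client_ip"]] += 1
        allowed, reason = False, "missing or invalid bearer token"
        alert = _failures[req["client_ip"]] >= FAILURE_THRESHOLD   # detection
    else:
        _failures[req["client_ip"]] = 0
        allowed, reason, alert = True, "authenticated", False

    AUDIT_LOG.append({
        "ts": now, "client_ip": req["client_ip"], "subject": subject,
        "method": req["method"], "path": req["path"],
        "body_bytes": len(req.get("body", b"")),   # size only, no PHI
        "allowed": allowed, "reason": reason, "alert": alert,
    })
    return allowed, reason


def failure_count(client_ip):
    """Current consecutive-failure count for a client address."""
    return _failures[client_ip]
```

In a deployment the alert flag would feed the firewall or a SIEM rule, and AUDIT_LOG would be written to append-only storage rather than kept in memory.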
And privacy requirements need to be firmly reiterated. Tony Anscombe, ESET's chief security evangelist, noted that the lack of enforcement, and the allowance of dicey apps, should not outlive the crisis.
“Unprecedented times should not result in any long-term removal of our privacy rights, especially in cases where legislation has been rushed through to allow the fulfillment of medically urgent needs for data collection or use,” he said.
This thought was echoed by Federman, who said that in times of emergency the need to roll back some privacy enforcement or civil liberties may be justified, but these rollbacks should be tied to a set time period and not left open-ended.
“My problem is that once you have power it's hard to set it aside,” she told SC Media, adding that having strict time limits in place is not even part of the conversation now.