Naturally, the COVID-19 pandemic has put a spotlight on our health care system, the needs of hospitals and doctors, and the care of patients. Although questions about health care inevitably spark spirited public policy debates, there is widespread agreement on the two major factors that get in the way of achieving our goal of better, more efficient health care delivery. One, of course, is cost, and I think it’s safe to say we’re not going to address that here.
The other one is manpower. What, you may ask, does cybersecurity strategy have to do with addressing the large and growing gap in health care providers for our societies? In a word: Telemedicine.
Telemedicine is a game-changer. It allows our already-stretched legions of doctors and nurses to “see,” diagnose and treat patients in a digital environment, rather than forcing a patient to come into a physical office, clinic or emergency room. And while in-person care is obviously essential for many health issues, telemedicine is ideal for many other scenarios.
Maybe a harried parent can’t take her sick child to an emergency room. Maybe you have a chronic condition that needs close monitoring, but you don’t need to go to a doctor’s office every month. I regularly use an oximeter and blood pressure cuff, and my data is safely and securely streamed to my doctor for evaluation and, if necessary, action.
This not only benefits the patients, but also the practitioners and their business organization. Whether health professionals work for a large hospital or a small private practice, telemedicine allows them to help more patients within a given timeframe, while being freed up to devote more in-person time for problematic cases that require face-to-face interaction.
Telemedicine is getting popular, especially as the healthcare industry is forced to adapt to remote work.
In New York, the Hospital for Special Surgery—widely acclaimed as a leading orthopedic surgery center in the world—transitioned the vast majority of its 400 doctors and nurses onto a telemedicine platform within days of ceasing all elective surgeries. And in the United Kingdom, the health care system went from handling fewer than 1% of appointments via a video link to a scenario where 100% of doctor assessments took place by phone.
Of course, telemedicine is not new. Much of the dramatic uptake in telemedicine adoption can easily be attributed to the pandemic. But don’t make the mistake in thinking this is a temporary development: This is the beginning of a new normal for health care delivery. This is not a stop-gap for the next year or two; it is a permanent shift.
Which brings us to a critical point: Cybersecurity in a telemedicine environment. There are a few key considerations that health care leaders must pay attention to.
For healthcare industry administrators, chief medical officers, chief information security officers and tech-savvy practitioners undoubtedly centers on the devices. After all, many doctors and nurses working remotely are likely accessing telehealth applications and patients’ health care data through personal devices, home networks and personal cloud services. It’s impossible to expect every health care professional to always follow responsible cybersecurity hygiene. Without an on-site security or IT professional, medical professionals working from home must take extra care to ensure that their devices have the proper security controls, identity authentication and security patches.
But the cybersecurity issues go beyond devices. While we all may worry that we are being eavesdropped upon, the bigger issue is the data itself. Yes, it’s true that hackers will try to exploit any weakness in the security chain by listening to conversations, but we should be much more concerned with the data. For hackers, medical records are tasty.
However, the biggest concern is that medical professionals are pushing data from devices over networks to data centers and to the cloud. Vital signs, insurance information, identities—all of these are prime targets for hackers.
There is also a lot of Dark Web behavior to account for. Think about your own consumer online browsing and buying experiences. For instance, if I go to Amazon and buy a tent to go camping, the next thing I know, I’m being served camping-related ads from Facebook and Google. That unwanted inundation could easily take place in health care, and from less-than-reputable sources. It may be annoying to be served with ads for quack remedies and fake cures, but think about what happens when your spouse starts receiving ads for life insurance after you have received a tele-diagnosis of acute heart disease that you have not yet disclosed.
Patients Have to Be Secured
Fortunately, while these are legitimate concerns, the current state of cybersecurity for telemedicine applications is solid, and it will get even better as adoption spreads. It comes down to thinking through all potential weak points in the telemedicine workflow for protected health information (PHI) data. This must include making well-thought-out choices on who should have access to that data.
First, make sure you know what the organization is doing to ensure that its systems, workflows and devices are not the weak link. While you can’t control everything (like the security settings on a doctor’s Android device), you can understand where data is coming from, where it is going, and how it is behaving from the device to the network to the cloud to the data center.
Second, you may want to think about partnering with device manufacturers on improved telemedicine security controls and protocols. I’m not just talking about well-known computing endpoints like notebooks, tablets and smartphones. Think about “smart” Internet of Things devices like dialysis machines, heart monitors and pacemakers. If you have the right ecosystem, it will be a lot easier for practitioners to embrace the technology and use it responsibly.
Everyone must keep in mind that if the patient is not safe—or does not feel secure—you’re going to have bigger problems than cleaning up a data breach or dealing with a compliance audit. You’ll be facing a crisis of confidence by the very patients that telemedicine is designed to help.
Good luck, and please be safe.