A Centers for Disease Control and Prevention (CDC) report noted a 154% increase in telehealth visits in March 2020, over the previous period in 2019. But digital mechanisms for data access, sharing and storage put these data at risk. The 2021 X-Force Threat Intelligence Index report ranked healthcare seventh in its “Top 10 industries by attack volume.” A “barrage of ransomware attacks against hospitals” was at least partly responsible for placing healthcare in this most egregious of top 10 lists. With more telehealth and related digital mechanisms used to deliver healthcare, the sector looks set to experience further cyberthreats. That’s why healthcare data security standards are more important than ever.

What is ePHI?

Telemedicine requires that health data is shared, viewed, stored and worked on as electronic protected health information (ePHI). ePHI comes under the remit of protected health information (PHI), and in the United States, ePHI is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

What are some of the common data security threats in healthcare telemedicine?

A recent Threatpost poll of 159 healthcare industry participants explored best practices in delivering telemedicine healthcare. The poll pointed out some of the biggest security threats in healthcare when using telemedicine to deliver healthcare services. Some of the highlights from the report include:

Increasing risks of telemedicine: 72% of respondents noted an increase in targeted cyberattacks on telehealth devices and networks in the previous nine months.

Increase in attack volumes: In line with the X-Force report, the Threatpost poll found a general uptick in attack volumes, with 37% of respondents seeing an increase of 25%.

Risky business: 58% see virtual healthcare visits as a cybersecurity risk.

Areas of risk: 58% of respondents said that data breaches were the biggest risk area.

Virtual meeting platforms: The platforms used to deliver telemedicine, including Zoom, may have security vulnerabilities, with 35% of respondents saying that insecure video-conferencing platforms were a risk.

HIPAA delivery portals: The portals used to deliver medical images and prescriptions could have exploitable vulnerabilities, and 25% of respondents agreed that these platforms were a risk.

Home networks: Patients using home networks may be accessing telemedicine devices via insecure connections and in privacy-compromised settings.

Data in the cloud: Telemedicine means that patient data is moved and stored using cloud technology, and 58% of poll respondents believe this increases the risk to that data. The result is that the data is at risk from Business Email Compromise (BEC) and phishing attacks as well as insecure APIs.

Also, and in line with the data coming from X-Force, ransomware was another major challenge identified in the Threatpost poll. 17% of respondents believed that the digitization of patient data placed that data at risk, and 11% pointed out that purpose-built telemedicine IoT devices were an added risk to patient data.

Telemedicine best practices to mitigate cyber risk

The risk to patient data is evident in the move to cloud-based systems, which depend on sharing and storing data, often over insecure networks. The Threatpost poll also elicited respondents' views on their own best practices for dealing with these risks. The poll delivered five key areas that should be prioritized as best practice to protect telemedicine-based healthcare:

Data integrity and proper cloud configurations: 22.6% of respondents suggest this as a best practice priority. Cloud misconfiguration is behind many cyberthreats and attacks. This is backed up by a McAfee report that found an enterprise has around 2,269 misconfiguration incidents, on average, per month.

Patching: Ensuring prompt security patches was seen as a best practice priority by 21.3% of respondents of the poll. A report from Edgescan concurs and suggests that patching needs to be consistent but can be a challenge in live production environments. The Edgescan report found that the average time to patch an internal system is 50 days, but this increased to 71 days for an internet-facing system.

Third-party app vetting: Any telemedicine apps must be checked as a priority for vulnerabilities, according to 20.8% of those polled. An investigation by Approov into mobile health apps found that 30 of these apps, all from large healthcare technology companies, had vulnerabilities making them susceptible to a broken object level authorization (BOLA) attack.

Endpoint protection: The remote healthcare methodology of telemedicine means that more endpoints are needed. This naturally expands the attack surface. Robust endpoint protection, smart enough to deal with polymorphic and fileless malware, is seen as a best practice priority by 20.1% of the Threatpost poll respondents.

Insider threats: 13.2% of those polled said best-practice efforts to prevent insider threats should be a priority. Insider threats cover a whole gamut of incidents and can be accidental as well as malicious. With patients being an integral part of sharing and potentially storing sensitive data, this adds a complex layer to protecting data.

Making telemedicine safer

Healthcare is a challenging area to work in, and the technology that serves it must work for a wide variety of stakeholders. The data that is used to transform patients’ lives and help medical practitioners deal with the needs of patients must be protected, both for compliance and as an ethical stance. Best practice implementation can help alleviate the risks to these data but must be done as a layered approach and not in isolation.

Sources:

Threatpost Poll into Telemedicine Best Practises, Threatpost

IBM 2021 X-Force Threat Intelligence Index, IBM

Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic, Centers for Disease Control and Prevention

McAfee Cloud Adoption and Risk Report, McAfee

Edgescan 2020 Vulnerability Statistics Report, Edgescan

Approov mobile health app investigation, Approov

OWASP API Security Project, Broken Object Level Authorization, OWASP

8 of the world’s biggest insider threat security incidents, Infosec