Data Security: Telehealth's Achilles Heel?

— Cyberattacks on the rise, can only get worse if problems aren't fixed, experts say

MedicalToday

Recently , a medical malpractice insurance firm, published a report entitled "" Among the five "foreseeable major risks" listed in the report: Telehealth "increases cyber liability, especially when providers are seeing patients from a variety of devices in a variety of locations."

In other words, providers are now opening themselves up to cyberattacks on an unprecedented scale.

Cyberattacks seeking to steal patient data are not new to healthcare or telehealth. But prior to the pandemic, telehealth comprised only a small fraction of medical visits. Beginning in March, however, much of medicine suddenly shifted to the telehealth model, aided by the federal government's temporary relaxation of HIPAA restrictions on telehealth. Many providers began conducting visits on unsecured lines at home.

So, while physicians don't have to worry at the moment about legal liability for cyberprivacy breaches, they still face this and other risks in the future as telehealth becomes part of routine practice.

"We don't really have strong rules of the road; we have healthcare providers operating under really extreme conditions," said Albert Fox Cahn, JD, executive director of the . "It's the wild west right now."

Indeed, hackers have taken to dueling with healthcare providers running the telehealth visits. It is often an unfair fight; providers busy adjusting to and keeping up with telehealth appointments are often a step behind their attackers in preventing damage. "These are medical providers; they're not expected to be IT specialists," said Patricia Carreiro, JD, a cybersecurity and data privacy litigator with Carlton Fields in Miami.

This trend follows growing data security concerns within healthcare at large, including telehealth. Within the industry, more than 41 million patient records were breached last year, according to the patient care analytics firm , with reported hacking incidents up 48.6% over 2018.

The number of data breaches has been growing steadily since 2010, setting a new record in 2019, , with the records of 12.6% of the U.S. population "exposed, impermissibly disclosed, or stolen." Hacking and IT incidents comprised 59.4% of healthcare breaches last year while accounting for 87.6% of breached records. Unauthorized access and disclosure incidents made up 28.8% of data breaches and accounted for 11.3% of breached records.

And those could be undercounts, according to experts and reports; many healthcare entities do not report events, fearing public backlash and harm to their brand.

The size of telehealth's role in data security breaches is unclear, but it is certainly a key factor in what experts and reports are calling a serious runaway problem.

"Ensuring the underlying systems are free from intrusion and that they properly secure patient information is not only critical for providers and patients, it is a regulatory requirement in the United States under [HIPAA]," according to a report by .

A single health record is worth $250-$1,000, of Dassault Systemes, making EHRs an attractive target for cybertheft. Comprehensive examinations of the telehealth data security landscape during the pandemic could not be found. Carreiro noted that public disclosure often lags, in part because victims often aren't immediately aware of attacks.

Still, some recent incidents hint at trends.

'A trembling high wire'

In mid-August, the of some of its clients. The attack targeted remote desktop protocol accounts, which made "tons of personally identifiable information" available across about 200 separate hosts, said Andy Wagoner, a Nuspire director.

A large medical institution was one of the victims, Wagoner confirmed, declining to name it. Other victims include "a Japanese medical university, a [U.S.] hospital, a large EU hospital, a Brazilian medical organization," published Aug. 31.

The attacker captured and sold the accounts -- for $3,000 each, Wagoner said -- across numerous online outlets, and also offered "domain admin" access to the accounts for an additional fee. Wagoner rated the attack an 8 out of 10 "on the egregious scale," noting anyone with access could roam freely on the network.

Nuspire also said total exploitation events across all its clients, which include several healthcare organizations, were up 12.8% in the second quarter over Q1, while botnet events increased by 29% (to 1.6 million).

"COVID-19 introduced new threats as organizations and administrators were forced to protect a sudden and large [work-from-home] model," according to Nuspire's quarterly threat landscape report. "While employees scrambled to build their home offices and get operations back up and running smoothly, attackers did their best to take advantage of the chaos."

The report shows hackers favor targeting older systems that lack the latest security, Wagoner said.

that none of five patient-facing mobile iOS apps it reviewed provided protection against tampering, debugging, or reverse engineering. These apps offer on-demand virtual visits.

The firm also found insecure data transmission methods and authentication vulnerabilities in telemedicine providers' data flows and encryption schemes.

"The baseline performance of most of the apps we evaluated provides adequate levels of security," the report's authors wrote. "In most cases they met the key requirements for transmitting data securely."

But, they added, "It's clear to us that these apps can be reverse engineered, re-packaged and modified to steal data, intellectual property, enable ransomware attacks and could be tampered with in order to disrupt service in a way that would cause damage to their providers' brands and revenue, as well as have negative impact on clinical outcomes."

"The current state of cybersecurity for telemedicine iOS mobile apps used by millions of Americans is alarming and requires immediate attention.... By delivering cybersecurity measures that are not up to the task expected from such apps that collect and transmit PHI [protected health information] data, telemedicine vendors are walking on a trembling high wire."

They concluded: "While we caution readers not to draw too many conclusions from our findings, we do think that many of the results from our research could be safely interpreted to apply to other relevant segments within the emerging connected health industry."

Apps a weak link

Steeve Huin, Irdeto's vice president of marketing and strategic partnerships, said the main problem is that cybersecurity hasn't kept pace with the massive surge in telehealth use, especially with mobile apps.

"There was no malicious intent there [with the apps]; it's usually a case that developers don't have security maturity," Huin said. Developers would typically perform independent vetting checks to safeguard against breaches, however, and he doubts that these apps' developers did so.

"The rapid development and deployment of COVID-19 apps in response to the COVID-19 pandemic" led officials with the , a nonprofit watchdog, 108 android healthcare apps during the pandemic -- including 20 telehealth apps.

The Council's report raises questions about a few telehealth apps accessible in the U.S. Two of those telehealth apps used "concerning" software development kits (SDKs) that may be allowing third parties to access user data, they reported, while three of the apps were actively sharing data with third parties -- primarily Google or companies owned by Google.

"SDKs that would be appropriate in a non-pandemic context were not designed to accommodate the sensitive nature of a COVID-19 app. Consequently, there is a potential for extraneous sensitive information to be sent out in conjunction with the use of these apps," according to the council.

Cybersecurity breaches are not unique to healthcare, but experts and reports note the industry is especially vulnerable because of its records' value and -- some say -- because healthcare as a whole has not embraced data security to the extent necessary to address the threat landscape.

"The maturity of healthcare as a whole is still relatively low, there's still a tremendous learning curve," Huin said.

While most large providers have the resources to arrange for fully functional security, smaller practices may not, especially with a pandemic underway.

"It's easy for healthcare providers to say this isn't the time," Cahn said.

Many of attorney Geoffrey Lottenberg's healthcare clients are not even aware of the security issues associated with telehealth. They are not paying close attention, he said, even though his firm -- in Florida -- tries to advise them.

"Things are a little loose" because of the HIPAA exceptions granted during the pandemic, Lottenberg said. "The real problem is when doctors use consumer-based products" such as Zoom or FaceTime that .

"That's ridiculous," he said.

Moreover, the emergency HIPAA relaxation isn't absolute, Carreiro said. Many provisions remain in effect, including one essentially encouraging providers to try to provide a secure line.

"Hackers absolutely know the guard is down," said Rachel Patrizzo, vice president of cyber liability with The Doctors Company.

If anything, said Lottenberg, providers and patients alike should be pushing for more protection than even what HIPAA requires.

Cahn agreed, noting, "It's alarming to us when looking at how weak HIPAA was in the first place."

Attention must be paid

While telehealth's new prominence is expected to outlast the pandemic, security problems could throw that into reverse if they aren't addressed.

About half of more than 5,000 adults responding to a survey published in August said they would not likely use telehealth again if their data were hacked, , a cybersecurity company that lists more than 1,000 hospitals among its clients.

Roots of the problem extend beyond healthcare, Cahn said. "People keep treating privacy as a luxury. We have failed to invest in national data protection and that undermines the reliability and security of these systems," Cahn said. "We also need enforcement agencies to actually ensure the rules are upheld. If we are not going to have active enforcement, it doesn't matter how good the regulatory structures are."

Security advocates say such measures are essential as telehealth grows. A telling point will come when the pandemic ends; then the longer-term telehealth landscape will come into focus, Lottenberg said.

"The security has to be spot on," said Lynn Sessions, a partner with BakerHostetler in Houston, who specializes in healthcare privacy and compliance. At some point after the pandemic, providers, patient advocates and others need to challenge policymakers and ask what they are doing to secure telehealth data.

Telehealth security is far from a lost cause, experts said. While Sessions has handled more than 700 breaches in nine years practicing at BakerHostetler, for example, she said fewer than 10 have involved telehealth.

Many issues can easily be addressed, experts said, by taking the situation more seriously and applying the right technologies.

Data right now are about as secure as could reasonably be expected, Patrizzo said, considering the circumstances. The security market already offers adequate solutions and many providers have the resources to implement them. "Over time I have no doubt everyone will come up to speed," she said.

Lottenberg recommended providers review their vendor contracts and check the indemnity clause, hire a cybersecurity firm to review their existing network and mine for flaws, and make sure they have an incident response plan. A plan is important not just to be prepared, but also to provide legal cover, he said.

Employee training is also key, Cahn said. Anyone with access to a network needs to know how to prevent an attack via entry points they can control. He also cautioned against letting employees access patient records on their personal devices, including tablets and mobile phones, while they work from home.

Carreiro encouraged providers to conduct an updated HIPAA risk assessment and adjust care policies based on results.

But the biggest obstacle could be physicians' traditional mindset.

"Doctors are notoriously bad at change; I'm as guilty as anybody," said David Feldman, MD, a former plastic surgeon who is now The Doctors Company's chief medical officer. "Technology has taken a long time to get to where it should be.... In healthcare we are years and years behind."


Ryan Basen reports for MedPage's enterprise & investigative team. He often writes about issues concerning the practice and business of medicine, nurses, cannabis and psychedelic medicine, and sports medicine. Send story tips to r.basen@medpagetoday.com.