How to protect telemedicine from cyber attacks
When it comes to healthcare targets that criminals want to hit with a cyber attack, a telemedicine consultation might not immediately come to mind. But in fact, telehealth is a ripe arena for cyberattacks.
There are critical strategies for healthcare organizations to strengthen their defenses against cyberattacks in the virtual healthcare landscape. As more patients access care virtually, organizations must prioritize timely software updates, secure communication channels, and identity verification methods to protect sensitive health data.
Healthcare providers must take a proactive stance on cybersecurity, ensuring both patient trust and compliance with industry standards such as HIPAA and HITRUST, says George Pappas, CEO of Intraprise Health, a cybersecurity company recently acquired by Health Catalyst.
Healthcare IT News sat down with Pappas to discuss these and other topics at the intersection of telemedicine and cybersecurity.
Q. What types of attacks on telehealth programs is the industry seeing and why are criminals choosing to attack telehealth programs?
A. The healthcare industry is witnessing an increase in cyber attacks characterized by a common sequence: first intrusion, the step where attackers gain access to a system, followed by lateral movement to find vulnerabilities, as attackers seek credentials to gain access to sensitive data and assets.
Telehealth programs have become increasingly attractive targets for cybercriminals due to their rapid expansion and critical role in patient care. As these programs integrate more technology and data, they may exhibit a wide variety of vulnerabilities that can be exploited.
Once inside, cybercriminals can copy, seize or encrypt data while neutralizing backups, which is a hallmark of classic ransomware attacks. Furthermore, various forms of malware can cause operational damage, in addition to data theft and corruption or damage.
The first breach often occurs through a variety of tactics, with phishing being the most common method. Phishing scams trick users into unknowingly installing malware or sharing their login credentials and email access. This allows attackers to gain access to the system.
Q. What makes telehealth a valuable target?
A. It starts with the business model. Many healthcare systems outsource their telehealth services to third-party organizations. These organizations employ physicians, physician assistants, and nurses who are connected to a patient portal or other front-end access methods. At the middle and back ends of the delivery stack, these telehealth providers are qualified to work within the electronic health record, write prescriptions, and access patient billing systems.
Additionally, the same virtual provider can serve multiple healthcare systems under different contracts, meaning that if one virtual provider is compromised, it could potentially impact the many healthcare systems they serve.
Next, consider the technical and administrative access environment. Many of these virtual providers work from home and rely on personal devices and home networks to perform their tasks: using a PC with a personal mobile phone for authentication (a situation often called BYOD or Bring Your Own Device – times two).
This creates numerous vulnerabilities, such as the risk of home network intrusions, device compromise, and unauthorized access to login credentials. Questions arise about the security of home networks: are routers and WiFi sufficiently protected? Do family members have access to other online services that could lead to burglary? While virtual private networks can provide some protection, they are not infallible.
Finally, the clinical and operational access rights required for telehealth increase risks. Providers need access to EHR data, electronic prescribing of both regular and controlled substances, and other support services such as imaging and laboratory work. They also process co-payments and electronic payments, exposing protected health information and payment card industry information in a single cybersecurity incident.
These factors make virtual healthcare delivery an attractive and valuable target for cybercriminals due to the many vulnerabilities in the supply chain, creating significant opportunities for exploitation.
Q. What are some of the tactics CISOs, CIOs and other healthcare security leaders should use to protect sensitive health data in telehealth programs?
A. When working with a third-party telehealth provider, the first step is to conduct a comprehensive risk assessment of their technical, administrative, and physical controls related to their virtual delivery environment.
First: the management of virtual providers. Evaluate how they manage their virtual providers, including their training, credentialing, ID proofing and ongoing monitoring. How are controls at assurance level managed? These controls allow for controlled substances in place of standard prescriptions.
Second: network configuration and security. Assess how they handle the security of their distributed network. Do their providers work from home or in a controlled office environment?
Third: privacy concerns. Address privacy concerns, such as how home office environments can expose sensitive materials on screens.
And fourth: ensure their environment is continuously monitored and determine what insight you have into their compliance with established practices. This may include phishing testing and a current assessment and inventory of credential access.
Implement a highly isolated network access point within your IT infrastructure to protect your primary network from potential intrusions that may arise from your telehealth provider. Additionally, define controls for services, payments and other sensitive functions within your operating agreement with the provider.
To further enhance security, continuously conduct phishing and penetration testing to assess the security of your provider’s staff and infrastructure.
Q. How can hospitals and healthcare systems adopt a proactive cybersecurity posture specific to telemedicine to ensure both patient trust and compliance with industry standards such as HIPAA and HITRUST?
A. Hospitals and healthcare systems can improve their cybersecurity by integrating their telehealth providers’ security measures into their overall security strategy. This includes continuously monitoring the risks associated with their telehealth provider and tracking their progress in mitigating those risks, just as they do for their internal operations.
In this context, the telehealth provider acts as an extension of the healthcare system, directly impacting patient interactions and access to PHI. HIPAA compliance is critical because it establishes specific controls for security risk assessments and privacy access for privacy breach risk assessments. HIPAA serves as a baseline standard that all covered entities must follow under the HITECH Act of 1996.
The increasing recognition of cyber threats to patient safety and healthcare delivery has led to several regulatory and legislative efforts. New York, for example, has become the first state to mandate cybersecurity practices that exceed HIPAA requirements.
This trend is likely to continue, with federal proposals from the White House and Congress aimed at improving cybersecurity risk management and increasing accountability for organizations that fail to comply with the new standards.
HITRUST is another important framework that goes beyond HIPAA and NIST 2.0. It was developed by combining multiple International Organization for Standardization standards into a coherent and comprehensive assessment tool. Current legislative and regulatory initiatives suggest a move toward the standardization of these frameworks for healthcare systems of different sizes.
Follow Bill’s HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication