Pivot to Telehealth Brings New Benefits and Risks
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
The Coronavirus pandemic is changing how people receive healthcare with a shift to more remote diagnosis options being rolled out as a first line of care. The advantages are many, but as an unfortunate result, healthcare data breaches will begin to spike once again!
Evolution of Healthcare Benefits
Telehealth options, where patients are engaged remotely, makes a lot of sense. If someone is feeling ill, a remote session can be setup with a medical professional for initial evaluation and diagnosis, rather than have them show up to their doctor’s office. This capability for remote preliminary assessments enables many wonderful benefits for both the patients and the healthcare system.
Remote examinations are much more convenient for all parties. Nobody enjoys getting ready and going to a doctor’s office, especially when feeling under-the-weather. It is inconvenient and time-consuming. There always seems to be a wait and sick people are not known for their patience. Physicians are under constant pressure to reduce the delays as much as possible.
Scheduling sessions with an accurate start-time creates a more structurally efficient use of medical resources. In fact, the online-doctor does not need to be the primary care physician or even geographically local to the patient. An available clinician can be paired based upon the type of ailment. For simple issues, initial triage may be good enough for a diagnosis. Seasonal colds, allergies, and simple infections may only require a prescription for medication that can be picked up by the patient, thereby avoiding the need for an office visit entirely.
Being sick doesn’t always happen during office hours. During busy periods, finding an available appointment to see a doctor may take days. For those who have children, there is always a late-night weekend fever that is nerve-racking for parents because they cannot get in to be seen by their doctor. In many cases, the only other option is expensive emergency care. Whereas an online care system may be able to staff resources from around the globe, covering all hours of every day, to provide initial care.
Centralized scheduling can match available doctors with patients to reduce wait time and give doctors in the office more time with patients that need hands-on examinations. Meeting online with a medical professional first, acts as a filter to reduce the workload on care facilities, as not everyone needs to go to the doctor’s office.
Online services may prove to be safer for everyone as well. As the recent Covid-19 pandemic has shown, people can spread contagious ailments in doctor’s offices. Care providers and other patients are at risk. Remote assessments eliminate the chances of further transmission across patients and staff.
Telehealth is much more convenient for all parties, represents an improved model of efficiency for medical resources, reduces the spread of contagious ailments, and allows for a decentralized approach to care that could allow for round-the-clock appointments! This may be the next evolution of the modern healthcare system.
The Data Risks Emerge
Such outstanding benefits and convenience will fuel a rapid adoption and in doing so, create additional risks. Patient-doctor conversations, normally made in a private room, will be done over the internet. Personal concerns, health measurements, diagnosis, prescriptions, and other sensitive data will be collected remotely and therefore have a greater level of exposure. Data will be gathered, stored, and transmitted across potentially insecure systems and networks. Patients are currently using their personal computers and phones, which may not be very protected.
Security is often left on the wayside during rapid digital transformations. The rush to deliver and scale telehealth tools and services will stress development and testing cycles. Often in such situations, the priority is to achieve first-mover-advantage, get products to market as soon as possible, keep costs low, or optimize for performance. The challenges of hardening products are complex and time-consuming. Cybersecurity is often deprioritized, ignored, or relegated to something that will be addressed ‘sometime’ in the future.
Evolution of Networks, Devices, Applications
Health data has tremendous value and has been heavily targeted in the past. The U.S. healthcare industry has seen tremendous impacts over the past few years with massive data breaches, culminating in 2015 when about 35% of the U.S. population had their health records exposed in a single year. Many hard lessons have been learned and as a result, cybersecurity efforts to secure the legacy healthcare data infrastructures have improved over the past half-decade. It has been a slow process.
Rapid innovation in remote services will spawn new devices, services, interfaces, applications, and processes. Each of which represent potential vulnerabilities for the mishandling of data or a foothold for attackers to exploit. Without well designed, tested, and maintained security, attackers will find it easy to compromise new tools and gain access to patient data and private conversations.
Patient's identities, locations, vitals, medications, diagnosis, and medical histories might be exposed. Sensor data will also be vulnerable. At first, it may be basic and limited to heart rate, blood pressure, respiration, oxygen saturation, temperature, and glucose levels.
Eventually, more advanced home healthcare devices will be commonplace, that will allow more than just vitals to be taken and sent to doctors remotely. As testing also becomes more decentralized, new solutions may be able to scan for illegal drug use, sexually transmitted diseases, contagious virus and bacterial infections, and even include scanning devices that could detect cysts, cancers, and other diseases.
Privacy risks rise with the increased quantity and sensitivity of data. More solutions create greater complexities and opportunities for attackers. In essence, the Covid-19 pandemic is driving the industry to adapt in better ways for servicing patients while simultaneously accelerating down the path where privacy is in greater jeopardy.
Proactively Managing the Risks
The security, safety, and privacy of patients must be a priority as healthcare expands to embrace remote solutions. Thinking that cybersecurity can be bolted-on after deployment, is a common mistake that many times results in catastrophic consequences. Necessary investment and commitment must be established early-on for the highest positive effect. The healthcare and insurance industries must move strategically to establish strong and sustainable protections.
10 Healthcare cybersecurity best-practices:
- A cybersecurity expert should be on either the Board of Directors or Advisory Board, to advise and drive corporate responsibility from the top.
- Have the right cybersecurity leadership to establish, oversee, and manage the program. They must represent and communicate the risks and solutions that support the overall business objectives.
- Invest in proper DevOps security capabilities and integrate them into the development process.
- Include vigorous security testing for products and services before release and bug-bounties after
- All products and services must be designed to be patched, in the event new vulnerabilities are found, and fail in a manner that is safest for patients.
- Clearly define privacy policies and institute compliance controls that will be tested and audited.
- Logically link the requirements for security, privacy, and safety to the quality assurance testing and validation processes.
- Design solutions to persistently protect patient data at rest, in-use, and in-transit with trusted industry solutions and configurations.
- Have crisis response plans defined and be capable of executing them efficiently and effectively with business partners.
- Work with the industry community of cybersecurity professionals. No company knows everything. Leverage the experts.
The healthcare industry is at an important moment of change. Tremendous benefits are within reach for patients and care providers, but the cybersecurity risks cannot be overlooked. There is an opportunity to deliver great improvements to healthcare while properly managing the accompanying risk. It takes leadership, forethought, and the skills to execute a strategy that will protect and respect the very patients that healthcare has vowed to help.