Telehealth has skyrocketed in use because of the pandemic, and therefore any cybersecurity issues that come up are not just data-related – they’re patient-safety issues. Because telemedicine technology has been adapted so quickly, it’s made the industry an even bigger target for hackers.
Ransomware, data theft, and fraud were just some of the issues plaguing healthcare cybersecurity as telehealth took off in the pandemic’s face. In March of 2020, Health and Human Services Secretary Alex Azar reported that hackers were attempting to access the federal health agency’s network. This attack caused the servers to overload because they were receiving millions of hits – presumably from bots. This attack was unsuccessful, but if it had been successful the consequences could have been massive.
Cybercriminals made another attempt at data theft with a website that had a fake COVID-19 map. This map held no accurate information, and when users visited it, it infected their computers with programs that were funneling sensitive data to the hackers.
Telehealth is an important part of patient care, especially in a post-pandemic world, so taking steps to protect the availability of telemedicine, patient data and other information is just one step towards taking care of your patients.
What is telehealth and why is it important?
Telehealth is a way to receive physician care without making an in-person appointment and can be done by general practitioners all the way to vision care. This option is great for people who are busy, out of town or burdened with financial or health restrictions that may keep them from going to the doctor in-person.
This option is great for patients who may need to return to the office multiple times a month, as it keeps their daily life more regular. Patient monitoring is just one aspect of telemedicine that’s available to physicians and mental health professionals; some things, like vision exams, can be done entirely over the phone or computer.
If you’re a patient, you can also have your prescriptions renewed via telehealth, upload images of things such as moles or other dermatology related ailments, and even video call with your physician on-demand from the comfort of your home.
Cyber Risk 1: Billing Fraud
Billing fraud is when employees submit personal invoices, fake invoices, or inflate the cost of their services. This might look like getting charged twice on your invoice or receiving invoices that are outrageously priced. Fraudsters may generate multiple invoices or payments to vendors that are non-accomplices.
This is a cybersecurity issue, because when you use telemedicine, your financial information is given to a system, and that system can be hacked, and sometimes the person stealing information is someone who works with the system.
In October 2020, the Department of Justice charged 345 people with healthcare fraud, which included doctors, nurses, and other medical professionals in 51 federal districts. This represented $6 billion in losses, and about $4.5 billion of those losses were in telemedicine.
According to the documentation that was presented to the judges, 86 telemedicine executives paid doctors and nurse practitioners to have them do unnecessary procedures, testing, and fulfillment of pain medication scripts without patient interaction of any kind.
Cyber Risk 2: Ransomware Attacks
According to the Cybersecurity & Infrastructure Security Agency, the healthcare field is a huge target for ransomware attacks due to the sheer amount of information that healthcare facilities store. The ransom will almost always be paid because that information is vital to patient care.
Ransomware attacks start out as malware and this malware encrypts files so that they are inaccessible to the victims. The user will receive instructions on how to receive a decryption key, and the cost may range from hundreds to thousands of dollars. Most often these ransoms are requested as Bitcoin.
Cyber Risk 3: Social Engineering Schemes
A social engineering attack is a form of psychological manipulation. This is often seen in the form of phishing attacks where patients are tricked into giving confidential information, and it is also seen with water-holing. Water-holing is a social engineering attack that infects both the user’s computer and the website they visited.
These types of attacks prey on people’s psyche, hoping to convince them they’ll be in trouble if they don’t do whatever the email says. The one thing every social engineering attack has in common is that there is a very human element to it.
Cyber Risk 4: Data Theft
Unlike social engineering, data theft is more automated. Bots are created to infect computers, breakthrough firewalls, and steal data. This is crippling to the healthcare community, but especially to the telehealth community, where all of their patient data is stored on servers.
Recently, The Doctors Company, an insurance firm that focuses on medical malpractice, published “Your Patient is Logging on Now: The Risks and Benefits of Telehealth in the Future of Healthcare.” According to this report, data theft in telehealth opens a new door for those in the telemedicine business to be sued for malpractice regarding people’s data once HIPAA restrictions are placed back on telehealth services.
Cyber Risk 5: Phishing Scams
Phishing scams are such a threat to the telemedicine community because these scams use video, emails, voice messages, and texts to appear as if they’re from a legitimate provider. This means you have to be diligent about what you answer and the information you give. It can cause trust issues among patients and their telemedicine providers.
Phishing is the most common type of cybersecurity scam, often sent as emails or voicemails. These emails or voicemails seem like they’re from a provider, perhaps from a payroll service, the help desk, or some other service you might deal with.
They’re trying to lure you into giving them information – either by clicking a link in an email or by calling back a phone number and providing information to them over the phone.
These emails or voicemails show up when you least expect them. Always research the email that sent you something if they’re requesting important information from you.
What Can Telehealth Providers Do?
Telehealth providers must protect their client’s data. Remote or local unauthorized access to data is a threat to confidentiality agreements and can further compromise the telehealth provider’s ability to be available for patients. The following are cybersecurity recommendations to help protect the telehealth community, patients, and businesses.
According to Clearwater Compliance, healthcare IT should “follow NIST Standards by implementing the NIST SP 800 series and the NIST Cybersecurity Framework,” which is a type of government-sponsored business security framework. If you cannot implement both, implement at least one of them.
You should be constantly assessing the risk of anything that receives, sends, or maintains electronically protected health information, or ePHI, within your business. Your assessment needs to continue to your network, infrastructure, and data storage departments as well. Discover all the weak links and how best to fix them.
You should assess your system’s cybersecurity with a focus on what would garner a hacker the most money versus the least, and how vulnerable areas might be attacked; design and implement a plan in case of attack.
Telehealth providers should also design a risk-response system or program that can accept, avoid, transfer, or mitigate the risks you identify in your system. It should take steps to repair the issues and quarantine areas of infected infrastructure.
Telehealth providers should also try their best to monitor, assess, and respond in real-time. These threats are ever-changing, especially with COVID-19 forcing the world to change. Telemedicine is a great thing, and the cybersecurity risks don’t change that. Teach your patients to be diligent in protecting their information, and ensure that your systems are constantly being prepared against attacks.
Be the first to comment