As reported in a post by security consulting firm Halock, titled "Taking Care With Telehealth: Health Care. Cyber Care. Duty of Care", virtual visits to physicians doubled from 14% in 2016 to 28% in 2019, according to the American Medical Association. Since then, the spread of COVID-19 has led to a dramatic increase in telehealth, both to comply with social distancing and to relieve overcrowding in medical facilities.
Telehealth services can alleviate the healthcare crisis by caring for patients remotely through video conferencing, apps and mobile phones. Remote monitoring can take the place of office visits for routine checkups. With increased use comes the danger that personal health information can be compromised or stolen if proper security practices are not followed. Security failures could result in HIPAA penalties or other sanctions.
Existing telehealth providers should review their security protocols. Organizations which are starting or considering telehealth must include security in their planning. Some of Halock's suggestions:
- If services are or will be managed by a third party, establish a Business Associate Agreement.
- Make sure systems are adequate to handle increased use.
- Make it clear who has access to the system and what rights each user has; access should be based on "least privilege".
- Make sure physician-patient communications are secure.
- If the facility has a "bring your own device" (BYOD) policy, all devices must have proper security and be HIPAA compliant.
- Have an incident response plan ready if your system is hacked.
If your organization has cyber insurance, review it with your insurance adviser or underwriter to be sure it adequately covers your operations. If you don't have a policy, you will need one now.