One of the most prominent “silver linings” of the COVID-19 crisis has been the rapid adoption and acceptance of telehealth tools. But as healthcare organizations rush to implement these platforms, they may be making themselves vulnerable to improper access and cyberattacks. Experts from LexisNexis Risk Solutions and BridgeCare Health Network say that a whole-team approach is needed to address the challenge.
Removing Telehealth Barriers
For many, the digital transformation of the traditional in-person visit has been a long time coming. Adoption of telehealth prior to the pandemic had been growing but at a slow pace – held back by technology, cultural and reimbursement barriers. All of those were washed away when COVID-19 arrived in full force.
In March 2020, the Centers for Medicare & Medicaid Services (CMS) expanded the services that it would pay for when delivered via telehealth. With this 1135 waiver, doctors, nurse practitioners, clinical psychologists and licensed clinical social workers are able to offer telehealth services to patients. In addition, these telehealth visits are now considered “the same as in-person visits and are paid at the same rate as regular, in-person visits.” With this action, CMS removed the reimbursement barrier.
The need for physical distancing removed the cultural barrier. With no other way to see patients, clinicians were forced to adopt telehealth technologies. Even those who preferred in-person visits began to see patients via video chats and telephone. It turns out that remote consultations aren’t as bad as patients or clinicians worried they would be.
As for the technology barrier? Well, let’s just say that this was a perceived barrier and not an actual one. Established telehealth platforms have been stable and fully functional for a while.
HIPAA Still Applies
As all of these barriers came down in rapid succession due to COVID-19, telehealth took off. Many organizations rushed to implement or expand the use of telehealth platforms. Not surprisingly, there are consequences to hastily implemented technologies.
I recently spoke with Erin Benson, Senior Director of Market Planning from LexisNexis Risk Solutions (a company that combines, analyzes and delivers data + analytics to optimize quality, performance, and impact in healthcare) and Michael Archuleta, CIO of BridgeCare Health Network – Mt San Rafael about the vital role cybersecurity and identity management play in healthcare today.
Both experts point out that as access to health information grows – through more staff and more in-house systems like telehealth – more effort is needed to protect that information. Simply put, more systems = more points of cyber vulnerability.
“As we all know, the Office of Civil Rights under HHS has really relaxed some of the enforcement activities on the utilization of telehealth,” says Archuleta. “Some of the issues I have seen from a cybersecurity standpoint is the promotion of tools like Facebook Live, Twitch and TikTok. What we have to realize is that the use of these tools is still not allowed. At the end of the day HIPAA still applies.”
What Archuleta is saying is that even though HHS might not be out policing HIPAA right now, that doesn’t absolve you from the need to protect health information. He goes on to say that with telehealth in particular, it is critical that healthcare organizations be able to verify the identity of the patient. How do you do that? Identity Management.
Identity Management is Key to Telehealth
“Identity management, at its core, is making sure that the right person is getting access to their information and that the wrong people are not getting through,” explains Benson. “And not only that it’s a real identity that’s trying to get access to the system, but that you are actually who you say you are.”
Telehealth solutions represent hundreds and in some cases thousands of new access points to an organization’s systems. Not only do you have staff needing the telehealth app on their phones, tablets and desktops, but now patients need to access the system via their own personal devices.
“When you think about all those access points, you then need to find ways to authenticate those individuals,” continues Benson. “It can be as simple as looking at the device they are logging in with and determining that there is nothing suspicious about the device itself. You could also do things like one-time passwords or knowledge-based authentication questions.”
Team Effort Needed
Both Archuleta and Benson stressed that identity management is just one part of an overall cybersecurity strategy. It is important but by no means the only thing that organizations need to do. Tackling cybersecurity requires a team effort.
Benson is a strong proponent of a team approach, adding that a segmented view of cybersecurity responsibility can be a pitfall. According to Benson, LexisNexis has been hosting focus groups for a few years, and they’ve found that viewing cybersecurity as an “IT department problem” can lead to issues.
“It should be part of the overall business strategy,” Benson says. “It’s needed in order to meet patient engagement needs, and that’s really important. Trying to segment it into just one group’s responsibility is a pitfall. It needs to be in the organizational culture.”
Archuleta adds: “Cybersecurity is not only an IT responsibility. It’s the entire organization’s. Securing information in systems that support the healthcare organization truly involves more than just technology.”
He suggests that while organizations use single sign-on (SSO), two-factor authentication, RSA tokens, and other such security tools, a cybersecurity champion has to translate those technologies and security concepts into simpler terms to help executives understand the value of continued investment in it.
Watch the full interview to learn:
- How new vendors, new devices, new software, and new “middlemen” are all contributing to an increased risk of fraud
- Why EMRs are more at risk than systems that house social security or credit card fraud
- How “Zoom bombing” is just the beginning of greater security concerns
For more information about LexisNexis Risk Solutions, visit https://risk.lexisnexis.com/
This article is part of the #HealthIT100in100