In this Telehealth Feature Series, we’re going to cover the long list of potential telehealth features available today. As you’re considering your own approach to telehealth, we will provide you a look at all the possible features telehealth companies are offering on the market. Plus, we’ll offer our insight into the nuances of each feature so you can select the right telehealth company or companies you use. Not all telehealth is created equal, so taking the time to understand all the possible features and options is worth the effort.
The next feature we’re going to cover is HITRUST Certified, Full Encryption, and Security.
While some may think that we already covered this topic in our previous write up of HIPAA compliant telehealth, there’s a lot more to this topic than just HIPAA. The first point is that just because something is HIPAA compliant doesn’t mean it’s secure. Those are two separate ideas. HIPAA can help an organization or software become more secure, but there’s always more a software vendor can do to make their application more secure.
Needless to say, ensuring that a telehealth or other application in healthcare is fully secure is more than we’re going to cover in this article and likely deserves it’s own series. In fact, we’ll ask our resident CISO author, Mitch Parker to do a series of articles on this subject for those interested in a deep dive into evaluating health IT application security.
Until then, suffice it to say that your organization should have a process for evaluating every health IT application’s security efforts so you know what they’re doing to secure your application and what are the best practices for you to secure the application. Securing an application requires effort from both the software developer and the healthcare organization. If both parties aren’t working together to make sure the application is secure, that’s the recipe for a breach.
Telehealth should be subject to the same security evaluation you give every application. However, it does add a few layers of security that your other applications don’t necessarily have to think about. First, telehealth by its very nature includes patient endpoints. That means that your risk profile expands in a big way since you are now subject to the security efforts of your patients. Luckily, most telehealth platforms have planned for this, but it definitely is something you have to think in mind since it does expand the risk.
While we won’t dive in to every aspect of security here, let’s look at one very popular security topic when it comes to securing your telehealth platform: Encryption.
I’ve written previously that healthcare has kind of treated encryption as your get out of jail free card. While not a perfect analogy, if the data is encrypted, then you’re going to be a lot safer when it comes to security and HIPAA. However, we’ve learned recently that just because a telehealth company says that it encrypts doesn’t mean it encrypts everything.
Does the telehealth vendor encrypt the data in transit (most do)? Does the vendor encrypt data at rest (ie. in their storage)? I could go on, but you get the point. Telehealth companies have access to and are transferring some of the most private health data that exists and they’re connecting more and more data to more systems. Not all encryption efforts are equal and so it’s worth the effort to make sure that your telehealth company is using encryption in all of the places necessary to ensure security of the patient’s data.
Finally, let’s talk about HITRUST certified. Similar to HIPAA, HITRUST Certified is a good thing, but let’s not confuse HITRUST Certified with secure. The problem we have in healthcare is our RFP’s love to provide a checklist of questions that easily assess and compare various health IT software and systems. However, you can’t just ask “Is your product secure?” That’s too abstract. However, we can ask “Is your produce HITRUST Certified?” That’s a measurable item that can be answered the same across every application. That’s why it makes sense to include a question like this on an RFP.
While verifying if an organization is HITRUST certified is not a bad thing, you shouldn’t assume that because they’re HITRUST Certified that they’re fully secure. We all wish that it were that easy, but it’s not. That’s a nice baseline, but going beyond this standard is where you’re really going to learn how your telehealth company approaches security.
While your CISO should take a serious and uniform effort to evaluate the security of every health IT application you purchase including telemedicine, I also like to evaluate the security posture of the company since security is always changing. Is security at the core of everything the company does or is it an afterthought? If you can assess this in a vendor, then you know the company with security at its core will continue to improve over time as security challenges evolve. You don’t want to be stuck dealing with a breach because your telehealth vendor treats security as an afterthought.