In many areas of health IT, experimentation is good and may ultimately be to the benefit of users. On the other hand, when it comes to telehealth security, it’s looking more and more as though establishing routine practices and following security best practices is a good idea. At present, there are still a lot of ways in which things can go wrong.
One of the few positives emerging from the pandemic response has been the extent to which providers have found new ways to rethink their IT change management process. I have seen more silo-smashing, data sharing, and care coordination during 2020 than I have for many years in the past.
On the other hand, sometimes racing to solve complex problems quickly can create major issues of its own. Such, I believe, may be the situation with telehealth today.
While their flexibility, portability and accessibility have offered great gifts to the healthcare industry, the still-evolving nature of telehealth schemes can be exploited en masse by cyber-criminals and doubtless will be if the situation doesn’t change.
At present, even the way providers manage patient logins to telehealth raises security questions. Speaking as a patient with more than one chronic illness, I’ve had the opportunity to observe how several providers manage telehealth processes, and the amount of inconsistency I’ve seen gives me pause.
For example, far too often I’ve been invited into what seem to be unsecured Zoom meetings with physicians, without having had the opportunity to review any notice of privacy practices or even an informal review of what protections they’d established. While I’m not myself a compliance expert, it seems unlikely to me that this would meet HIPAA standards.
Another issue that I’ve encountered is the variance in how providers validate that they’ve got the right person on the line. On the one hand, some providers have asked me to go through an elaborate fact-checking procedure before they would discuss any aspect of my case, requesting my name, full address and date of birth before proceeding with a visit. Others appear to have presumed that if you made it to the unique location set for the meeting, you must be the person that you are supposed to be.
Then there’s the technology itself. Of course, different providers will use different technologies, but even from an outside point of view, some seem to offer more sophisticated tools than others. This situation has given newer entrants into healthcare security a chance to attack telehealth security problems with fresh eyes.
Few companies provide a better example of this than Zoom, which is making a big and very public effort to demonstrate that its platform can be used securely for telehealth visits. Meanwhile, I’ve noted that when attending virtual visits through my primary provider (Kaiser Permanente), I was clearly being shunted off of the Kaiser IT infrastructure onto what looked like a hosted solution.
Of course, high-volume telehealth delivery is very new to most providers and vendors, so we’re still looking at a very fluid situation. That being said, when it comes to security, the sooner we identify best practices and bake them into every encounter, the better.