Telehealth and Cybersecurity: 3 Best practices to ensure data security in remote patient care

Telehealth refers to the remote access and delivery of healthcare by integrating digital devices, healthcare equipment, and healthcare systems. The pandemic has accelerated the reach and adoption of telehealth.

There are many telehealth products in the market today. Here are a few examples  –

• Sesame care –  Provides listings of healthcare providers with affordable pricing, which varies with region. Patients can book appointments for the same day and for a future date.
• Klara – Enables real-time video visits between caregivers and patients. Includes scheduling appointments, insurance verification, sharing reports during the consultation, and documenting instructions for individual care. It also provides a virtual waiting room for the patient.
• HealthTap – Another telehealth product that enables patients and families to find an affordable virtual care provider for primary health.
• MeMed – Provides virtual healthcare in several areas such as general health, mental health, child care, etc. It works with businesses to develop solutions that bring down the cost of healthcare services for their employees. 

While there is greater adoption of telehealth services, there is reluctance from patients worried about their data privacy, while others are not comfortable going virtual. While the latter can be resolved through user education or caregiver-assisted consultations, cybersecurity is a bigger problem.

Read more: How to transition to telehealth

Access to healthcare and information from anywhere increases the threat surface and the associated security risk. With the increase in telehealth traffic, cyber-attacks have increased exponentially.  American legislation provides for the Health Insurance Portability and Accountability Act (HIPAA) which is the cornerstone of governance around healthcare. Any telehealth service must be HIPAA and HL7 (Health Level 7) certified as it holds patient data.

HL7 is a set of international standards around transferring electronic information on health between healthcare providers and related systems. One of its key protocols, FHIR (Fast Healthcare Interoperability Resources), defines how healthcare systems can share data,  irrespective of how it is stored in these systems. It is web-based, with REST being one of its standards. This makes it possible for easy integration with healthcare-based consumer apps providing lightweight data as per need. 

You may also like: FHIR – The winning edge for successful patient engagement

Three best practices to ensure data security in remote patient care are:

Multi-factor authentication of identity

Healthcare providers, patients, and payers can access health records outside the network via cloud-based solutions. Simple user/password authentication and authorization will not suffice in such scenarios. A hacker can quickly gain entry. Multi-factor authentication that requires at least two pieces of information to enable user access from different networks will significantly reduce potential threats. It could be a 2F authentication or token from a verified phone number associated with the account and a strong password. Biometric authentication using fingerprint, voice recognition, or facial recognition are other means of multi-factor authentication. 

Cloud Infrastructure security

Today serverless architectures take away the load from developers to scale their applications based on load, with the additional benefit of reduced costs. A serverless application or service gets triggered by different data sources, i.e., distributed cloud services. Each data source comes with its event data format, each with a potential data injection loophole. Additionally, there are no firewalls protecting these services. 

Adequate serverless security would include: 

1. Least privilege access for serverless services. Default deny approach by the service being accessed unless the necessary permissions are granted.
2. Implementing a Web Application Firewall to protect against attacks like SQL injection.
3. Cloud Encryption (or cloud storage encryption) – Data is encrypted before being stored in files and databases so that only authorized personnel can access this data.
4. Continuous checks on third-party integrations
5. Continuous monitoring of services auditing logs to take quick action or prevent cyber attacks
6. The shared responsibility model between the user and service provider keeps the environment secure.

Network and data security 

Telehealth services over the internet, insecure connections, and lag in security updates pose a considerable security threat to patients’ health data. 

Using a VPN that restricts access to users with the proper credentials is one way of preventing such issues.

Striking the right balance between security and complexity of use is essential. Having said that, there are other systems that a telehealth service would need to interact with. Specifically, remote devices and sensors are being used for monitoring a patient’s health. All of this data that goes to the telehealth service and out of it would need to be encrypted at rest and in motion. Ensuring the data is transmitted on SSL, and secured storage reduces the possibility of a leak. Enabling periodic anti-malware and virus scans will also check cyber threats. Over and above application and network-level security, patients must be educated on the importance of cybersecurity while maintaining a  relatively lower complexity.

Ensure cybersecurity for your organization

Cyber-security is a crucial parameter to telehealth adoption. Therefore to manage this, an organization could  – 

1. Partner with cyber-security providers, 
2. Set up the proper framework and governance around telehealth,
3. Adopt the latest security measures and tools, 
4. Enable security at the application level,
5. Continuously monitor all devices, data handshake points, and the overall network.
6. Have scheduled virus scans and update anti-malware installed.
7. Ensure solid passwords and meeting ids while using third-party tools such as Zoom to not compromise the patient’s identity.
8. Keep the patient and caregivers well-informed on the usage of devices, password management, and enabling virus scans on their devices.
9. Have an eye out for new security loopholes cited in the market.

Reach us at Trigent to evaluate the existing and build new secure telehealth application(s) and apps for your organization.

Build secure and efficient telehealth applications for your organization. Call us now!