Telehealth IT Security: What Clinicians Need to Know & Tips to Keep Your Practice Secure

While the surge in online medicine has increased accessibility, allowed greater flexibility, and helped medical practices remain operational at this time, the rapid expansion of telemedicine presents its own set of risks. Data privacy, online patient safety concerns, and other cybersecurity threats are on the rise, as the pandemic has many emerging telemedicine solutions entering the market before proper vetting and without proven safety records.

As new technologies are introduced to meet increasing patient demand and a growing number of medical professionals switch to digital care delivery, protecting online patient data and ensuring compliance with federal regulations are paramount. Telemedicine has been shrouded in security and privacy concerns since its inception, with several large-scale, high-profile data breaches threatening to diminish patients’ and providers’ willingness to trust emerging solutions. In addition, more patients are now readily exchanging their privacy online for the benefit of immediate care and to avoid the public healthcare setting due to virus-related fears.

“Telehealth was trending upward before the pandemic, and there were already privacy and security concerns,” Dr. Stephen Hyduchak, CEO of the identity-verification service Aver, told Managed Healthcare Executive “But those are heightened now as people want the immediacy of care and are ready to accept the exchange of privacy to receive that.”

Data Privacy and Regulations 

To ease the implementation of telehealth solutions, federal regulations have lessened the enforcement of HIPAA restrictions throughout the pandemic to ensure patients can access the care they need while curbing the spread of COVID-19. Practitioners are now able to utilize popular telecommunications services, such as Zoom and Skype, which allow for easy patient-provider communication but present potential data privacy concerns.

In recent weeks, a growing number of hacker attacks have been reported on Zoom domains and other similar platforms used in telemedicine, underscoring possible threats associated with these popular services. There has also been an increase in COVID-19 fraud schemes and supply chain attacks as cyber criminals take advantage of increased online activity.

Telehealth IT Security Best Practices 

Threats to IT security in the clinical setting can range from phishing attacks and ransomware to loss of equipment and accidental data loss. While the risks depend on the type of service being provided, virtually all telehealth interactions are susceptible to cybersecurity breaches.

The increased cybersecurity risks affecting digital health services result from expanded lists of users accessing networks and software from different locations as well as a surge in untested solutions brought to market – all of which exacerbate online security, data privacy, and regulation compliance threats.

Healthcare professionals and organizations must remain aware of and alert to the multitude of cybersecurity concerns threatening their online practice; following some of the telehealth IT security best practices below can help practitioners better protect themselves and their patients.

Invest in Cybersecurity Insurance

Prior to adopting a telemedicine practice, healthcare providers should consult their malpractice insurance company to ensure digital services are covered by their current policy. It may be a good idea to purchase cyber protection insurance along with the standard business insurance package to help cover any potential repercussions associated with a data breach. These can include the costs of forensics, notification and call center costs, credit monitoring fees, as well as public relations and legal fees. Purchasing an effective cybersecurity policy can also help prevent data breaches as they provide protective software, employee training, and IT security support.

Ensure VPN Security

While establishing a telehealth practice, it is essential practitioners use virtual private networks (VPNs) as part of their protected communications while connecting remotely to enterprise networks. The use of these networks can help ensure sensitive data is encrypted and passes through appropriate corporate channels before being disseminated through internet-hosted software. Per recent data reported by Health IT Security, the use of VPNs has surged by 124% in the past several weeks alone leading to growing concerns over network safety.

Healthcare professionals and organizations must ensure their VPN software is functioning and up to date and to mitigate any potential system vulnerabilities in order to protect sensitive patient information.

Encrypt Mobile Devices

With lessened restrictions, practitioners can access protected health information and telemedical technologies from their personal devices allowing them to deliver virtual care easily and effectively. However, the use of non-corporate devices carries several potential cybersecurity risks and providers are urged to employ appropriate device management strategies to offer secure medical services. These include segregating personal devices and applications from healthcare applications and data – a solution that can significantly reduce the risk of data leaks – as well as encrypting all devices.

Lost or stolen devices – mobile phones, desktop computers, laptops, and USB drives – are the leading cause of data breaches. While HIPAA regulations provide some protection for the loss or theft of encrypted data, the vast majority of electronic breaches result from unauthorized access to unsecured devices. Medical practices and providers are urged to ensure that all mobile devices, software, communication systems, and stored data are encrypted and that telemedicine security policies are followed by all employees.

Establish Telehealth Guidelines

Telehealth cybersecurity guidelines are essential to protecting against potential breaches as employee access is one of the most challenging risk factors to manage. A recent IBM study reported that nearly 95% of all data breaches resulted from employee error – including the loss or theft of devices, accidental sharing of information with incorrect recipients, sending sensitive patient data in unencrypted formats, or falling victim to ransomware attacks.

Establishing and training staff on effective telehealth practice guidelines is necessary to ensure optimal cybersecurity at this time; all staff members should be aware of practice policies regarding online care, HIPAA compliance requirements, data handling procedures, and personal health information protection strategies.

Use Reputable Software

The sudden popularity of telehealth services has prompted the introduction of novel software technologies, many of which have yet to be adequately tested. Healthcare providers should only download applications from reputable sources and utilize only those which are approved and deemed safe. Organizations may already have telemedicine systems in place, however, practitioners are encouraged to double-check with their human resources department before connecting to new platforms.

Understand How Platforms Manage Data 

Having a robust understanding of the data collection, storage, management, and destruction practices of your chosen telehealth platform is essential to ensuring compliance with regulations and patient data safety. The majority of reputable providers should feature codes of conduct and explicit information regarding their data use policies and HIPAA compliance.

“Look for telemedicine providers that explain their use of data that you share, usually doing this in writing with a code of conduct,” Dr. Hyudchak added. “You have to make sure the telehealth service is reputable and that it’s following all HIPPA rules. Also, only disclose relevant information that is absolutely essential.”

Protect Against Unauthorized Access

The use of identity authentication systems is a critical tool for online safety. To protect against unauthorized access to sensitive data, many healthcare organizations use multi-factor authentication which is reported to block up to 99.9% of all automated cyberattacks. This strategy allows users to log in only after they present two or more pieces of evidence confirming their identity, thereby significantly decreasing the risks of breaches.

A common method hackers use to obtain access to protected health information is by capturing or guessing passwords. This threat can be reduced via identity authentication and the use of strong passwords that are frequently changed to prevent against password theft. Systems should lock users out of their accounts after three failed attempts and limit user access to sensitive databases.

While telehealth is a necessary and beneficial solution during the COVID-19 crisis and beyond, its growing use can jeopardize the safety of sensitive patient data and their privacy. As the majority of non-emergency patient-provider encounters are now occurring in the digital space, cybersecurity threats have reached an all-time high. Many emerging technologies are still new to most users yet cyber criminals have already begun to exploit vulnerabilities in networks and software, leveraging the widespread expansion of telemedicine as a platform for attack. The number of telehealth interactions will continue to increase as the COVID-19 pandemic reshapes the healthcare system, prompting the need for medical professionals and organizations to prioritize personal and patient cybersecurity.

Medicare COVID-19 Telemedicine Factsheet

The COVID-19 outbreak has not only disrupted daily life across the globe, but the contemporary healthcare model as well, with an urgently needed shift to digital medical solutions. Federal regulations are changing continuously, insurance coverage has greatly expanded, and the use of telemedicine is growing at a tremendous rate assisted by new policies and a widespread loosening of restrictions previously impeding access to care.

As part of the battle against the novel coronavirus pandemic, the Centers for Medicare & Medicaid Services (CMS) have expanded access to Medicare telehealth services on a temporary and emergency basis and lessened HIPAA enforcement effective as of March 6, 2020. These updates offer Medicare beneficiaries – many of whom are at an increased risk for serious COVID-19 illness – a safe, alternative model of care in the form of a wider range of remote services. During the COVID-19 crisis, innovative uses of telemedicine technology are driving routine care, keeping vulnerable demographics safe, and expanding access to health care. 

“The benefits are part of the broader effort by CMS and the White House Task Force to ensure that all Americans – particularly those at high-risk of complications from the virus that causes the disease COVID-19  – are aware of easy-to-use, accessible benefits that can help keep them healthy while helping to contain the community spread of this virus,” a statement from the CMS on the promotion of telemedicine reads. Further information about the newly implemented guidelines for patient care and their implications on telehealth services during the COVID-19 outbreak are outlined below.

Expansion of Telehealth Services

1135 Waiver

As part of the program, the 1135 waiver was introduced to lessen prior restrictions and promote wider access to remote care. Prior to the waiver, Medicare was only able to pay for telehealth on a limited basis, for example, when a patient was receiving care in a designated rural area or when received the service in a healthcare facility. Under this waiver, the following changes have taken effect:

•   Office, hospital, and other telehealth visits will now be covered and reimbursed for the same amount as an in-person visit.
•   A wide range of providers can offer telehealth services across the nation, including nurse practitioners, psychologists, and licensed social workers.
•   Medicare beneficiaries are now be able to receive a wider variety of services through telemedicine – such as evaluation and management visits, mental health counseling, and preventative health screenings.
•   The HHS Office of Inspector General is providing flexibility for healthcare providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs during this time.

Virtual Services 

Medical professionals can provide their Medicare patients with a range of virtual services as part of the telehealth program, including Medicare telehealth visits, virtual check-ins, and e-visits. Specific requirements for each service are outlined below.

Medicare Telehealth Visits

Throughout the course of the COVID-19 outbreak, Medicare patients may use digital technology for office, hospital visits, and other services previously rendered in-person. The recent changes include:

•   A wider range of practitioners is now able to get payment covered for telemedicine services – including physicians, nurse practitioners, physician assistants, midwives, anesthetists, psychologists, clinical social workers, registered dietitians, as well as nutritional professionals.
•   Virtual visits will now be paid at the same rate as regular, in-person visits.
•   Providers must use an interactive audio and video system permitting real-time communication during Medicare telehealth visits in order to be reimbursed appropriately.
•   New CMS guidelines remove the requirement of an established patient-provider relationship for the duration of the public health emergency, further details below.

“The Department of Health and Human Services (HHS) is announcing a policy of enforcement discretion for Medicare telehealth services furnished pursuant to the waiver under section 1135(b)(8) of the Act.  To the extent the waiver (section 1135(g)(3)) requires that the patient have a prior established relationship with a particular practitioner, HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency,” the CMS statement reads.

Virtual Check-ins

In all areas of the country, Medicare beneficiaries will be able to have brief online check-ins with practitioners – or brief communication technology-based services. Policy changes related to this include:

•   Medicare will now pay for virtual check-ins for patients with established relationships with their physicians to prevent unnecessary travel and office visits.
•   Brief virtual check-ins can be conducted using a broader range of communication methods than Medicare telehealth visits; medical practitioners may bill for virtual check-in services provided via several telecommunication technologies – including telephone, audio/video, secure text messaging, email, and patient portals.
•   Services cannot be related to a medical visit within the previous 7 days or lead to a medical visit within the following 24 hours, or the soonest available appointment.
•   Patients must verbally consent to receive virtual check-in services.
•   Patients can submit video/images using store and forward methods to be interpreted by physicians within 24 business hours.
 

E-Visits

As part of the updated guidelines, established Medicare patients in all types of locations can have non-face-to-face patient-initiated communications with their providers using online patient portals. These services can only be rendered in accordance with the following guidelines:

•   E-visit services can only be reported to Medicare if the billing practice has an established relationship with the patient.
•   E-visits must be initiated by the patient although, practices may educate patients on the availability of these services prior to their initiation.
•   Communications can occur over a 7-day period and only after the patient provides verbal consent to receive telehealth services.
•   These services may be billed using CPT codes 99421-99423 and HCPCS codes G2061.
More information on relevant billing codes for e-visits and other virtual care services can be found on the CMS’ website.

Health Insurance Portability and Accountability Act (HIPAA) Updates 

In addition to the amendments above, the HHS Office for Civil Rights will lessen restrictions and waive penalties in association with HIPAA compliance for health care providers that serve patients in good faith through virtual communication technologies during the COVID-19 outbreak. More information on the latest HIPAA updates can be accessed here.

Although Medicare already offers flexibility to states that wish to implement telehealth services, the most recent developments signal a major step forward in the direction of telemedicine, despite the temporary nature of federal guidelines. With the help of changes in regulations and the strategic expansion of telehealth, patients can now reach providers easily via a range of tele communication options from the comfort and safety of their homes, while medical professionals can readily provide care without reimbursement concerns. As the COVID-19 public health emergency continues to evolve rapidly, regulations and guidelines may change; clinicians are encouraged to stay up-to-date on the latest medical guidance.

Self-Care Strategies For Medical Practitioners

As the population enters another month of social distancing and self-isolation in an effort to combat the COVID-19 outbreak, it is becoming increasingly important for individuals to prioritize their physical, mental, and emotional health. The so-called “new normal” many find themselves living in has been characterized by heightened stress levels, long work hours, increased feelings of loneliness and hopelessness, as well as a persisting need to support and care for loved ones. During such an overwhelming time, it is important to take the necessary self-care measures that can work to mitigate negative emotional and physical responses to the pandemic – many of which may be happening subconsciously.

Both deteriorating physical and mental health can impede the ability to provide much-needed medical and home care, give and receive support, and to fulfill the needs of a growing number of patients. Whether you are one of the healthcare providers braving the crisis and fighting the virus on the front lines, a first-time telemedicine practitioner, or a medical professional with a practice currently closed, it is essential to take the time to incorporate some of the self-care strategies listed below when possible.

Self-Care Strategies

Boosting both physical and mental health requires regular check-ins throughout the day. Make sure to check in not only with your family and friends, but equally as importantly with yourself – how are you feeling physically, mentally, and emotionally? Paying attention to your current state will help identify what you may need at that moment, whether that is a walk around the neighborhood, a nutritious meal, or some physical exercise. The recommendations below are simple to incorporate into a daily routine yet may prove tremendously effective in improving overall wellbeing.

Physical Health

Supporting physical health is vital to ensure a well-functioning immune system and to protect it from the risk of COVID-19 infection. Several ways to maintain a healthy lifestyle despite the circumstances – inclusive of regular physical activity and a well-balanced diet – are listed below:

•   Maintain a sleeping schedule and get enough rest; aim to sleep for around 7 to 8 hours per night.

•   Engage in physical activity every day – this can include walks around the block, jogging, or exercising at home.

•   Spend time outside (following social distancing guidelines) and in nature; studies have found that being outdoors is one of the quickest methods of improving health and wellbeing.

•   Eat regularly and fuel your body with a healthy, nutritious diet.

•   Make sure to hydrate as dehydration can have noxious effects on physical health; aim for about 2 liters of water per day.

•   Avoid substance use and destructive behaviors; abusing alcohol or drugs at this time may worsen both physical and mental health, take a toll on the immune system, and lead to other repercussions.

Mental Health 

Taking care of your mental health is equally as important; the heightened stress levels and rising feelings of loneliness can contribute to declines in immune system functioning as a result of related hormonal changes.

•   Find ways to connect with yourself and those around you – this can include regular phone or video calls, communicating throughout the day, and mindful personal check-ins.

•   Set a routine and try to maintain it; devoting specific times of the day to work, chores, home life, and self-care can help provide much-needed structure.

•   Instead of worrying about the public health crisis at hand, focus on things you can control, including work-related tasks, healthy lifestyle habits, and time spent connecting with the people around you.

•   Consider introducing relaxation techniques throughout the day, such as deep breathing, stretching, meditation, and yoga practice.

•   Use technology mindfully; many individuals are increasingly turning to social media, television, and their computers as a way of spending idle time. While it is needed to maintain social interactions and continue business operations, the amount of unnecessary time spent in front of a screen should be minimized.

•   Listen to music, read books, and pursue other stimulating activities instead.

•   Explore online resources and applications for managing anxiety and other mental health concerns at this time; the CDC has compiled a list of helpful coping strategies, accessible here. 

To be best equipped to provide health care and other support services, medical practitioners must prioritize their physical health and emotional wellbeing, which can be extremely difficult for those working within the healthcare system. While the consistent efforts of healthcare practitioners of all backgrounds are invaluable, the demands of the oft-dysfunctional healthcare system can take a significant toll on their physical and mental health. Many are struggling with traumatic stress responses or battling the infection themselves. As integral members of our shared communities, medical workers are encouraged to remember that they are not alone and to seek the therapeutic support and medical care they need.

Regardless of specialty, finding the time to practice self-care is now more important than ever; introducing some of the above strategies into your daily routine can significantly improve overall health and wellbeing. Additional recommendations, including specific tips for first responders and health care providers, have been made available by the CDC and can be found here.

If you or someone you know is considering suicide please contact the National Suicide Prevention Hotline at 1-800-273-8255 or through chat on https://suicidepreventionlifeline.org/