Category Archives: Telemedicine

Telehealth IT Security: What Clinicians Need to Know & Tips to Keep Your Practice Secure

While the surge in online medicine has increased accessibility, allowed greater flexibility, and helped medical practices remain operational at this time, the rapid expansion of telemedicine presents its own set of risks. Data privacy, online patient safety concerns, and other cybersecurity threats are on the rise, as the pandemic has many emerging telemedicine solutions entering the market before proper vetting and without proven safety records.

As new technologies are introduced to meet increasing patient demand and a growing number of medical professionals switch to digital care delivery, protecting online patient data and ensuring compliance with federal regulations are paramount. Telemedicine has been shrouded in security and privacy concerns since its inception, with several large-scale, high-profile data breaches threatening to diminish patients’ and providers’ willingness to trust emerging solutions. In addition, more patients are now readily exchanging their privacy online for the benefit of immediate care and to avoid the public healthcare setting due to virus-related fears.

“Telehealth was trending upward before the pandemic, and there were already privacy and security concerns,” Dr. Stephen Hyduchak, CEO of the identity-verification service Aver, told Managed Healthcare Executive “But those are heightened now as people want the immediacy of care and are ready to accept the exchange of privacy to receive that.”

Data Privacy and Regulations 

To ease the implementation of telehealth solutions, federal regulations have lessened the enforcement of HIPAA restrictions throughout the pandemic to ensure patients can access the care they need while curbing the spread of COVID-19. Practitioners are now able to utilize popular telecommunications services, such as Zoom and Skype, which allow for easy patient-provider communication but present potential data privacy concerns.

In recent weeks, a growing number of hacker attacks have been reported on Zoom domains and other similar platforms used in telemedicine, underscoring possible threats associated with these popular services. There has also been an increase in COVID-19 fraud schemes and supply chain attacks as cyber criminals take advantage of increased online activity.

Telehealth IT Security Best Practices 

Threats to IT security in the clinical setting can range from phishing attacks and ransomware to loss of equipment and accidental data loss. While the risks depend on the type of service being provided, virtually all telehealth interactions are susceptible to cybersecurity breaches.

The increased cybersecurity risks affecting digital health services result from expanded lists of users accessing networks and software from different locations as well as a surge in untested solutions brought to market – all of which exacerbate online security, data privacy, and regulation compliance threats.

Healthcare professionals and organizations must remain aware of and alert to the multitude of cybersecurity concerns threatening their online practice; following some of the telehealth IT security best practices below can help practitioners better protect themselves and their patients.

Invest in Cybersecurity Insurance

Prior to adopting a telemedicine practice, healthcare providers should consult their malpractice insurance company to ensure digital services are covered by their current policy. It may be a good idea to purchase cyber protection insurance along with the standard business insurance package to help cover any potential repercussions associated with a data breach. These can include the costs of forensics, notification and call center costs, credit monitoring fees, as well as public relations and legal fees. Purchasing an effective cybersecurity policy can also help prevent data breaches as they provide protective software, employee training, and IT security support.

Ensure VPN Security

While establishing a telehealth practice, it is essential practitioners use virtual private networks (VPNs) as part of their protected communications while connecting remotely to enterprise networks. The use of these networks can help ensure sensitive data is encrypted and passes through appropriate corporate channels before being disseminated through internet-hosted software. Per recent data reported by Health IT Security, the use of VPNs has surged by 124% in the past several weeks alone leading to growing concerns over network safety.

Healthcare professionals and organizations must ensure their VPN software is functioning and up to date and to mitigate any potential system vulnerabilities in order to protect sensitive patient information.

Encrypt Mobile Devices

With lessened restrictions, practitioners can access protected health information and telemedical technologies from their personal devices allowing them to deliver virtual care easily and effectively. However, the use of non-corporate devices carries several potential cybersecurity risks and providers are urged to employ appropriate device management strategies to offer secure medical services. These include segregating personal devices and applications from healthcare applications and data – a solution that can significantly reduce the risk of data leaks – as well as encrypting all devices.

Lost or stolen devices – mobile phones, desktop computers, laptops, and USB drives – are the leading cause of data breaches. While HIPAA regulations provide some protection for the loss or theft of encrypted data, the vast majority of electronic breaches result from unauthorized access to unsecured devices. Medical practices and providers are urged to ensure that all mobile devices, software, communication systems, and stored data are encrypted and that telemedicine security policies are followed by all employees.

Establish Telehealth Guidelines

Telehealth cybersecurity guidelines are essential to protecting against potential breaches as employee access is one of the most challenging risk factors to manage. A recent IBM study reported that nearly 95% of all data breaches resulted from employee error – including the loss or theft of devices, accidental sharing of information with incorrect recipients, sending sensitive patient data in unencrypted formats, or falling victim to ransomware attacks.

Establishing and training staff on effective telehealth practice guidelines is necessary to ensure optimal cybersecurity at this time; all staff members should be aware of practice policies regarding online care, HIPAA compliance requirements, data handling procedures, and personal health information protection strategies.

Use Reputable Software

The sudden popularity of telehealth services has prompted the introduction of novel software technologies, many of which have yet to be adequately tested. Healthcare providers should only download applications from reputable sources and utilize only those which are approved and deemed safe. Organizations may already have telemedicine systems in place, however, practitioners are encouraged to double-check with their human resources department before connecting to new platforms.

Understand How Platforms Manage Data 

Having a robust understanding of the data collection, storage, management, and destruction practices of your chosen telehealth platform is essential to ensuring compliance with regulations and patient data safety. The majority of reputable providers should feature codes of conduct and explicit information regarding their data use policies and HIPAA compliance.

“Look for telemedicine providers that explain their use of data that you share, usually doing this in writing with a code of conduct,” Dr. Hyudchak added. “You have to make sure the telehealth service is reputable and that it’s following all HIPPA rules. Also, only disclose relevant information that is absolutely essential.”

Protect Against Unauthorized Access

The use of identity authentication systems is a critical tool for online safety. To protect against unauthorized access to sensitive data, many healthcare organizations use multi-factor authentication which is reported to block up to 99.9% of all automated cyberattacks. This strategy allows users to log in only after they present two or more pieces of evidence confirming their identity, thereby significantly decreasing the risks of breaches.

A common method hackers use to obtain access to protected health information is by capturing or guessing passwords. This threat can be reduced via identity authentication and the use of strong passwords that are frequently changed to prevent against password theft. Systems should lock users out of their accounts after three failed attempts and limit user access to sensitive databases.

While telehealth is a necessary and beneficial solution during the COVID-19 crisis and beyond, its growing use can jeopardize the safety of sensitive patient data and their privacy. As the majority of non-emergency patient-provider encounters are now occurring in the digital space, cybersecurity threats have reached an all-time high. Many emerging technologies are still new to most users yet cyber criminals have already begun to exploit vulnerabilities in networks and software, leveraging the widespread expansion of telemedicine as a platform for attack. The number of telehealth interactions will continue to increase as the COVID-19 pandemic reshapes the healthcare system, prompting the need for medical professionals and organizations to prioritize personal and patient cybersecurity.

Medicare COVID-19 Telemedicine Factsheet

The COVID-19 outbreak has not only disrupted daily life across the globe, but the contemporary healthcare model as well, with an urgently needed shift to digital medical solutions. Federal regulations are changing continuously, insurance coverage has greatly expanded, and the use of telemedicine is growing at a tremendous rate assisted by new policies and a widespread loosening of restrictions previously impeding access to care.

As part of the battle against the novel coronavirus pandemic, the Centers for Medicare & Medicaid Services (CMS) have expanded access to Medicare telehealth services on a temporary and emergency basis and lessened HIPAA enforcement effective as of March 6, 2020. These updates offer Medicare beneficiaries – many of whom are at an increased risk for serious COVID-19 illness – a safe, alternative model of care in the form of a wider range of remote services. During the COVID-19 crisis, innovative uses of telemedicine technology are driving routine care, keeping vulnerable demographics safe, and expanding access to health care. 

“The benefits are part of the broader effort by CMS and the White House Task Force to ensure that all Americans – particularly those at high-risk of complications from the virus that causes the disease COVID-19  – are aware of easy-to-use, accessible benefits that can help keep them healthy while helping to contain the community spread of this virus,” a statement from the CMS on the promotion of telemedicine reads. Further information about the newly implemented guidelines for patient care and their implications on telehealth services during the COVID-19 outbreak are outlined below.

Expansion of Telehealth Services

1135 Waiver

As part of the program, the 1135 waiver was introduced to lessen prior restrictions and promote wider access to remote care. Prior to the waiver, Medicare was only able to pay for telehealth on a limited basis, for example, when a patient was receiving care in a designated rural area or when received the service in a healthcare facility. Under this waiver, the following changes have taken effect:

•   Office, hospital, and other telehealth visits will now be covered and reimbursed for the same amount as an in-person visit.
•   A wide range of providers can offer telehealth services across the nation, including nurse practitioners, psychologists, and licensed social workers.
•   Medicare beneficiaries are now be able to receive a wider variety of services through telemedicine – such as evaluation and management visits, mental health counseling, and preventative health screenings.
•   The HHS Office of Inspector General is providing flexibility for healthcare providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs during this time.

Virtual Services 

Medical professionals can provide their Medicare patients with a range of virtual services as part of the telehealth program, including Medicare telehealth visits, virtual check-ins, and e-visits. Specific requirements for each service are outlined below.

Medicare Telehealth Visits

Throughout the course of the COVID-19 outbreak, Medicare patients may use digital technology for office, hospital visits, and other services previously rendered in-person. The recent changes include:

•   A wider range of practitioners is now able to get payment covered for telemedicine services – including physicians, nurse practitioners, physician assistants, midwives, anesthetists, psychologists, clinical social workers, registered dietitians, as well as nutritional professionals.
•   Virtual visits will now be paid at the same rate as regular, in-person visits.
•   Providers must use an interactive audio and video system permitting real-time communication during Medicare telehealth visits in order to be reimbursed appropriately.
•   New CMS guidelines remove the requirement of an established patient-provider relationship for the duration of the public health emergency, further details below.

“The Department of Health and Human Services (HHS) is announcing a policy of enforcement discretion for Medicare telehealth services furnished pursuant to the waiver under section 1135(b)(8) of the Act.  To the extent the waiver (section 1135(g)(3)) requires that the patient have a prior established relationship with a particular practitioner, HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency,” the CMS statement reads.

Virtual Check-ins

In all areas of the country, Medicare beneficiaries will be able to have brief online check-ins with practitioners – or brief communication technology-based services. Policy changes related to this include:

•   Medicare will now pay for virtual check-ins for patients with established relationships with their physicians to prevent unnecessary travel and office visits.
•   Brief virtual check-ins can be conducted using a broader range of communication methods than Medicare telehealth visits; medical practitioners may bill for virtual check-in services provided via several telecommunication technologies – including telephone, audio/video, secure text messaging, email, and patient portals.
•   Services cannot be related to a medical visit within the previous 7 days or lead to a medical visit within the following 24 hours, or the soonest available appointment.
•   Patients must verbally consent to receive virtual check-in services.
•   Patients can submit video/images using store and forward methods to be interpreted by physicians within 24 business hours.
 

E-Visits

As part of the updated guidelines, established Medicare patients in all types of locations can have non-face-to-face patient-initiated communications with their providers using online patient portals. These services can only be rendered in accordance with the following guidelines:

•   E-visit services can only be reported to Medicare if the billing practice has an established relationship with the patient.
•   E-visits must be initiated by the patient although, practices may educate patients on the availability of these services prior to their initiation.
•   Communications can occur over a 7-day period and only after the patient provides verbal consent to receive telehealth services.
•   These services may be billed using CPT codes 99421-99423 and HCPCS codes G2061.
More information on relevant billing codes for e-visits and other virtual care services can be found on the CMS’ website.

Health Insurance Portability and Accountability Act (HIPAA) Updates 

In addition to the amendments above, the HHS Office for Civil Rights will lessen restrictions and waive penalties in association with HIPAA compliance for health care providers that serve patients in good faith through virtual communication technologies during the COVID-19 outbreak. More information on the latest HIPAA updates can be accessed here.

Although Medicare already offers flexibility to states that wish to implement telehealth services, the most recent developments signal a major step forward in the direction of telemedicine, despite the temporary nature of federal guidelines. With the help of changes in regulations and the strategic expansion of telehealth, patients can now reach providers easily via a range of tele communication options from the comfort and safety of their homes, while medical professionals can readily provide care without reimbursement concerns. As the COVID-19 public health emergency continues to evolve rapidly, regulations and guidelines may change; clinicians are encouraged to stay up-to-date on the latest medical guidance.

Choosing the Right Telemedicine Provider for Your Practice

Recent changes to the practice of medicine are evident; no longer are patients coming in for routine appointments, follow-up visits, or elective procedures. Many patients and practitioners are opting for the use digital health services, while some individuals are refusing to seek needed care out of virus-spurred fears. Alongside a marked decrease in demand for in-person care has been a significant rise in telemedicine use – the number of online visits in March surged by up to 50% per data from Frost and Sullivan consultants.

With the widespread adoption of telemedicine, healthcare market analysts now anticipate to see the general number of medical care visits rise above 200 million – up from the 36 million predicted for 2020 – and estimate all virtual health encounters will surpass 1 billion by the end of the year.

A multitude of software developers has already begun capitalizing on the occasion by developing new technological solutions and telecommunication platforms to fulfill the rising demand for online medical services. Meanwhile, to ease the implementation of telehealth across specialties, federal regulations have been amended relaxing HIPAA enforcement rules, mitigating reimbursement barriers, and making other helpful policy changes. However, the widespread lessening of restrictions has also prompted cybersecurity concerns as a result of an increasing number of users sharing their protected health information and personal data online. Due to time constraints and a rushed speed of market entry, many of these novel software solutions are lacking in safety certifications and robust testing.

Changes in Telemedicine Regulations

Now that the U.S. Department of Health & Human Services’ guidance allows HIPAA-covered entities to “use any non-public facing remote communication product that is available to communicate with patients,” providers are turning to common audio or video communication technologies. Broadening access to remote care, the agency now permits providers the use of programs such as Apple’s FaceTime, Facebook’s Messenger video, and Skype. The agency notes, however, that patients should be made aware of the potential cybersecurity and data privacy risks associated with these platforms as they are not intended for telehealth-specific use.

“This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19,” the HHS outlined in a statement.

Evaluating Telemedicine Providers

Faced with a seemingly abundant amount of telehealth vendors, healthcare providers may find it difficult to determine which one will best fulfill the needs of their practice. Many may already have embedded telehealth functionality via their electronic health record (EHR) vendors or their employing organization; these solutions can allow for seamless integration into practice, be cost-saving, and tend to have proven safety records. For practitioners seeking new telehealth vendors, the selection process may be daunting although the steps outlined below can help navigate the crowded landscape of telemedicine providers.

Finding and Understanding Your Options

In beginning the search for a telehealth provider, physicians should focus on narrowing down the possible options by outlining their practice’s key criteria and goals. The evaluation of potential vendors must take into account these values and should focus on the perspective of a long-term partnership, not just that of a transactional business. The goal of integrating a telehealth provider into your practice is to develop a long-standing relationship with them in order to have an expert resource on hand, guaranteed support throughout the introduction process and beyond, as well as a reliable, secure platform for your patients.

Researching potential telehealth services and their reviews is a critical component of selecting a vendor, however, it may be challenging to choose from the 900+ platforms available. Asking for word-of-mouth referrals and recommendations from your professional network can often help narrow down a list of possible telehealth vendors. Practices can also consider consulting the American Telemedicine Association or their state medical association for further suggestions.

After sufficient research, medical providers should select a shortlist of a few quality vendors and schedule calls with each one to discuss their service offering, policies, and compliance with stat guidelines. It is also important to incorporate legal feedback and security standards when evaluating potential partners to assure any potential liabilities are minimized.

Finally, upon selecting a few prospective vendor candidates, practitioners should develop a Request for Proposal (RFP) that clearly outlines their goals and share it with the vendors that best align with them.

 

Getting to Know the Platform and Team

After receiving and reviewing RFP responses, providers and medical practices should ask telehealth vendors for case studies and referrals to determine whether they can be considered safe, reputable sources. Scheduling time to speak with product engineers and existing customers can help physicians obtain a more realistic understanding of how the platform could function in their daily practice.

The next important part of the selection process is familiarizing yourself with the platform itself as well as the vendor’s customer service team – which you will be primarily communicating with. To do this, healthcare providers should schedule live demos of the software and informational calls with the vendor team. During these interactions, physicians should focus on evaluating the software across the six key factors outlined below in order to determine whether the service will adequately address their practice’s needs.

Six Key Factors for Evaluation

Business

Important aspects of the vendor’s business to keep in mind include: tenure, funding source, financial stability, notable customers, and other affiliations. Practitioners are also encouraged to consider the company’s business model, product cost, reimbursement rates, risk sharing, and payment program options to approximate their return on investment. Does the vendor have expertise in offering telehealth to other practices in your specialty? Are they aware of federal and private insurance requirements? These are also questions to assess while investigating potential vendors.

Information Technology

From a technical perspective, the ability of the program to be integrated within a practice’s current IT landscape – and the EHR system in particular – can have a significant impact on decision making. As does the cost, process, and timeline of implementation, all of which are important factors to consider in the current environment. Other valuable considerations include: patient geolocation for licensure requirements, patient access to data, customization capabilities, biometrics/RPM integration capabilities, and the impact of regular use on internet and local network usage.

Security

With cybersecurity threats currently at an all-time high, security guarantees offered by telehealth vendors are paramount. In evaluating a potential telemedicine provider, physicians should ensure it complies with HIPAA and local regulations, has a clear liability structure in place for managing potential data breaches, and is transparent about its data use practices. Other important security factors include user authentication and authorization systems and whether it has in-platform patient consent capabilities.

Usability

The usability of the product itself is one of the most essential factors for consideration in choosing a telehealth vendor. During live demos, healthcare providers should note their personal reflections on user experience – will it be easy to use for other care team members and patients? How long does it take for the platform to launch? How many steps are required to launch the application? Other factors for consideration here are: dashboard/workflow assimilation, multi-specialty application, patient and care team engagement metrics, as well as billing and payout processes.

Customer Service

Another key variable to evaluate when selecting a telemedicine provider is the quality of the company’s customer service. Medical practices and professionals should consider the level of support that would be available to them during and after service integration, which can include staff training, patient education, project, management, data analysis, and many other practice-enhancing features. In addition, the vendor should be able to provide an adequate degree of technical support for patients who may need assistance with setting up the platform, accessing it from different devices, and troubleshooting IT issues.

Clinical Validation

The final factor healthcare practitioners should guarantee is the clinical validation of their chosen telehealth technology; this can be done by requesting any available documented clinical outcomes as well as published peer-reviewed research.

Test the Product

After selecting a telemedicine solution that best suits their medical practice, healthcare professionals are urged to test the technology with either a patient advocate, member of a patient advisory board, or other staff member to ensure it can be successfully implemented. Some platforms and services may prove to be too complicated for patients to use, requiring more time spent on training and technical assistance rather than offering an efficient method of digital care delivery.

 

Setting your practice up for success in the digital space requires careful consideration of a variety of factors, most notably the 6 key conditions outlined above. In addition, selections of telehealth vendors must be made in accordance with state and federal regulations; medical offices and health organizations can consult practices on the requirements and help them narrow down available options. Furthermore, risk and liability mitigation is essential to a safe online practice – clinicians are encouraged to incorporate legal feedback and cybersecurity best practices to mediate any potential threats.

To further assist practices and providers in determining which telemedicine service is right for them, Healthcare IT News has published an ongoing list of telehealth vendors and their service offerings, accessible here.