Healthcare information security

Healthcare data security issues: Best security practices for virtual healthcare sessions

July 13, 2021 by Susan Morrow

The healthcare sector has, and still is, undergoing a digital transformation the Covid-19 pandemic exacerbating this change. Telehealth (healthcare is delivered by remote methods) has been used successfully during the Covid-19 pandemic to deliver health services safely, but telehealth also raises important healthcare data security issues. 

A Center for Disease Control and Prevention (CDC) report noted a 154% increase in telehealth visits in March 2020, over the previous period in 2019. But digital mechanisms for data access, sharing and storage put these data at risk. The 2021 X-Force Threat Intelligence Index report placed healthcare in seventh place in its “Top 10 industries by attack volume.” A “barrage of ransomware attacks against hospitals” was at least partly responsible for placing healthcare in this most egregious of top 10 lists. 

With more telehealth and related digital mechanisms to deliver health, the sector looks set to experience further cyberthreats. That’s why healthcare data security standards are more important than ever.

What is ePHI?

Telemedicine requires that health data is shared, viewed, stored and worked on as electronically protected health information (ePHI). ePHI comes under the remit of protected health information (PHI), and in the United States, ePHI is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

What are some of the common data security threats in healthcare telemedicine?

A recent poll of 159 healthcare industry participants from Threatpost explored the best practices in delivering telemedicine healthcare. The poll pointed out some of the biggest security threats in healthcare when using telemedicine to deliver healthcare services. Some of the highlights from the report include:

Increasing risks of telemedicine: 72% of respondents noted an increase in targeted cyberattacks on telehealth devices and networks in the previous nine months.

Increase in attack volumes: In line with the  X-Force report, the Threatpost poll found a general uptick in attack volumes, with 37% of respondents seeing an increase of 25%.

Risky business: 58% see virtual healthcare visits as a cybersecurity risk.

Areas of risk: 58% of respondents said that data breaches were the biggest risk area.

Virtual meeting platforms: The platforms used to deliver telemedicine, including Zoom, may have security vulnerabilities with 35% of respondents saying that insecure video-conferencing platforms were a risk.

HIPAA delivery portals: The portals used to deliver medical images and prescriptions could have exploitable vulnerabilities and 25% of respondents agree that these platforms were a risk.

Home networks: Patients using home networks may be accessing telemedicine devices via insecure connections and in privacy compromised settings.

Data in the cloud: Telemedicine means that patient data is moved and stored using cloud technology and 58% of poll respondents believe this increases the risk of that data. The result is that the data is at risk from Business Email Compromise (BEC) and phishing attacks as well as insecure APIs. Also, and in line with the data coming from X-Force, ransomware was another major challenge identified in the Threatpost poll. 17% of respondents of the poll believed that the digitization of patient data placed that data at risk and 11% of respondents pointed out that purpose-built telemedicine IoT devices were an added risk to patient data.

Telemedicine best practices to mitigate cyber risk

The risk to patient data is evident in the move to cloud-based systems that depend on sharing and storing data that may be carried out over insecure networks. The Threatpost poll was able to elicit the views of the respondents into their own best practices for dealing with these risks.

The poll delivered five key areas that should be prioritized as a best practice to protect telemedicine-based healthcare:

  1. Data integrity and proper cloud configurations: 22.6% of respondents suggest this as a best practice priority. Cloud misconfiguration is behind many cyberthreats and attacks. This is backed up by a McAfee report that found an enterprise has around 2,269 misconfiguration incidents, on average, per month.
  2. Patching: Ensuring prompt security patches was seen as a best practice priority by 21.3% of respondents of the poll. A report from Edgespan concurs and suggests that patching needs to be consistent but can be a challenge in live production environments. The Edgescan report found that the average time to patch an internal system is 50 days, but this increased to 71 days for an internet-facing system.
  3. Third-party app vetting: Any telemedicine apps must be checked as a priority for vulnerabilities according to 20.8% of those polled. An investigation by Approov into mobile health apps found that 30 of these apps, all from large healthcare technology companies, had vulnerabilities making them susceptible to a broken object level authorization (BOLA) attack.
  4. Endpoint protection: The remote healthcare methodology of telemedicine means that more endpoints are needed. This naturally expands the attack surface. Robust endpoint protection, smart enough to deal with polymorphic and fileless malware, is seen as a best practice priority by 20.1% of the Threatpost poll respondents.
  5. Insider threats: 13.2% of those polled said best-practice efforts to prevent insider threats should be a priority. Insider threats cover a whole gamut of incidents and are accidental as well as malicious. With patients being an integral part of sharing and potentially storing sensitive data, this adds a complex layer to protecting data.

Making telemedicine safer

Healthcare is a challenging area to work in and the technology needs of that discipline need to work with a wide variety of stakeholders. The data that is used to transform patients’ lives and help medical practitioners deal with the needs of patients must be protected, both for compliance and as an ethical stance. 

Best practice implementation can help alleviate the risks to these data but must be done as a layered approach and not in isolation.

 

Sources:

Threatpost Poll into Telemedicine Best Practises, Threatpost

IBM 2021 X-Force Threat Intelligence Index, IBM

Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic, Center for Disease Control and Prevention

McAfee Cloud Adoption and Risk Report, McAfee

Edgescan 2020 Vulnerability Statistics Report, Edgescan

Approov mobile health app investigation, Approv

OWASP API Security Project, Broken Object Level Authorization OWASP

8 of the world’s biggest insider threat security incidents, Infosec

Posted: July 13, 2021
Articles Author
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.

Leave a Reply

Your email address will not be published. Required fields are marked *