In order to still be able to provide care to patients without exposing them to COVID-19, healthcare providers are flocking towards telehealth during the COVID-19 global pandemic. It allows patients to receive healthcare consultations and check-ups from the safety of their own homes while limiting the potential exposure of both patients and healthcare providers to COVID-19. While this technology provides many benefits, there are security risks with telehealth.
The use of telehealth services, including video chat, in dealing with the coronavirus can help lessen the demands on on-site healthcare resources while keeping sick or quarantined patients at a safe distance. There is some confusion among healthcare providers when it comes to how HIPAA laws apply when healthcare services are rendered via telehealth.
A bill providing federal funding to fight the COVID-19 pandemic was passed earlier this year by Congress and signed into law by President Trump. In that bill are provisions known as the ‘Telehealth Services During Certain Emergency Periods Act of 2020,’ which allow the secretary of the Department of Health and Human Services to waive certain requirements in order to allow for some telehealth services, including treatment services via the use of smartphones, standard telephones, fax machines and e-mail, to be reimbursed by Medicare.
While some restrictions were lifted on Medicare billable telehealth services that healthcare providers can offer amid the coronavirus outbreak, expectations for safeguarding patients’ protected health information were not watered down in any way. So, it is imperative that healthcare providers do all they can to properly safeguard patient information, even when offering telehealth services throughout the pandemic.
It is extremely important that healthcare entities take the proper security precautions when using telemedicine applications. That includes ensuring all healthcare information and data that is transmitted over the internet is encrypted.
As the use of telemedicine expands, both because of technological advancements and availability and because of COVID-19, the risks evolve too. For example, if non-essential healthcare employees are told to work from home, that means many more people will be using remote access services to work with patient information and records. This could slow down the organization’s internet connection, which is why it’s important to have a plan in place for situations like these.
Hospitals are continuously working to ensure their networks are secure, especially after ransomware attacks in the last few years. Individual devices, at-home patient monitors, and remote-care devices have no embedded security and remain vulnerable. These remote devices even lack the network security a hospital could provide for them if they were in a controlled environment.
Telehealth uses and constraints
Telemedicine’s most prevalent use is still a phone call and/or email to a primary care provider. Other components of telehealth that are increasing in popularity include direct monitoring systems like wearable devices that monitor a patient’s vitals which then feed the information virtually to the healthcare provider.
Securing patient information is incredibly important because human lives depend on the wearable devices, and an attack could damage a patient’s health and even result in death. Malicious attacks on connected medical devices are a very scary thought because, in addition to the impact on a patient’s health, the hackers can also steal personal health information, demand ransom from device manufacturers and use the devices as gateways to infiltrate larger networks.
Any connected medical device could be at risk. This includes remote monitoring devices, pacemakers, insulin pumps, implanted defibrillators, glucose monitors and so on. All it takes is one vulnerability.
The advances in telemedicine will continue to be constrained by the deployment of technologies and the bandwidth to support video. Many rural areas, especially those that would benefit the most from telemedicine because of their physical distance from medical centers, simply don’t have adequate broadband coverage.
Point-to-point solutions, including phone calls and texting photos, are the easiest methods to secure since there are few points at which a third party could monitor the call. The exception is the storage of photographs texted to the physician, since they will be stored either on a mobile phone or on a computer application that links to a mobile number. This is why it’s important that patients are aware of the potential risk of sending sensitive photos to their physician: these photos are stored outside of a typical electronic health record.
Limiting security risks with telehealth
HIPAA guidelines on telemedicine are contained within the HIPAA Security Rule:
- Only authorized users should have access to patient health information.
- A system of secure communication should be implemented to protect the integrity of patient health information.
- A system of monitoring communications containing patient health information should be implemented to prevent accidental or malicious breaches.
In order to minimize security risks with HIPAA, you should also communicate with patients only on a secure platform; don’t use Skype, FaceTime or email to communicate patient health information.
- Make sure that all information, data, photos and videos sent between the provider and patient are encrypted.
- Make sure that you and the patient are using a secure WiFi network.
Understanding the security risks that are associated with telehealth, along with all HIPAA rules and regulations, is vital for healthcare providers that are making the switch to telehealth. We offer a HIPAA course where you can learn everything from privacy laws and security risks to safeguards and more in one convenient place online. For more information, please don’t hesitate to get in contact with us today.