COVID-19 Response: Following Best Telehealth Security Practices

The novel coronavirus COVID-19 pandemic has changed everything: where your employees work, how they work and even how they go to the doctor. To limit in-person interactions with medical staff and to help prevent the spread, people are being encouraged to use telehealth options whenever possible. However, like any online activity, telehealth carries risks, both for your company’s network and data and for your employees’ data privacy.

Telehealth Coming Into Its Own

“The telehealth trend was already quickly growing, but the COVID-19 pandemic has greatly escalated interest in, and demand for, these types of services,” said Jonathan Dixon, principal consultant at the Crypsis Group, in an email interview. The service also got an extra boost when the Coronavirus Task Force recommended its use in place of on-site doctor consultations.

Dixon pointed out that security and privacy concerns surrounding telehealth (and other digitally provided services) have been ongoing, but they are heightened now, at a time when people are ready to trade privacy for immediacy of care and when services are being rushed to market more rapidly.

“For companies deploying remote monitoring devices, the devices should be built in a way that reduces their attack surface area. This can be accomplished by removing, disabling or restricting services, applications and/or user accounts that aren’t required to run the client-side application,” he advised. For example, the local administrator account should use a randomly generated password that’s rotated on a regular basis and require multi-factor authentication, and if the remote devices are required to exchange data with backend infrastructure, they should be built to secure all communications exposed to public networks.

The Data Privacy Risk

Medical data is some of the most sensitive information out there. HIPAA and other regulations have been in place for years, long before more general privacy laws were instituted. How safe, then, is the information being shared between the patient and the teledoc?

“When it comes to privacy, the overly private nature of the health industry can make things less useful; oftentimes you need to explain much more to the doctor since you have never seen them and they have limited access to your health issues,” said Thomas Hatch, CTO and co-founder at SaltStack, via email. “The privacy issues, in large part, stem from how restrictive data-sharing makes the telehealth meeting less useful. This leads to needing to share more of your medical history with the telehealth doctors.”

This, in turn, makes the entire communication more vulnerable in a variety of ways. Someone could eavesdrop on your conversation (for instance, if you hold an essential job and are still taking the call from your workplace), or the application itself could be hacked. Also, hospitals often lag behind on IT infrastructure and cybersecurity. “Generally speaking, the further from IT that a company is, the worse job of IT they do,” added Hatch.

Best Practices

Using telehealth services securely follows the same general security practices as any other online service, including the following:

  • Use a reputable online store to download the app. Or see if your regular health provider has a preferred app and offers a download from its website. If your company offers this service as part of its healthcare system, check with HR to ensure you have the right information before downloading or connecting.
  • Get recommendations. “I have always checked out who else I know who is already using the service and made an assessment on peer recommendation,” said Steve Durbin, managing director of the Information Security Forum. “I never want to be the first up when using a new app or service.”
  • Understand how the app is using your data. Make sure you are using a service that is reputable, check out how the data you share will be used (including storage and destruction) and only disclose relevant information that is absolutely essential. “Most reputable telemedicine providers will be able to point you to a code of conduct and use of data explanation,” Durbin noted. Also, make sure the telehealth service is following all HIPAA rules.
  • Watch out for social engineering surrounding telemedicine. Hackers are already running coronavirus-themed phishing campaigns, so expect that at some point they will try to trick you into clicking on a malicious telehealth link. Always verify a link or attachment before opening it.

Telemedicine is still very new to most users, but it is only a matter of time until cybercriminals find vulnerabilities and use it as an attack vector. As employees are encouraged to use this service now, all efforts should be in place to make sure it is accessed securely.

Sue Poremba


Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
