The coronavirus pandemic accelerated telemedicine exponentially as patients and doctors switched from in-person visits to remote consultations. Health providers rapidly scaled virtual offerings in March and April and traffic volumes soared to unprecedented levels, with practices “seeing 50 to 175 times the number of patients by telehealth than before the outbreak,” according to McKinsey. By early August, the U.S. Department of Health and Human Services expanded the list of allowable telehealth services in Medicare and there was an executive order supporting permanent telehealth provisions for rural areas.
But the surge in telemedicine adoption comes with a host of cybersecurity risks and regulatory compliance requirements unique to the healthcare sector.
As telemedicine traffic increases, so does the volume of hacking attempts. Recent cybersecurity news indicates healthcare organizations are top targets for cyberattacks and “providers remain the most compromised segment of the healthcare sector, accounting for nearly 75 percent of reported breaches.” The consequences are chilling: “The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States.
Further, whenever patient information is involved, HIPAA compliance is required. While HHS temporarily suspended pursuing HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency,” such permissiveness will not last.
Luckily, most telemedicine providers can utilize managed services and cloud infrastructure to keep pace. Here are some best practices to meet IT compliance and cybersecurity demands for telemedicine.
Telemedicine Compliance Best Practices
Compliance should be viewed as a real-time process that drives security. Telemedicine tools and technology should therefore reflect significant expertise with all healthcare regulations (HIPAA, HITRUST, HITECH), with compliance functions permeating processes. Recommended compliance best practices include:
1. Automate Remediation
Healthcare applications cannot offer high reliability if every potential compliance problem is remediated manually; there’s just too much that can go wrong and never enough staff to address it when needed. The solution is to automate everything that can be automated, and rely on people to handle exceptions or potential violations that don’t impact reliability. Cloud-based services can integrate AI and operational intelligence to automatically remediate anomalies when possible, present recommendations to operations staff for cases that cannot be resolved automatically, and present clear choices such as:
· Do Nothing: Take no action, delete ticket after [x number of days]
· Fix Now: Implement the recommended actions immediately
· Schedule: Perform the recommended actions during the next maintenance window
This approach speeds resolution and decreases service disruptions, and improves the reliability of telemedicine delivery. The automated response also plays a critical role in security (which will be discussed shortly).
2. Perform Formal Risk Assessments
Understanding the risk level and specific risk issues are critical components for an effective compliance plan. Many providers of healthcare services underestimate their level of risk, in part because it is difficult to quantify. The HHS has published guidance in its Quantitative Risk Management for Healthcare Cybersecurity, which offers insight. There are also cloud solutions that can aid the process. Cloud services providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud offer automated security assessment services that help improve the security and compliance of applications deployed on their cloud hosting platforms. They can generally assess applications for exposure, vulnerabilities, and deviations from best practices. A good inspection service should highlight network configurations that allow for potentially malicious access, and produces a detailed list of findings prioritized by level of severity.
3. Reduce Attack Surface
To provide secure access to sensitive information, hybrid architectures supporting telemedicine applications need a virtual private network (VPN) gateway between on-premises and cloud resources. However, developers, test engineers, remote employees, and others who need access to cloud-based protected health information (PHI) may bypass a VPN gateway by either cracking open the cloud firewall to allow direct unencrypted internet traffic or using peering connections. To prevent such potential exposures, secure desktop-as-a-service (DaaS) solutions provide an elegant way to allow cloud-based access to PHI without exposing connections or records. A DaaS is generally deployed within a VPC providing each user with access to persistent, encrypted cloud storage volumes using an encryption key management service. No user data is stored on the local device, which reduces overall risk surface area without impeding development capability.
Telemedicine Security Best Practices
While the full scope of cybersecurity strategies is beyond the scope of this article, here are three best practices that telemedicine providers can use bolster their security profile:
1. Deploy Proactive Network Security
Modern cyber threats have become steadily more sophisticated in evading traditional security measures and more devastating once they penetrate network perimeters. For that reason, telemedicine providers need a highly proactive, multilayered approach to prevent malware-based outages, theft of intellectual property, and exfiltration of protected health information (PHI).
A combination of network anti-malware, application control, and intrusion prevention systems (IPS) is recommended. Such proactive solutions are generally bundled in managed cloud services that should automatically detect suspicious system changes in real-time, isolate and quarantine affected resources, and prevent the spread of exploits by locking down any server whose configuration differs from the installed settings.
2. Encrypt Data Storage
Data encryption is the last line of cyber-defense for PHI and other critical information. Even if an attacker can penetrate the perimeter and proactive network security and exfiltrate data from the provider, those data are useless to the hacker if encrypted. It’s good practice to encrypt all web and application servers running on cloud instances using a unique master key from a key management service when creating volumes.
Encryption operations generally occur on the servers that host cloud database (DB) instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its block storage. For additional protection, you can also opt to encrypt DB instances at rest, underlying storage for DB instances, its automated backups, and read replicas.
3. Harden Operating Systems
Both Microsoft Windows Server and Linux are ubiquitous operating systems in telemedicine. They are also both attractive targets for cybercriminals because they provide complex capabilities, frequently remediate vulnerabilities, and are so common (increasing attackers’ chances of finding an unpatched system). Hackers use OS-based techniques such as remote code execution and elevation of privilege to take advantage of unpatched operating system vulnerabilities. Hardened images of Windows Server and Linux virtual machines (VMs) should be used, employing default configurations recommended by the Center for Internet Security (CIS). Such hardened images make gaining OS administrative extremely difficult, and coordinate well with proactive security bundles described earlier.
Additional resources for telemedicine compliance and security are available from the American Medical Association (AMA), the US Department of Homeland Security, the U.S. Department of Health and Human Services, and HITRUST.
While these best practices are targeted primarily at telemedicine companies, they can also be applied to a wide range of healthcare providers and organizations delivering vital services in the face of 2020’s dramatic swings in demand.
About Gerry Miller
Gerry Miller is the founder and chief executive officer at Cloudticity. He is a successful serial entrepreneur and healthcare fanatic. From starting his first company in elementary school to selling his successful technology consulting firm in 1998, Gerry has always marched to his own drummer, producing a series of successes. Gerry’s first major company was The Clarity Group, a Boston-based Internet technology firm he founded in 1992. Gerry presided over seven years of 100% aggregate annual growth and sold the company in 1998 when it had reached $10MM in revenue.
He was recruited by Microsoft to become their Central US Chief Technology Officer, eventually taking over a global business unit and growing its revenue from $20MM to over $100MM in less than three years. Gerry then joined ePrize as Chief Operating Officer, where he grew sales 38% to nearly $70MM while improving operating efficiency, quality, and both client and employee satisfaction. Gerry founded Cloudticity in 2011 with a passion for helping healthcare organizations radically reshape the industry by unlocking the full potential of the cloud.