Healthcare data security issues: Best security practices for virtual healthcare sessions
The healthcare sector has, and still is, undergoing a digital transformation — the Covid-19 pandemic exacerbating this change. Telehealth (healthcare is delivered by remote methods) has been used successfully during the Covid-19 pandemic to deliver health services safely, but telehealth also raises important healthcare data security issues.
A Center for Disease Control and Prevention (CDC) report noted a 154% increase in telehealth visits in March 2020, over the previous period in 2019. But digital mechanisms for data access, sharing and storage put these data at risk. The 2021 X-Force Threat Intelligence Index report placed healthcare in seventh place in its “Top 10 industries by attack volume.” A “barrage of ransomware attacks against hospitals” was at least partly responsible for placing healthcare in this most egregious of top 10 lists.
With more telehealth and related digital mechanisms to deliver health, the sector looks set to experience further cyberthreats. That’s why healthcare data security standards are more important than ever.
Implementing HIPAA Controls
What is ePHI?
Telemedicine requires that health data is shared, viewed, stored and worked on as electronically protected health information (ePHI). ePHI comes under the remit of protected health information (PHI), and in the United States, ePHI is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
What are some of the common data security threats in healthcare telemedicine?
A recent poll of 159 healthcare industry participants from Threatpost explored the best practices in delivering telemedicine healthcare. The poll pointed out some of the biggest security threats in healthcare when using telemedicine to deliver healthcare services. Some of the highlights from the report include:
Increasing risks of telemedicine: 72% of respondents noted an increase in targeted cyberattacks on telehealth devices and networks in the previous nine months.
Increase in attack volumes: In line with the X-Force report, the Threatpost poll found a general uptick in attack volumes, with 37% of respondents seeing an increase of 25%.
Risky business: 58% see virtual healthcare visits as a cybersecurity risk.
Areas of risk: 58% of respondents said that data breaches were the biggest risk area.
Virtual meeting platforms: The platforms used to deliver telemedicine, including Zoom, may have security vulnerabilities with 35% of respondents saying that insecure video-conferencing platforms were a risk.
HIPAA delivery portals: The portals used to deliver medical images and prescriptions could have exploitable vulnerabilities and 25% of respondents agree that these platforms were a risk.
Home networks: Patients using home networks may be accessing telemedicine devices via insecure connections and in privacy compromised settings.
Data in the cloud: Telemedicine means that patient data is moved and stored using cloud technology and 58% of poll respondents believe this increases the risk of that data. The result is that the data is at risk from Business Email Compromise (BEC) and phishing attacks as well as insecure APIs. Also, and in line with the data coming from X-Force, ransomware was another major challenge identified in the Threatpost poll. 17% of respondents of the poll believed that the digitization of patient data placed that data at risk and 11% of respondents pointed out that purpose-built telemedicine IoT devices were an added risk to patient data.
Telemedicine best practices to mitigate cyber risk
The risk to patient data is evident in the move to cloud-based systems that depend on sharing and storing data that may be carried out over insecure networks. The Threatpost poll was able to elicit the views of the respondents into their own best practices for dealing with these risks.
The poll delivered five key areas that should be prioritized as a best practice to protect telemedicine-based healthcare:
- Data integrity and proper cloud configurations: 22.6% of respondents suggest this as a best practice priority. Cloud misconfiguration is behind many cyberthreats and attacks. This is backed up by a McAfee report that found an enterprise has around 2,269 misconfiguration incidents, on average, per month.
- Patching: Ensuring prompt security patches was seen as a best practice priority by 21.3% of respondents of the poll. A report from Edgespan concurs and suggests that patching needs to be consistent but can be a challenge in live production environments. The Edgescan report found that the average time to patch an internal system is 50 days, but this increased to 71 days for an internet-facing system.
- Third-party app vetting: Any telemedicine apps must be checked as a priority for vulnerabilities according to 20.8% of those polled. An investigation by Approov into mobile health apps found that 30 of these apps, all from large healthcare technology companies, had vulnerabilities making them susceptible to a broken object level authorization (BOLA) attack.
- Endpoint protection: The remote healthcare methodology of telemedicine means that more endpoints are needed. This naturally expands the attack surface. Robust endpoint protection, smart enough to deal with polymorphic and fileless malware, is seen as a best practice priority by 20.1% of the Threatpost poll respondents.
- Insider threats: 13.2% of those polled said best-practice efforts to prevent insider threats should be a priority. Insider threats cover a whole gamut of incidents and are accidental as well as malicious. With patients being an integral part of sharing and potentially storing sensitive data, this adds a complex layer to protecting data.
Implementing HIPAA Controls
Making telemedicine safer
Healthcare is a challenging area to work in and the technology needs of that discipline need to work with a wide variety of stakeholders. The data that is used to transform patients’ lives and help medical practitioners deal with the needs of patients must be protected, both for compliance and as an ethical stance.
Best practice implementation can help alleviate the risks to these data but must be done as a layered approach and not in isolation.
Sources:
Threatpost Poll into Telemedicine Best Practises, Threatpost
IBM 2021 X-Force Threat Intelligence Index, IBM
Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic, Center for Disease Control and Prevention
McAfee Cloud Adoption and Risk Report, McAfee
Edgescan 2020 Vulnerability Statistics Report, Edgescan
Approov mobile health app investigation, Approv
OWASP API Security Project, Broken Object Level Authorization OWASP
8 of the world’s biggest insider threat security incidents, Infosec
Implementing Controls for HIPAA
Learn how to maintain the confidentiality, integrity and availability of PHI and ePHI. What you'll learn:- HIPAA models and protocols
- Best practices for controls
- Privacy rule standards
- HIPAA compliance plans
- And more
In this Series
- Healthcare data security issues: Best security practices for virtual healthcare sessions
- Genetic testing "hottest" new form of health insurance fraud, FBI warns
- Analysis of ransomware used in recent cyberattacks on health care institutions
- Top cyber security risks in healthcare [updated 2020]
- How to satisfy HIPAA awareness and training requirements
- What Is Protected Health Information (PHI)?
- The Most Vulnerable and Hackable Medical Devices
- How to Comply with HIPAA Regulations – 10 Steps
- 5 Security Awareness Tips for HIPAA Compliance
- How WannaCry Ransomware Crippled Healthcare
- Breach Notification Requirements for Healthcare Providers
- Top 10 Threats to Healthcare Security
- Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It
- NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
- NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK
- NDG Pt. 1: Data security standards and opt-out models in health and social care
- Patient Privacy in Healthcare: A Security Practitioner's Approach
- How Healthy is Security Across Healthcare?
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- A Detailed Look Into the World of Clinical Decision Support Systems
- Top Clinical Application Systems
- Who is Hacking Healthcare?
- Types of hospital information systems
- HIS/HMIS
- The Healthcare IT Stack
- Medical Device Regulation
- Security Risk Assessment in Health Care
- Risk Management in Healthcare
- Security Technologies in Healthcare
- Medical Data Protection
- Healthcare Attack Statistics and Case Studies
- Security Leaders in Healthcare
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare
- Emerging Technologies in Healthcare
- 10 Best Practices for Healthcare Security
- IS Best Practices for Healthcare
- Hospital Security
- Security Awareness for Healthcare Facilities
- Hospital security policies & procedures
- What Does Security Awareness Mean for Doctors, Nurses and Hospital Staff?
- Security Awareness for Healthcare Professionals
- Hackable Medical Devices
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- HIPAA Security Checklist
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Overview of Regulations and Compliance
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Healthcare information security
Genetic testing "hottest" new form of health insurance fraud, FBI warns
Healthcare information security
Analysis of ransomware used in recent cyberattacks on health care institutions
Healthcare information security
Healthcare information security