Just Be Careful –
JULY 13, 2020 – “Most telehealth practitioners do not receive formal information security and privacy training,” said Leming Zhou, a professor of health informatics at the University of Pittsburgh. “It is very difficult for them to follow very technical guidelines” to safeguard information collected during these visits.
Zhou said, however, that the security issues are solvable and that patients and doctors should not have to choose between privacy and the increased convenience of telemedicine. He and other researchers developed a questionnaire to help telehealth providers assess the security of the software they use. It prompts them to ask questions about whether and how the data are encrypted, where they are stored, and who is authorized to access them.
Ensuring those protocols are followed is especially crucial right now, given that hackers who have accessed health data in the past have introduced ransomware into hospital information systems and threatened to expose patients’ data to extort them for payments. That can hamstring a hospital at any time, but could be particularly devastating as health providers try to care for an onslaught of patients during the pandemic. “If the bad guys get in through the telemedicine weak link and then plant ransomware, it’ll shut down an entire hospital, and then you can’t care for patients,” said Lynn Sessions, head of the health care privacy and compliance team at the law firm BakerHostetler, which publishes an annual report on data breaches.
She said she is not aware of any specific breaches related to the use of telemedicine in recent months, but said those kinds of attacks are inevitable. “I fully expect that as the year goes on, we will hear that the way the bad actor got into my hospital information systems was through a telemedicine platform,” Sessions said.
Telemedicine use has also been tied to fraud and abuse. The $1.2 billion Medicare fraud led the government to pay between $17 million and $22 million per week to companies participating in fraudulent practices over five years. A federal indictment resulted in charges against three prescribing medical professionals and 21 owners or executives of telemedicine and medical equipment companies. Five months later, an executive of another telemedicine company was charged with fraud, in this case for allegedly billing Medicare $424 million for a similar scheme in which telemedicine doctors were paid kickbacks for prescribing unnecessary orthopedic braces.