In response to the pandemic, healthcare systems around the world have brought down many of the regulatory barriers to telehealth. More patients than ever have been able to reach their doctors from their homes, using popular video chat platforms like FaceTime, WhatsApp, Zoom, and Facebook Messenger.
For the most part, that’s a good thing: Patients can see doctors from the comfort and convenience of their own homes, without raising their risk of contracting the deadly coronavirus. Healthcare providers benefit from continuing to see non-Covid patients, who bring in a much-needed stream of revenue.
But the rise of telemedicine also brings at least one big risk: All these virtual visits are generating a mountain of digital healthcare data, which has to be secured against increasingly aggressive cyber attacks. Now, healthcare providers have to worry about the security of their own IT systems as well as that of all the devices in their patients’ homes. Patients may not think about cybersecurity very much, but there’s a lot they can do to protect their data.
Ever since healthcare providers started storing data digitally, their systems have been juicy targets for hackers. Health records store tons of sensitive, personal information—medical histories, payment information, and a wealth of details like addresses, birthdates, and family members—that can be used to steal patients’ identities.
As a result, cyber criminals can extort higher ransoms from hospitals they hack into, or sell that data at a premium on the black market. Stolen healthcare records, in fact, are more valuable than stolen credit cards.
In recent years, healthcare hacks have been on the rise—and during the pandemic, hospitals have been hit with a fresh deluge of attacks. Hackers targeted European hospitals in April and again during Covid-19 vaccine trials in December. Scores of South African hospitals were compromised in a wave of ransomware attacks in June, as were hundreds of US hospitals in October. State hospitals and other healthcare organizations were also targeted during the massive SolarWinds attack that was revealed in December, although the full extent of the damage is not yet public.
The incidents highlight just how many things can go wrong in a healthcare provider’s cyber defenses. Hospitals, clinics, and other practitioners need to encrypt their communications with patients, protect the data stored on their servers, train employees not to fall for scams that might give hackers a way in, and vet the cybersecurity of the suppliers that sell them devices and software. If a single vendor screws up, a hospital and its data could be exposed.
“People who had what I would call rock solid security programs [got hacked during the SolarWinds breach], all because that one device they had in their organization could be compromised,” said Christopher Logan, who heads healthcare strategy for the business software firm VMware.
Because many patients are now using their personal devices to connect with their doctors, hackers have even more targets to attack—and those targets aren’t usually very well defended. “The [healthcare] providers have their work cut out for them, but I worry about the consumers on the other end of that connection,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center. “What are they doing to secure their systems?”
Globally, the rules for what’s allowed in the realm of telehealth vary widely. Some countries, such as Italy and Australia, have no restrictions on using consumer-facing apps for telehealth visits. But in the US at least, a crackdown is likely coming. The rule that allows doctors to see patients on popular video call platforms like FaceTime is temporary, and is expected to expire once the federal government declares an end to the pandemic public health emergency. At that point, doctors and patients will be required to use specialized video chat platforms that comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The main HIPAA requirement is end-to-end encryption, which ensures that no hacker can intercept a call between a patient and their doctor. Among the video chat companies that say their platforms meet HIPAA requirements, there some platforms that specialize in telemedicine, like Zoom for Healthcare, Updox, and Doxy, and a few general-purpose video calling tools with high security standards like Cisco’s Webex and Microsoft Teams.
But encrypted calls can only offer so much protection. “If I share a file with you, I feel good about the file moving from point A to point B, but what happens after I give it to you?” asked Weiss. “If your system has malware on it and cybercriminals are there lurking and they see that file and they grab it, it’s gone.”
Hospitals can control every aspect of their own IT systems and train their employees in cybersecurity practices, but they can’t stop their patients from pirating movies on the same laptop on which they do their telehealth visits. Logan and Weiss say that, now more than ever, healthcare providers are in the uncomfortable position of trusting patients with the security of their own data.
Fortunately, consumers aren’t totally helpless. Weiss says there are a few basic things that anyone receiving telemedicine can do to reduce their risk of getting hacked:
- Make sure your device’s operating system is fully updated. Those updates contain security patches that plug known gaps in your cyber defenses.
- Use multifactor authentication. Most sites (Facebook, LinkedIn, Paypal, etc.) let you add your phone number to your account, so that when someone tries to log in on a new device they won’t get access unless they have a code that’s been texted to your phone. Take advantage of this—especially for your email account. It’s the holy grail of hacking targets, because if someone can get in there, they can reset your passwords on all your other accounts.
- Get a virus scanner and run it regularly. You can get a decent one for free for Windows or Apple.
- Learn to recognize a scam. It’s not always easy to spot a phishing email. But as a rule of thumb, you should be very reluctant to send your account information to anybody.
- Use a password manager. There are several free options out there that will make sure you have unique, strong passwords for each account, without having to memorize them.