What’s Wrong with Telehealth Cybersecurity?

Health facilities rapidly implemented telemedicine in 2020 to respond to COVID-19. Did the speed of the action expose patients to undue cybersecurity risk? Provider organizations—and the technology developers who support them—need to address the secondary cybersecurity crisis created by the rapid implementation. Fortunately, best practices and new solutions abound.

Many care facilities rushed into implementing easy telehealth solutions once regulators lifted regulatory restrictions, but they had to act so quickly that there wasn’t time to adequately address data security.

Imagine the unreasonable cybersecurity risks that would occur if the government decided that financial institutions no longer needed to protect their customers’ banking information for the next year. That’s exactly what happened in healthcare in 2020.

Similarly, many application developers never expected that their tools would be so rapidly implemented at such a scale. Consequently, many developers may now need to quickly address the inherent vulnerabilities in their toolset before customers call to cancel accounts due to potentially catastrophic cybersecurity vulnerabilities. Healthcare professionals are demanding that the developers harden the security of their applications. This is especially the case in telehealth.

From Coronavirus to Telehealth Cyber Threats

"We are empowering medical providers to serve patients wherever they are during this national public health emergency"

Roger Severino,
Director of OCR for the HHS

On March 30, 2020, the Department of Health and Human Services in the United States issued a notice that changed the balance of regulatory requirements for care professionals to use simple, non-compliant telehealth solutions. Other countries similarly relaxed regulations, but we’ll focus on the American context in this post.

“OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” — HHS

The week before the new enforcement provisions from the HHS, the CDC saw a 154% increase in telehealth visits from the year before. By April 2020, 43.5% of Medicare primary care visits were telehealth, up from 0.1% in February of 2020. The demand for telehealth skyrocketed when the regulations were relaxed, a move that was mostly responsible for maintaining access to care providers for low-income families.

What this meant for care providers was a rush to implement telehealth in a matter of days, not months or years. Developers worked hard and fast, like the gold miners in California in 1849. Millions of lives were on the line unless they figured out how to scale for capacity. As they rushed to save lives, they may have inadvertently thrown out the cybersecurity baby with the bathwater!

Health systems rose to the challenge, and many people are alive today who would otherwise have perished. Now that the situation has stabilized, care providers must recognize that the tools they implemented to save all those lives (such as quick-hit telehealth solutions via Zoom, FaceTime, and Skype) exposed their organizations and patients to significant cyber risk.

What is the Risk Profile for Telehealth Solutions?

All software has vulnerabilities that are baked into the code, often from the first few lines. While software vendors and developers will happily describe the security layers they included in the program, the truth is that cybersecurity risks exist at the heart of the code. While it is easy for healthcare leaders to ask about the security features, they are increasingly diving deeper into specifics about how the developers are protecting the software from attacks at the level of the first few lines of code upon which the solutions are built.

The challenge of applying consumer apps designed for unregulated industries in the context of healthcare is that they were never meant to protect PHI. Unlike internal-facing or healthcare only applications, the consumer apps that HHS approved for temporary use were never intended to be robust enough to withstand the types of hacking that regularly occur in healthcare settings. As you may remember, Zoom got hacked to bits like a scene in a horror movie almost immediately after COVID-19 came to town. Hundreds of thousands of profiles were for sale on the dark web by April 2020. This hack shouldn’t be surprising, since Zoom’s value proposition was that it was better than Skype, not that it was a secure solution for telemedicine! 

What this fact means is that not only is the source code of Zoom filled with vulnerabilities like every app (the ingredients), the way the team mixed and baked their Zoom cake built a whole host of vulnerabilities into the tool we know and, sometimes, love. Of course, Zoom has done excellent work to level up their security in recent months, and continue to work on these areas.

The final risk to care providers with their telehealth solutions is the fact that HIPAA, HITECH, Meaningful Use, and PHI protections are still the law of the land in the USA, and in other countries similar laws apply. Note that the quotation above from HHS does not permit the disclosure of PHI. Instead, the OCR is saying they will not impose penalties for violating the standing law and existing rules. This shift means that the second the HHS declares the public health emergency “officially over” and normal behavior resumes, thousands of facilities could be immediately at risk of non-compliance penalties.

Approaches for Telehealth Security Review

The approaches that healthcare providers will take to secure their Telehealth solutions will depend on how quickly they implement the solutions. Similarly, the level of security analysis will depend on whether or not the solutions have been vetted by third party security experts.

Was the facility able to scale existing telemedicine capabilities from one department or unit to other units? If so, then the tools have already been put through a cybersecurity assessment. These facilities will simply need to review existing security processes to ensure they apply to the new workflow.

Did the provider organization start using multiple tools designed for other industries because the regulators were no longer paying attention? In that case, the organization may not have thoroughly evaluated the security aspects of their toolset. For them, the time is now to dive deeply into the security and workflows of their telemedicine capabilities.

Software developers who saw a major increase in customers using their tools for Telehealth should be ready for a lot of those customers to start calling up their representatives to discuss the cybersecurity aspects of the tool. These facilities are going to need solutions to their Telehealth capabilities that have robust, secure infrastructures.

Traditional Security Frameworks

By now, all provider organizations’ CIOs and CISOs are familiar with implementing traditional frameworks for cybersecurity. Software developers may benefit, however, from a short description of each and links for more information on the depth and breadth of security concerns to which healthcare organizations are responding.

HIPAA, the Healthcare Insurance Portability and Accountability Act — This 1996 law sets out the basic requirements for protecting health information privacy. These laws apply to health plans, health care clearinghouses, and care providers who conduct health care transactions electronically. 

HITECH, the Health Information Technology for Economic and Clinical Health Act — This 2009 law, part of Obama’s stimulus and recovery package, was designed to promote and expand healthcare IT use. The larges impact of the HITECH act on hospitals and health systems was the Meaningful Use program, which incentivized care providers to adopt certified EHRS. 

NIST, the National Institute of Standards and Technology — Part of the US department of commerce, NIST produces and revises a standard framework (see version 1.1) for voluntary use by critical health infrastructure owners. 

HITRUST — This company, founded in 2007, develops and helps care providers and business leaders manage risk through assessments and certifications. As the number of cybersecurity attacks continues to increase, these certifications are becoming increasingly important as part of every organization’s 

PCI, Payment Card Industry — This set of requirements spans all industries where payments are delivered through digital transitions. Anywhere care providers get paid directly by the consumer, PCI should be an important part of the cybersecurity infrastructure.

How can we address the software problems?

The truth is, no matter how much effort providers put into sourcing and selecting tech solutions that have robust cybersecurity measures baked into the cake, they will always have to deal with the guaranteed vulnerabilities that exist inside the ingredients. And no matter how diligently providers implement frameworks for cybersecurity, the endpoints will still be vulnerable unless they and the developers have addressed the inherent vulnerabilities in the toolset.

Verimatrix uses a unique method for hardening and securing the applications used by care facilities. And the beauty is there is a simple metaphor to explain how their approach works. When looking at security, it’s best to reverse-engineer the process that the hackers will use to expose the weaknesses underlying the endpoints.

Can the hacker read the book? — Obfuscation

This first layer of security makes it difficult for the hacker to interpret the code & read the software. Because software is an open book, all you have to do is download the app and start reading the code. Verimatrix helps clients first by making the code itself much more difficult to read by the hackers and the tools they use to interpret the code. It’s the equivalent of using a whole bunch of different fonts and text sizes and shredding it all for good measure.

Can the hacker watch the movie? — Dynamic Analysis

Next, the hacker wants to move to more dynamic analysis and “watch the movie” of how it executes the processes. They make sure that the apps are only running on trustworthy devices, which prevents hackers from reviewing the application as it is being used.

Can the hacker play an interactive game? — Modification

Finally, hackers don’t just want to read the book or watch the movie. They want to play an interactive game! They want to knock out specific security features, tamper with the code, and see what happens when you interact with the tool. Verimatrix provides an anti-tamper feature that shuts down the code’s operation if any aspects are tampered with. Effectively, this prevents hackers from interacting with the software. 

What’s Next?

As our communities and care organizations respond to second and third waves of infection, security leaders are now starting to review their security risks in this new landscape of telemedicine. Thanks to the government’s foresight to relax the HIPAA regulations, many lives were spared by opening up telehealth access in the USA. But those lives were not free; they came at the cost of radically increasing cybersecurity risk to PHI.

At some point, the crisis will be over, and OCR and HHS will resume penalizing provider organizations for breaking HIPAA rules and regulations, as will regulators in other countries. Facilities know this. The forward-thinking organizations are already working with their vendors and third-party security providers like Verimatrix to reduce their risk.

For software developers, it’s worth remembering that provider organizations aren’t just trying to make the regulators happy. Real lives are at stake. Recently in Finland, a whole group of psychotherapy patients had their PHI stolen. The hackers then proceeded to blackmail the individual patients instead of the facility. Similarly, prosecutors in Germany are working to link a woman’s death to a cyber-attack on a university medical center

Ultimately, the greatest risk always lies with losing patient trust when a data breach occurs. According to studies this summer, 70% of respondents say they are interested in using telehealth once the pandemic subsides. One of the major issues that could break that trust, respondents reported, were data breaches involving virtual care. These examples show that, regulators aside, telehealth providers and medtech integrators need to ensure that systems, feeds, records, data and lives are not severely disrupted by malicious attacks on the digital infrastructure under their control.

When it comes to telehealth, there is no walking back from an unauthorized attack.