Among the many industries affected by the COVID-19 pandemic, healthcare was suddenly transformed. Providers struggled to deal with an influx of coronavirus cases while managing the flow of patients needing treatment for non-COVID conditions. Given the highly contagious nature of the virus, more medical professionals and patients have opted to use telehealth services for routine care. By all accounts, telehealth has shown it can work at scale and is here to stay.
However, remote healthcare comes with its share of security concerns and potential vulnerabilities. These weak spots can result in HIPAA violations, put patients’ data at risk, and ultimately diminish trust in the technology as a means to seek medical help. People need to be aware of the risks and adopt measures to ensure their private information can be protected.
Cyber criminals capitalizing on telehealth
Much of telehealth revolves around patient monitoring devices. These include devices attached to the body, like pacemakers, as well as smartphone apps used to track and transmit critical health information. While monitoring devices like these existed well before the pandemic, they are more ubiquitous now because they help limit the physical interaction between medical practitioner and patient. While these are positive steps for telehealth, cyber criminals are finding ways to disrupt this process and access proprietary information by using medical monitoring as a major threat vector.
One way bad actors obtain private information is through social engineering, a well-known tactic that takes advantage of people who are unaware or vulnerable. The most common social engineering attack is phishing, typically a link sent by text message or email that misleads the victim into providing sensitive information such as credit card details.
Another common trick is pretexting. In the context of telehealth, a cybercriminal poses as a trusted ally, like a medical assistant or an insurance provider, looking to obtain patient information like date of birth, a social security number, or financial details. Once the criminal has personal details, they use them to pass security hurdles and access protected accounts.
The main difference between phishing and pretexting is that phishing attacks rely on fear and urgency, while pretexting is built on a false sense of trust. Yet the outcome is often the same.
Hospitals and medical facilities play a major part in protecting health information. The first step is ensuring the facility’s infrastructure — including IT systems, software, and hardware — complies with HIPAA and security measures. Telehealth isn’t new and proper protocols are largely in place, but the rapid adoption of telehealth services comes with risks like ransomware. A single ransomware attack or social engineering attempt can cripple a medical facility, so it’s important that employees have basic cybersecurity training. They should learn to identify a potential threat and understand how to protect private information to make sure any attack has a minimal chance of success.
The thing for hospitals and medical facilities to keep in mind is that when it comes to cybersecurity, the human element is a top concern. All medical workers with access to sensitive or personal information should have comprehensive security knowledge and training in best practices to thwart a cybersecurity attack.
What to do
There are many simple steps the average person can take to reduce the risk of falling victim to a cyberattack of any kind. These steps aren’t limited to telehealth but can be applied to other industries that deal with private information.
- Always update connected devices as soon as updates are available. Many updates fix security weaknesses, and applying them promptly closes those gaps before they can be exploited.
- Use long, unique passphrases across all accounts. If you fall victim to an attack where a bad actor learns your passphrase, the damage will be limited to that single account.
- Enable two-factor or multi-factor authentication, such as biometrics, security keys, or a unique one-time code from an app on your mobile device, wherever it is offered: insurance accounts, patient portals, financial accounts, and others.
- If you receive an email or text message requesting you to confirm or submit sensitive health information, your login information, or any other sensitive personal information — don’t. Immediately contact the organization to verify the request without using the contact information contained in the email. You can also visit the company’s legitimate website and log into your patient account to see if you have any messages or action items.
- When submitting sensitive information to a medical professional, make sure the website or channel of communication is secure.
- If using telehealth applications, communicate with your doctor and ask questions about what data is collected, how it’s shared with the doctor, and how it will be used. Make sure any accounts tied to telehealth apps are protected with a strong passphrase and monitor them regularly for discrepancies.
- When connecting with a doctor or physician over a video conference, make sure the connection is secure. Whether it’s a password-protected Zoom conference or an encrypted connection through a telehealth-focused service, always feel free to ask the medical professional about the meeting security measures taken before proceeding with the appointment.
These are just a few simple tips to protect healthcare information when using telehealth services, but they can go a long way in keeping private information secure. The most important step for most people is to stop and think before acting. Most cyber criminals try to involve a sense of urgency in their scams in the hope of moving people to act quickly. Always question why and how a request is made, and if you’re unsure about any aspect of an interaction, contact your medical provider immediately to validate the request.