October 26, 2020
The COVID-19 pandemic has placed enormous strain on health care delivery. As providers have scrambled to deliver patient care while meeting new sanitization and social distancing requirements, telemedicine consequently exploded into popularity as both patients and doctors gladly traded physical visits with virtual ones whenever possible. While, overall, this is a positive advancement for health care, it does come with additional and relatively new risks for providers.
Risk vs. Reward
Telemedicine is a great way for patients to follow up with doctors, consult about medications, keep up with regular therapy sessions and more. However, the sudden pandemic surge in demand meant that health care organizations implemented the technology on a large scale, very quickly. Experts warn this is now the health care industry’s biggest overall risk, resulting in a deluge of new threats and attacks.
The pandemic has made businesses and individuals in every industry more susceptible to cyberattacks. In a previous blog, we talked about how businesses need to be more concerned not just with their own cybersecurity standards, but with those of their vendors. Any third party that has access to client or patient data (even tangentially) presents a potential risk for a security breach. Telemedicine providers are exactly that: third party vendors with access to sensitive data, and they need to be vetted as such.
The increase in serious cyberattacks in health care is a result both of increasing the industry’s overall cyber footprint, and potentially from implementing new technology very quickly without proper due diligence. While there are reliable, well-established technology providers, new less experienced, or trustworthy, companies have rushed onto the scene to fill the gaps in the telemedicine boom.
Hospitals, mental health care providers, and any other industry organization should be clear when engaging a third party telemedicine provider: they are the ones responsible for data breaches. Businesses sometimes mistakenly assume that if a vendor’s subpar security exposes them to a cyberattack, the vendor will be the one held liable for any damages and costs. That is rarely the case: health care organizations, in particular, have been expressly entrusted with sensitive patient data and will be held accountable for what their telemedicine providers do with it.
Best Practices
There is always inherent risk in allowing third-party access to sensitive data. This is especially true of small businesses that are already considered easier targets by bad actors. In health care, the sudden increase in demand for telemedicine has meant a complete realignment of risk strategy. One of the best ways to reduce this risk is to do deep research on any third party vendor. We also encourage organizations that contract with any new telemedicine organization to formally vet the potential vendor and document the process, which can include an evaluation of the provider’s security controls to make sure they have proper protocols in place, as well as assessing the vendor’s privacy standards and handling of data, and bringing an external consultant or organization in to perform an IT security audit.
Organizations should also make sure they have the correct internal processes in place. If proper employee training is the first line of defense against an attack, then multifactor authentication is the second! By far the most common cyberattacks are phishing scams where an employee clicks on a bad link or responds to a fraudulent email, giving hackers access to system login credentials for employees with administrative rights to company systems and data. Multifactor authentication (MFA) provides one more additional step for a bad actor to have to circumvent, as it requires an additional verification code which is often sent directly to the administrator’s phone or email when there is an attempted login. It is easy to find, steal or crack usernames and passwords, but it is much more difficult for a bad actor to beat the MFA process.
As always, the best recipe for success when adopting any kind of new technology is to be clear and thorough during the vetting process and back it up with a confident and well-trained internal staff. As the health care industry adopts these measures to meet new challenges, our team will work with clients to ensure that that they are protected against the accompanying risks as well.
Want to learn more?
Find me on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
Email me directly at zaltneu@risk-strategies.com.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.