In a year that has tested our healthcare system to the brink, one of the bright spots has been a rapid increase in the use of telehealth in many regions across the country. While telehealth is not new, its availability has been spotty at best, with many providers and insurers not entirely on board. By necessity, COVID-19 has changed this. As more Americans were urged to stay home, especially the elderly and immunocompromised, there was a growing concern that healthcare conditions were being overlooked, potentially leading to serious repercussions. Providers also lost revenue as patient visits and procedures were postponed. Telehealth has helped to fill the void.
Consider the following:
- The Mayo Clinic, the nation's largest healthcare system, reported a 78% drop in in-person visits from mid-March to mid-April. During the same time period, the use of Mayo's digital healthcare services increased by an astounding 10,880%.
- A Department of Health and Human Services statistical report found that before the pandemic, more than 99% of Medicare-funded visits were in-person appointments. From March through early June, the agency reports that more than 10 million Medicare beneficiaries used telehealth services.
- U.S. regulatory changes facilitated telemedicine use during the pandemic. For example, a major policy change for the duration of the COVID-19 emergency is that HIPAA-covered providers may temporarily use apps that are not fully HIPAA-compliant – such as FaceTime, Zoom, and Skype – to provide telemedicine.
The downside to the rapid adoption of telehealth is increased exposure to cyber threats for healthcare providers and greater vulnerability of private patient information.
Examining the Threats
Whenever there is accelerated adoption of technology – and a lack of training for its users – cybercriminals seize the opportunity for attacks. IBM's Cost of a Data Breach Report 2020, conducted by the Ponemon Institute, found that healthcare companies are incurring the highest average breach cost of any industry: $7.13 million per incident, a 10% increase over the 2019 study. Earlier this year, UCSF Medical School paid $1.14 million in ransom to hackers who stole its data and left servers inaccessible.
According to the IBM report, human error caused 95% of the breaches: the end user clicks on something that is a phishing scam, which accounts for 90% of security breaches. Through phishing, cybercriminals gain access to sensitive information such as insurance identification numbers, Social Security numbers, and passwords. Zoom's increased use has led to "Zoom bombing," in which intruders enter video conferences.
Unsecured laptops and mobile devices are "start points" that hackers can easily access. Unfortunately, criminals can easily penetrate a range of residential IoT devices, including connected home devices and even popular voice assistants. With many healthcare providers – including nurses, physicians, and therapists – working remotely for the first time, it can be challenging to provide the level of training they need to recognize security threats. The pandemic's rapid acceleration didn't allow healthcare organizations to vet new software vendors, and some security policies were relaxed to keep things moving.
According to a new report from information security companies SecurityScorecard and DarkOwl, "Telehealth systems have become significantly more susceptible to targeted attacks given the pace at which applications were rolled out, often at the price of patient and provider vulnerabilities." Their study reviewed 148 of the most-used telehealth vendors, examining patient data vulnerability across application, endpoint, and network security. Between the second and third week in March, they noted a 144% increase in suspicious activity.
Taking Telehealth Cybersecurity Measures
A May 2020 survey of Medicare Advantage beneficiaries found that 91% of those who had used telemedicine had a good experience and that 78% would use it again. And according to the American Medical Association, telehealth will continue to offer many benefits to providers and patients post-pandemic. The key will be to optimize and protect virtual care.
Until traditional cybersecurity training can resume in person, healthcare organizations can educate their workforces by sharing examples of phishing campaigns, or even by testing their workforce with dummy phishing emails to gauge awareness, and by offering training videos throughout the year. The goal is to get users to think before clicking on links and to examine URLs carefully to ensure safety.
Organizations should follow best practices for encrypting their data, using two-factor authentication, running antivirus software, and applying software updates. Many providers are already moving from consumer videoconferencing to products developed for the healthcare industry. IT professionals must take the time to vet software suppliers.
Goldin Peiser & Peiser will continue to monitor legal and regulatory changes that impact the delivery of healthcare.
For questions about this blog, or other issues regarding your medical practice, contact Erick Cutler at 214-635-2541.
Note: This content is accurate as of the date published above and is subject to change. Please seek professional advice before acting on any matter contained in this article.