Cybersecurity for Telehealth
Josiah Dykstra, PhD
January 23, 2023


Editor’s note: This text-based course is an edited transcript of the webinar, Cybersecurity for Telehealth, presented by Josiah Dykstra, Ph.D.

Learning Outcomes

After this course, participants will be able to:

  • Describe three potential security vulnerabilities in telehealth delivery
  • Explain three mitigations for delivering improved security for telehealth
  • List sources for further information on implementing secure telehealth

Medicine is Immersed in Technology

It is a pleasure to talk about cybersecurity today. This is my area of expertise, and I am delighted to apply it to telehealth, whether you are offering telehealth services already, considering them in the future, or have some role in deciding how your health setting will use them. Today, I want to ensure that you have actionable steps that your practice can take to ensure that it is as secure and safe as possible. We owe that to our patients because it is the right thing to do, and the law also demands it. HIPAA requires that.

Now, telehealth offers a lot of things for the community, whether for assessment, education, remote monitoring, or management of patient care. There are many ways we use telehealth, and we will talk about a few of those today. As I said, my goal is to ensure you have practical steps. I have spent the last 18 years studying cybersecurity. My Ph.D. is in computer science. I learned from my wife, an audiologist and a private practice owner, how many needs there are in the healthcare community. I now apply my expertise in this area because I think it is important, and I look forward to sharing my experiences with you.

There are a couple of things I want to say upfront about what we will not cover in this course, even though they are still important. One is that we are not going to talk about the mechanics of how to do a telehealth appointment, other than the security aspects. There are many courses on that, and individual nuances of whatever software you might use. This is not a how-to-do-telehealth course specifically.

We are also not going to talk about the legality of licensure, a very important aspect of telehealth that you must be familiar with. For example, if your state requires the patient to be in the same physical state where you are located because your licensure demands that, that is an awfully important consideration. I do not know the licensure rules for every state, and we could not delve into them in a security talk anyway. Please make sure you put that on your list of things to know about. I think many of us in the past 24 months since COVID have become very familiar with video conferencing. Whether or not you do telehealth, I would be surprised if anybody has not become very familiar with things like Zoom.

Even the fact that you are reading this presentation today shows this is a technology you are familiar with. Your patients, including kids, and many of the people you interact with are also getting more familiar with it. There are tremendous benefits to that. It allows us to offer services in ways that were impossible before, or that physical distance limited before. There are many good things about telehealth, and cybersecurity is never intended to get in your way. Do not let any cyber person tell you that. Cybersecurity is intended to make sure that you can do your job, and that you can do what you want to do and need to do in a compliant, safe, private manner. I am at the forefront of the cybersecurity group that says cybersecurity is not the goal.

The goal is health care for you. Cybersecurity should be enabling you. If you ever find that it is getting in your way, make sure you have a conversation with someone about that. Now, as you know even better than me, medicine and health care in general are immersed in technology. I bet no day goes by that you could do your job without some technology. That is not just limited to telehealth; the equipment you use to schedule appointments and communicate with people is all enabled by different kinds of technology. It is an opportunity for the attackers, and an opportunity for us to do all those things safely.

By one count, the adoption of telehealth has skyrocketed as well. I found one article, for example, that says that physicians' use of telehealth jumped from 18 to 48% in the two years from 2018 to 2020. That adoption has remained very high. There has been a little drop-off as people return to face-to-face, in-person encounters, but telehealth is not going away. There are no indications that we will go back to 100% in-person or that people prefer that. There are many more advantages to having a flexible schedule, a safe encounter, maybe a previously impossible encounter with somebody physically far away. Technology is here to stay. That is why it is never too late to start doing good security, protecting your liability, and ensuring you are as compliant as possible.

The Technologies Behind Telehealth

We all desire the patient's privacy to be protected. We are all also patients, and I think we all understand the value of protecting the security and privacy of our information. It is never too late. If you are not doing it today, today is a great time to start. I want to give you a high-level sketch of the basic technologies, to highlight how this technology works behind the scenes without diving into the technical minutiae, so that you know when and how to secure them. This section will also discuss the special precautions still in effect because of COVID.

These are things that might change, and I want to give you a heads-up about that. Telehealth goes by many names. It is sometimes called telemedicine, or remote physical or respiratory therapy. For the most part, they are interchangeable words. It essentially means what this picture shows: it is not two people physically sitting next to each other. Tele, as a prefix, is used for all kinds of technology, from telephone to telephony to telehealth. It is any situation where the two people are not sitting in chairs next to each other. This includes a lot more than live video. Live video is one kind of telehealth. We also use technology to communicate remotely by email, text messages, mobile phones, remote monitoring of equipment, and all of those things.

Telehealth as a concept is also not new. I can find references as far back as 1897, more than 125 years ago, when this kind of health care offering was first emerging. That gives great credit to people being creative for more than 100 years, with lots of innovation in this space. It was considered an alternative way to avoid unnecessary office visits. It was about convenience and a new kind of delivery for patients.

Telehealth, Telemedicine, Remote Respiratory Therapy

Telehealth

  • The Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications. (www.hhs.gov)

There is more than one kind of telehealth. One is synchronous live video: essentially a face-to-face appointment through a camera and a screen, even though the two of you are not in the same physical location. This is very common. It is the thing that most of us think of first, and certainly a very popular way to offer telehealth.

Another is what is called asynchronous or store-and-forward telehealth. This is where the information and the data are collected without the health care professional present at the time of collection or interpretation. If the patient has an electronic health device that collects information, that information goes, for example, to a website or a portal, and it sits there for you or any other health provider to look at. That is not a real-time video conversation. It is still telehealth because you are offering a service to the patient. It is not in real time, but it still has value.

A third kind is remote patient monitoring. This can be synchronous or asynchronous. For example, a patient with a chronic illness or chronic disease might have a sensor that communicates information remotely to a health provider; that would be remote patient monitoring. You might see this in an assisted living facility where a nurse in another room or another building monitors the patient's health in some way.

The fourth way that telehealth exists is in mobile health. Mobile health, or mHealth, uses smart devices and other apps that support continued health care. There are many implementations of this. It is more likely to be the store-and-forward, asynchronous version, where the data is collected all the time and sent back to a place where the health provider can look at it and interpret it, as opposed to real-time video. Telehealth has been around for a long time, well before COVID. That is a great thing. The demand is higher than ever. Patients, I think, like to see you face to face. Certain kinds of health care do not lend themselves well to the remoteness of telehealth. Diagnosis, for example, is different remotely, whereas managing the ongoing care of someone with a disease or an illness can be more conducive to it.

It is up to you to determine if it is the right approach for a particular patient or situation. When I talk to physicians and other health providers, they tell me they find enormous benefits in this adoption. That the benefits outweigh the risks is the start of the conversation I normally have about the risks and how those risks can be mitigated, so that it continues to provide outsized value. The words we use, like telehealth and telemedicine, are interchangeable. If you are looking for one official definition, HHS offers this one, which is consistent with what we have discussed.

In that definition, using digital or electronic communication and information supports long-distance health care. Again, it is not two chairs sitting in front of each other. It is a broad definition. I will come back to this later. There are no special security rules specific to telehealth. The HIPAA laws are written in such a way that they apply no matter where protected health information exists: whether it is on paper or digital, whether you are physically sitting with a patient or remote, the same requirements apply. We are going to come back to that a couple of times. As I said, at a very high level, the core components of telehealth can be boiled down to three buckets.

Basic Infrastructure

On one side of the screen, one side of the situation, is you, the remote therapist, at a digital device, whether that is a real-time video call or the interpretation of digital data. Your device is in one location. On the opposite side of the screen is the remote patient, the person receiving the care. Again, it might be the patient live video chatting with you, uploading data, or any other situation. They are in another environment, usually with equipment in their control. Even if they have medical equipment that you might have some control over, they might also use a personal tablet or computer to communicate. They exist in different locations.

The two sides here, the two sides of the screen, are connected by internet services. This is a big, broad topic. In general, there are physical wires that connect you. There are servers in the middle. There are service providers that enable this kind of communication, whether it is data, video, or anything else. We will talk a little about where in this picture problems can pop up and where we have control to ensure that security is as good as it can be. Before we move on, many of you have very compliant systems, compliant in the HIPAA sense. That might be a HIPAA-compliant computer or a HIPAA-compliant service.

I sometimes find that those services do not work 100% of the time. What is your backup plan if your webcam does not work five minutes before the appointment? Is it to use another computer? Is it to use a personal device that might be less compliant? The reality of technology not being 100% reliable is that we need contingency plans just for the functionality. I worry a little bit that the use of personal devices could be a potential threat to security and privacy, just because the device is not at the same level of protection as the otherwise compliant device might be.

COVID-19 Relaxations

Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

  • A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients…
  • Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
  • Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.

As I mentioned, there were relaxations to the telehealth rules because of COVID-19. HHS, which administers HIPAA and puts out health guidance for you, did say that they were going to relax the enforcement of some of the rules of HIPAA. You can still find these documents on their website.

Now, they did not relax them all, and the relaxations were temporary. It was in the interest of patient health care. When it was perceived as unsafe for patients to come to see you in person, the government said people still needed to talk to their health providers. As a result, they said health providers are allowed to use technology that might otherwise be considered not compliant, and for which the government might otherwise fine them or enforce its rules. For example, on the screen, you can see that they opened up the aperture to say you are allowed to use any non-public-facing remote communications, even if they would otherwise not be HIPAA compliant.

  • The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.
    • Skype for Business / Microsoft Teams
    • Updox
    • VSee
    • Zoom for Healthcare
    • Doxy.me
    • Google G Suite Hangouts Meet
    • Cisco Webex Meetings / Webex Teams
    • Amazon Chime
    • GoToMeeting
    • Spruce Health Care Messenger

Now, non-public facing means that somebody cannot just go to a website and watch the video of you talking to your patient. That is true of things like Apple FaceTime. If you FaceTime with a patient, that video session is not broadcast on a website for the general public to see. It is a one-to-one communication, and you would have to invite somebody to join that conversation. The same is true for Skype, Zoom, and a handful of others. This was not a wide-open invitation to use any technology. Public-facing services were very explicitly prohibited. Those include things like Facebook Live or TikTok, which broadcast to the public so that other people, who are neither you nor the patient, could just casually view the session.

Those things were never permitted. As I said, the notice specifically allowed things like Apple FaceTime. Whether you use those or not, it is helpful to understand the general context of what the government was okay with and what it was not. Whenever you are looking at a commercial service, that is something to keep in the back of your mind. My advice is that if you doubt whether it is public-facing, assume it is public and avoid it. Only if you know for certain that it is a strictly controlled, non-public choice is it okay. I think we should err on the side of caution in this case.

The other important thing applies to any entity you share data with outside your clinic, including a service provider: you are required to get a business associate agreement (BAA). That BAA helps ensure that the company you have hired protects health information as you do. HIPAA is not limited only to health providers. It applies to anybody who sees PHI, protected health information. That includes your attorney, cleaning crew, and email service provider. If those people could see PHI, you should have them sign your BAA. In their HIPAA relaxation, the government says you should pick a service provider who will sign that. What was a little confusing is that some commercial providers offer both HIPAA-compliant and non-HIPAA-compliant versions of their software, and Zoom is one of those.

There is a public version of Zoom that you might use to talk to family members. There is a HIPAA-compliant version called Zoom for Healthcare. If you sign up for Zoom for Healthcare, they will sign the BAA. They will not sign the BAA if you use the free version for the public. People had to be cautious about picking the version that would sign a BAA. Many commercial services are now very open to the public about that. If you ever get stuck and are not sure how to get them to sign your BAA, that is something you can ask your IT staff, or I can help you with that as well.

As I said before, the relaxations are not permanent. We do not know if Congress or HHS will make some of the provisions permanent. As I have said, telehealth will not go away. We are in a situation now where HHS is giving fixed periods for how long they will extend the public health emergency. The public health emergency is the linchpin for when these temporary changes will go away. We are under an extension that goes through October 13, 2022. If the government does nothing, on October 13 the rules will revert to what they were before, and the relaxations will disappear. Or the government could give another extension, say the health emergency is not over, and the rules remain temporarily changed for another 60 days until those expire. You need to know where we are in that timeframe, or have a technology provider who can keep you updated about that. Keep that date penciled in on your calendar for October 13. Things could change. Of course, things can change all the time. These particular rules, they said, will not just disappear on a moment's notice. They will always give a heads-up before they change.

History of Telehealth in Respiratory Therapy

Telehealth is also not new to respiratory therapy. Remote consultations have been around for quite a long time. Looking through medical literature as far back as the late 19th century, we see reports about very innovative uses of the recently invented telephone. For example, respiratory therapists could listen to a child's breath over the telephone to determine if there was a breathing problem. That is probably as far back as I can definitively point to something that sounds very much like telehealth. In those 125 years, things have advanced relatively quickly. We had video technology probably in the '50s, though not over the internet; video cameras and displays existed, but the two ends were not quite as far apart. We have had email for quite some time, 20 or more years, and some people were using that for telehealth. Certainly, we are now in the realm of video kinds of technologies. This is certainly not the end.

This evolution will probably continue, whether it is the metaverse, virtual reality, or anything else. I see no reason that it will not. One thing that I thought was a little bit interesting was that in the early days of the telephone, when people were listening to audio sounds of a child's breath, the scare back then was that somebody might contract an infection from using a public telephone that was unhygienic. Not everybody had a telephone in their home. If they called the doctor from a public telephone, was their health worse off than not having that opportunity? It seems a little crazy now. You can imagine there is fear in every version of this. Is email safe and secure? Is video safe and secure? Whatever the evolution of technology brings, we will always have contemporary challenges to consider.

Potential Security Vulnerabilities in Telehealth Delivery

Now I want to talk a little bit about the potential vulnerabilities in telehealth delivery. This is not meant to make you afraid. It is not about fearmongering. It is very much to help you understand where the risks are and how you can focus and prioritize your mitigations appropriately. There is such a thing as too much security, and as a security person, I am hesitant to say that. I want you to know how to lower your risks appropriately and make good decisions. Most of us understand and appreciate that hackers and computer attackers go after computers.

That is not a surprise at all. That is where the data is. There is an old quote about a bank robber. Somebody asked him, "Why do you rob banks?" The bank robber said, "Because that is where the money is." Attackers go after computers because that is where the valuable data is. They are not always trying to get you, they are not always targeting you, and they might not even be targeting health care. You might just become a victim because they are broadly spraying across the internet and you happen to get caught in that. We all get bad emails. That is not because we are specifically targeted. The attackers are trying to get anybody they can. What we most often think about with computer hackers is the idea of remote exploitation.

Somebody sitting across the planet, in their basement, trying to attack our computer over the internet. I will be honest: that is very unlikely. Today's technology makes that a very difficult task for the attacker. By its very nature, your computer is defended against that kind of remote exploitation. Home routers have good firewalls, and the operating systems on our computers are quite robust against remote exploitation. That is not the primary way hackers get onto our computers. What is much, much more common, much more likely, is the umbrella we call social engineering. Phishing emails fall under this. It is any time the attacker is trying to exploit our human weaknesses.

They send an email that appeals to our sense of urgency. They might say, "Your bank account has been closed. Please click this button to make sure that all your money is safely transferred." It plays on our sense of fear, and on our human sense of trying to be helpful. All of those work because we are busy people trying to be helpful, and we do things accidentally that can cause our computers to become infected. Malicious emails, malicious attachments like Word documents, or visits to websites that compromise our computer happen every day to a lot of people, even by accident. They do not know they are doing anything wrong. You can do a lot about that by making careful, slower decisions.

If you are very busy, that might not be a good time to check your email, because the attackers are counting on that busyness to help trick you into doing something. Now, of course, the attackers are not just sending emails to you. They are also sending them to everybody on the internet, including your patient. We generally have little or no control over the security of those personal devices. If our patients open every attachment, their computer may well be infected, which threatens the telehealth session. That is a bit outside of your control. When patients sign up for telehealth, you can tell them about the risks. I strongly encourage you to get the patient's consent to do telehealth.

That document can say there are risks to this. The risks are A, B, and C. If you consent as a patient, please sign this document saying that you understand and agree to do it anyway. At least that covers you a little bit: you can say, well, I told the patient, here were the risks, and they accepted anyway. If the patient has an infected computer, that infected computer could listen to your conversation with the patient, because it is out of your control. Then, of course, all the computers on the internet also get the same kinds of attacks that your patient gets. We again have very little control over that.

The BAA, the business associate agreement, is one way to lower your risk in at least the services that you sign up for and pay for. If your email provider says, "Yes, I will sign the BAA. I will protect your email," for instance, that is a sort of insurance, in a sense. Even if something goes wrong, they are liable to protect the information. Again, there are lots of opportunities for those attackers. Some things are in our control and some things are not. What happens if an attacker accesses your computer or your patient's computer? What could happen? I am not saying these are guaranteed to happen. In cybersecurity, we do not know the likelihood of these very well.

Computer Security

  • A compromised computer might enable a hacker to:
    • Commit medical billing fraud
    • Illegally access live videos between patients and doctors
    • Gain unauthorized entry into other computers
    • Access cloud-based EHR/EMR systems where patient data is stored

I want you to be aware that these are technologically possible. If an attacker had access to the computer where you do telehealth appointments, it is possible that they could commit medical billing fraud. They could get the patient's information. They could use your computer to submit fraudulent billing. I have not seen many public instances of this, but it is possible. I think it is relatively low risk, but something to be aware of. Another thing that they could do would be to illegally access the audio or video between you and your patient. This is, by its nature, illegal. It is the kind of thing many of us are frightened about: that an attacker could turn on the video camera or listen to our conversations.

We will talk a little later in the presentation about one way to help prevent this. It is all the more reason to make sure our computers do not get infected in the first place. Let's prevent that from even happening. One thing that is quite common is the third bullet here. When an attacker gets access to one computer, they might install malicious software or steal information. They often use your computer to attack other computers on the same network. That could be other computers in your home if you are working from home. It could mean other hospitals, or other computers in the hospital: anything that the compromised computer can see on the network.

The attacker wants to spread. They want to spread their infection to other computers by getting access to one, which is a foothold into the network for them to do more damage. Another reason we want to stop infections as soon as possible is that the attackers do that spreading over time. It is not instantaneous. It might take them a day, a week, or a month. The sooner we clean up the infection, the less likely it is to spread. The last thing is that because you are using the computer or the tablet to do the telehealth appointment, by the nature of that interaction, you are accessing health information, whether it is stored locally on the device or in a cloud-based EHR or some other online service.

If the attacker has access to your computer, they could also access those cloud-based services. This is another really bad outcome. This is how a data breach happens. The attacker gets access to one computer, downloads or compiles all the information on that device, steals it, and maybe sells it online. We want to limit the ability of those attackers to access any of that information from our computers. Remember, the goal here is not just to protect the single patient you are talking to in a live telehealth appointment. HIPAA says that our goal is to protect all the patient information for all patients over which we have control.

Basic Infrastructure

Furthermore, this is not only about the computer. Digital information can be compromised because we are human. It can happen because we speak loudly to a patient over that telehealth appointment. It is your responsibility to protect what is said out loud the same way you protect the digital information on the computer. As I said before, the rules apply no matter how that PHI exists. It can exist by being spoken out loud, in video form, on paper, or anywhere. The people in this diagram matter just as much as the computers, even in a digital sense. Again, you have a lot of control over your environment. We'll talk even more about the fact that you should make sure the door is closed so that people cannot casually listen to the conversation.

You can encourage your patients to be in a secure environment as well. They can make whatever choice they are going to make. I think it is helpful to help the patient understand where the risks are and how they can help protect the setting they are in at that moment. Now, there are humans all along that internet services path. Some people work for your cable company, if that is how you get internet. Some people work for the email provider or the video conferencing provider. All of those people could pose a problem. We want to ensure all of them are educated and well-trained, and that they understand they have human risks. They also can make risky decisions if they are tired, distracted, or busy.

The last thing that I will mention here is that it is really helpful, I think, sometimes to think like a criminal. I presume that everyone here is a law-abiding citizen and that you are all doing the right thing and trying your best. Imagine you wanted to attack this system. How would you go after it? How would you try to break in and steal information? As you think about that, I think it will help illuminate where you can do better security. If, for example, your office hypothetically did not have a lock on the door, you can imagine that if I were a criminal, maybe I would walk into the room, steal the computer, plug in a USB device, and install some malicious software. Thinking like a criminal can help us do better security. I am not, of course, advocating that you do anything criminal.

Selecting Telehealth Services

  • HIPAA contains NO special section devoted to telehealth!
    • Same HIPAA requirements as an in-person appointment
    • Only authorized users should have access to ePHI
    • Secure communication to protect the integrity of ePHI
    • System of monitoring communications containing ePHI to prevent accidental or malicious breaches
  • Features to consider when selecting a telehealth provider/solution:
    • Business Associate Agreement
    • Strong end-to-end encryption (NIST recommends 256-bit AES)
    • A virtual waiting room
    • Technical support (doesn’t add any security)

Let's briefly discuss selecting telehealth services from a cybersecurity and privacy perspective. If you already have a service, these are things to review in your mind. If you have the opportunity to help influence the choice of software, these are things that should be on your mind. Let me reiterate: there are no special considerations in HIPAA for telehealth. All of the same HIPAA rules apply to any PHI, whether it is digital or not, electronic or not. That should always be on your mind. It is one reason, for example, that you should always ask the provider to sign your business associate agreement.

    Business associate agreements are one-directional agreements. If the provider says, "I want you to sign my BAA," my understanding (I am not a lawyer) is that you should also ask them to sign your BAA. You can ask your attorney about that. My general advice is always to ask the other person to sign yours. Number two is that you should always be on the lookout for strong encryption. Encryption is one of those kinds of abstract concepts. It provides protection of information as it moves around the internet. When you talk to the patient, we want that conversation to be more secure than, for example, a postcard through the mail.

    We want that communication, whether text or video, to be scrambled or encrypted, so that anybody who looks at the postcard as it moves around the proverbial postal system sees only garbled text on it. They cannot read the information, which in your case would be health information. When you look for a provider, look for strong end-to-end encryption. You will often see numbers and letters that speak to the kind of encryption they use. For example, 256-bit AES. This is a particular encryption algorithm. It is the one that the government, NIST, recommends. You can look for numbers that are bigger than 256. You might see those. 256-bit AES should be the minimum recommendation that you are looking for.

    That ensures that information is quite well protected. Nothing is impossible, but it should give you a lot of comfort that the information you are exchanging is well protected. Another thing that I advise people to look for in their solution is a virtual waiting room. If you do not have a virtual waiting room, and the solution you use automatically connects and turns on your camera, you have less control over the person on the other end of the line. We expect that it is the actual patient, not some random person, and that you are ready for the appointment. We will talk about three steps to execute a telehealth appointment. The virtual waiting room gives you more control and time to say, "I am sitting at my device.

    I am ready to do this appointment. My environment is protected. Now I can see that this patient is the one I expected at 3:30. I will let them into the appointment." It is essentially what you would do in a physical setting too. People do not just come in the door and waltz into the exam room. We do some checks in the meantime. We should do digital checks as well. Something that often seems helpful but provides not much cybersecurity is technical support. It is great to have somebody who can help. Technology can be unreliable sometimes. It can be confusing sometimes. A virtual service will often say, "Oh, you get customer service 24 hours a day, seven days a week." That might be very helpful. It might be highly desired. I will say it does not necessarily make the service any more secure. Just be careful that you understand which side of the benefits column things like that are on.

    Security Mitigations for Telehealth Before, During, and After Appointments

    With those potential vulnerabilities in mind, what can you do? What should you do? Let's discuss what to do now, today, and this afternoon, and what to do after appointments as well. I want to highlight first that there are security best practices that you should follow regardless of telehealth. Especially because telehealth is something that you are considering, you can do four things that will greatly lower your computer's risk of infection, which supports good, secure telehealth.

    Follow Security Best Practices

    1. Keep software updated
    2. Install and turn on antivirus software
    3. Keep data encrypted
    4. Use two-factor authentication

    Number one, ensure that the software on your computer is up to date, that it has all the patches installed that it can have. This is becoming a little bit easier in some cases. For example, on Windows and iPhone, you can turn on automatic updates. This means the device will check for you to see if there is an update and install it automatically. You do not necessarily have to look for updates all the time. It is free. It is low cost and requires very little expertise. That is often something I hear from health providers: I do not have time, I do not have money, I do not have expertise. Software updates, and all four things on the screen, are low cost, low time, and low expertise required.

    Check the software on your computer. Make sure it is updated. This is not only about the operating system, Windows, but also Zoom. Is your Zoom client up to date? Whatever software you use is a potential way an attacker could take advantage of unsecured software. Attackers love software that is not patched. Old, outdated software is a very common mechanism for attackers to try to access our devices; highly patched, well-secured software is much more difficult for them. It is very easy for you, very difficult for them. That is an excellent combo in your favor.

    Number two, ensure you have installed, enabled, and turned on the antivirus software on your computer. Antivirus these days is very effective at helping mitigate problems if they happen. If we accidentally visit a website that tries to attack our computer, the antivirus is one way to detect and block that kind of attempt automatically. We have to make sure it is installed. We have to make sure it is turned on. There are some free antivirus options. Windows has a built-in firewall called Windows Defender. Windows Defender is free. As long as it is turned on, it will provide you with a level of protection. If you work for a company, ensure they have also considered the paid services. In some sense, you get the protection you pay for. Any antivirus is better than no antivirus. Make sure that it is turned on.

    Number three is another HIPAA requirement, which is to keep data encrypted. We discussed picking end-to-end encryption for your telehealth software a few slides ago. We also want to ensure that the files and the data that live on our devices or in our cloud storage are encrypted. If, heaven forbid, somebody should steal our information, we want to limit the attacker's ability to read it. Making sure that it is encrypted helps that goal. You can turn on BitLocker encryption in Windows with just a few clicks. You can probably Google this and figure out how to do it on your own. It is transparent to you. The hard drive where files are stored locally on your device is automatically encrypted. You never have to do anything. If the device is lost or stolen, the person who steals that data cannot read it. It is all scrambled. Turning on data encryption is a HIPAA requirement. It is relatively easy to do and certainly supports good telehealth.

    The last thing I want to advocate here is using two-factor authentication, sometimes called multi-factor authentication. By Microsoft's estimate, multi-factor authentication could block 99.9% of account compromises. If the attacker steals your password or guesses it, they do not have the code that goes to your phone or another second factor, so they still cannot get into your account. Our accounts are the lock on much protected information, whether email, social media, cloud storage, EHRs, or anything else. It is worth the extra 30 seconds it takes to use two-factor, so ensure that it is turned on everywhere possible for your accounts, particularly those like banking, email, and EHRs. That provides excellent protection for you in general. It is good cyber hygiene. It also helps protect telehealth.

    Install and Use Webcam Covers

    Many of us use video cameras for telehealth. I want to make one important announcement: there is a possibility attackers can turn on our cameras without our knowledge if they have access to our computers. They cannot just magically do this without ever touching your computer. But if there happens to be a compromise, we do not even want to offer the possibility that somebody could look through our camera. One way to help protect against this is with a hard plastic cover over the video camera, whether on your laptop or tablet or on an external webcam. With a physical cover over that camera, even if somebody were to turn on the video, they would not be able to see you. That is good protection at a very low cost. You can buy these for $10 or less online. They provide quite a good amount of security. Many people take a different approach: putting a piece of tape over the camera, a post-it note, or a sticker.

    This is not my recommendation. None of those is 100% as beneficial as the hard plastic cover is. You can see in this picture that even through a piece of tape, it is possible to make out some fuzzy image of the person that might be you on the other side. Invest in the hard plastic cover. Let me talk about the one minute before you start an appointment. Wherever you are, whether you are in a clinic, a hospital, or your home, prepare the environment before you start the appointment. Make sure you remove any sensitive information on the table, the desk, or the bookshelf behind you. The camera can see anything that might expose another patient's health information.

    We do not want that to show up visibly on the camera. Maybe you have to turn off some screens. Maybe you have to close the file folder, whatever it might be. Make sure that it will not be visible when you start the video session. Number two, close the door. Even if you are in your home, try to be in a space where other people cannot see or overhear you. I certainly would never recommend you do a telehealth appointment in a public space. Do not do it in a coffee shop. Do not do it at the library. All of those are horrible opportunities for other people to hear the conversation and for there to be a HIPAA violation.

    We want to avoid that at all costs. Once the environment is prepared, log in to the telehealth system and connect. I appreciate that we sometimes have staff trying to be helpful who might want to log us in automatically so we can walk into the room and have our session. While that could be convenient, it is not helpful in the security sense because you have outsourced control. Maybe the camera turns on even before you are ready and the room is prepared. I would say, if at all possible, you should log in and connect yourself. Then the last thing is, because we all bought our plastic cover, turn on the camera, turn on the microphone, unmute, and enjoy the appointment.

    Immediately Before the Appointment

    Checklist for Today

    • Purchase and install a webcam cover
    • Review/Update your Employee Handbook
    • Review/Update your Notice of Privacy Practices
    • Create a Telehealth Consent Form for patients
    • Confirm/Obtain a BAA with telehealth providers
    • Install the latest updates for all software and devices
    • Update and run an antivirus scan
    • https://DesignerSecurity.com/TelehealthChecklist

    That is a really helpful way to ensure that you are ready for the appointment in a secure, compliant way. These kinds of steps might be something to consider for an employee handbook. Make this the policy. Do not just rely on every provider doing it because they remember. Help people with a checklist and have a policy that says, "This is the way we are all going to do this." That is a good way to make sure that it is consistently enforced. We have talked about a lot of things today. If you go to my website, you can download this telehealth checklist, because some of these will take a little while.

    Some, like installing a webcam cover, you can do very easily. If you have the opportunity to update your employee handbook, make sure you put that on your to-do list. Make sure you have a good consent form for your patients. A consent form that says, here are the risks, allows the patient to review them and sign off with a wet signature that they agree. Checking on BAAs is also on the list. Then there are the cyber hygiene things that we talked about, such as making sure your software is updated. These are good things to review on a routine basis, not just a one-time checklist. Technology changes very quickly, not just in the adoption of telehealth during COVID but in the tech itself, such as the emergence of video conferencing.

    Maintaining Awareness of New Emerging Threats

    When are we going to have things like augmented reality? What about the emerging threats that happen seemingly overnight? A new bit of ransomware, a new kind of cyber attack. How can you know what you need to know without worrying about being overwhelmed, or about having to be a technological cyber expert? There are a couple of ways that you can do due diligence without having to spend all day every day worrying about just security.

    Review Your Security Posture

    • Every 30 days, check the security of your telehealth services:
      • Is your software up to date?
      • Are user accounts accurate and authorized?
      • Is ePHI backed up and encrypted?
      • Any unusual or anomalous activity in system logs?

    I highly recommend you put a reminder on your calendar once a month, every 30 days, to think about the security of telehealth. Are you still doing things as routinely as you want to? Is your software still up to date? Are you still careful about ensuring the room and the environment you are in are safe before you start appointments? Also, is your information backed up? If you have control over that, as opposed to your provider, make sure that the backups exist. Go online and make sure that those files are there. You can do this kind of review in just a couple of minutes. It is a good use of your time before anything goes wrong to make sure that, yes, I am confident that the security is still functioning in the way that I expected. One way that you can help prevent catastrophe, even if something goes wrong, is to do this mental or physical checklist once a month.

    Advice and Breaking News

    There are a lot of places to get information online these days. It seems like there is no end to it. The internet is a big place. There is a lot of information that I do not trust, sources where I would not recommend that you get information. We are not going to talk about the bad sources. I do want to give you some good ones. The first is a government agency called CISA, the Cybersecurity and Infrastructure Security Agency. They exist under DHS, the Department of Homeland Security. They publish a lot of really digestible information online. You can go to their website. You can subscribe to their Twitter page or their Facebook page. They put out information almost every day.

    It is easy to read and understand, because they write it for normal people; they are not writing for a tech audience. They want to ensure that even people at home understand what ransomware is. How can I make sure that I am safe? What is this new emerging thing that I saw on the news that might have happened a couple of days ago or a week ago? CISA is a reputable place for cyber information. Reuters news, which has a website here, is another place to go; their cybersecurity news is reputable, timely, and very factual. Kim Komando airs on the radio if you like a casual conversation or want to listen to an easy-to-listen podcast.

    You can subscribe to those podcasts or go to her website. That is another place where I find timely, relevant, actionable advice for all of us, everyday people. As we start to summarize, I hope your questions are coming to the forefront, because we will also have time for those. There are many everyday things we can do to help ensure secure and private telehealth. Telehealth is here to stay. If anything, we will see new opportunities and innovations for remote care that are great for our patients. Health providers need to understand where the potential vulnerabilities are, and what the everyday things are that we can do to ensure that technology works as we expect.

    Part of that is thinking about cyber hygiene. We should do this whether or not it is in the telehealth setting. Then there are very specific telehealth countermeasures that we can do as well, things like monitoring the physical environment, ensuring our cameras are protected, and all those things. We then make sure that our passwords are secure. We cannot control everything. We cannot control our patients' environment 100%. We cannot control the internet 100%. I think it is important that you do the things within your control.

    If you are interested in some references for cybersecurity in the field, here are a couple that you might want to read. As I dug into this before the presentation, I found, not surprisingly, that there has been an uptick in cybersecurity work in respiratory therapy. Many people are studying the problem in academia, proposing new opportunities to do telehealth. These are the kind of academic reading that might interest you as well. For things that are not technical, there are other options for information, like the AMA and the government's websites, that cover this intersection of healthcare and cybersecurity. They, for example, offer a BAA template. If you want a free BAA, you can go to hhs.gov to get the one they offer. If you need to adopt one, that is a fine place to start. I am here if you need other information or feel like you are getting stuck or hitting a wall.

    I am always happy to answer your questions. We'll open it up here in a second for your questions. I do not want you ever to feel confused. I do not want you to feel like security is impossible. The things that I have given you are just the start. There are lots of other opportunities. Cybersecurity for mobile devices, for example. We could do a whole conversation about that. Thank you for paying attention to privacy and security in your health delivery. You can do it. It does not have to be overwhelming. It does not have to be expensive. There are everyday things that we can all do to make sure that our patients and our practices are as secure as possible.

    Questions and Answers

    How does the VPN work? Does my patient need also to have it?

    Excellent question. There is a lot of confusion over VPNs. A VPN is particularly helpful when you are in an environment where you do not trust the network. When I go to a coffee shop, for example, I do not trust the wireless network in the coffee shop. I do not know who runs it. I do not know the other people in the coffee shop who are using it. I use a VPN to ensure a trustworthy connection between my computer and the VPN provider. This is slightly different from a VPN between physical locations. If you have two hospital settings, for example, they might have a private VPN between those settings. It can be helpful. It is not always essential. If you are in your home, for example, the VPN probably does not help you that much. This is equally parallel for your patient. If they are in their home or another trustworthy, controlled setting, the patient probably does not need the VPN. There is never any harm in it. There are very low-cost, easy-to-use VPNs. Hopefully, that has pointed you in the right direction.

    Can you explain how Google Authenticator works? Is it the same as two-factor authentication?

    Google Authenticator is an app that runs, I think, on every platform. Even though it is a Google app, it runs on iPhones and on Android phones. Google Authenticator provides codes. When you sign up for two-factor authentication for email, most email providers say, would you like a code text messaged to your phone? Or would you like to use an app like Google Authenticator? There is a strong preference from me and in the security community not to use text messages. The text messages are just less secure and less in your control. The apps are better. There are lots of them. Google Authenticator is one, and LastPass has one. Much other software allows you to get a code that is the second factor for your login. You would put in your username and your password.

    The site you are using would say, now, please enter the code that currently appears in Google Authenticator. Every 30 seconds or every 60 seconds, the code changes. The security it provides is that even if somebody has your password, they do not know the code because it is always changing. I use an application like this. I have 20 or 30 different websites. I use it for my bank. I use it for my email, everything, and even my social media because it is worth that extra effort. Not every site supports something like Google Authenticator. Some banks, for example, might require a different piece of software. It is really helpful. It provides a really strong level of security. Thanks for asking that.
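    The mechanism behind the answer above, as an added example that is not part of the original course: the app and the website share a secret at enrollment, and both derive the same 6-digit code from that secret and the current 30-second time step (RFC 6238 TOTP over RFC 4226 HOTP), which is why a stolen password alone is not enough. The secret below is the RFC 6238 test key, constructed for the demo, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32,
# the form an authenticator app receives when you scan the enrollment QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30   # seconds per code, the "every 30 seconds" in the answer above
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating the '=' padding that apps usually omit."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: Optional[int] = None,
         step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app displays."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(decode_secret(secret_b32), timestamp // step, digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: Optional[int] = None,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Website-side check: accept the current code or one step either side to
    tolerate clock drift. Knowing the password does not help here, because the
    code depends only on the shared secret and the time."""
    if timestamp is None:
        timestamp = int(time.time())
    key = decode_secret(secret_b32)
    counter = timestamp // step
    for c in range(counter - window, counter + window + 1):
        # constant-time compare so a wrong guess cannot be distinguished by timing
        if hmac.compare_digest(hotp(key, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print(f"code shown in the app right now: {code}")
    print(f"website accepts it: {verify_totp(DEMO_SECRET_B32, code, now)}")
```

    The fixed-time calls in the test values match the published RFC 6238 vectors, so you can confirm the arithmetic without a phone.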

    What about password managers? Are they beneficial for us to have?

    I love password managers. I think they provide a tremendous amount of security, in part because I am a human. As a human, I am horrible at picking a good password. I care a lot about not using the same password on every website that I go to, because if something should happen to that password, I do not want the attackers to be able to get into my email, my bank, my computer, and everything. So I have that special software, the password manager, which you can get for free or at very low cost, things like LastPass and 1Password, that allows me to pick a powerful password for every site I visit.

    My social media passwords are all different. I do not even know what the passwords are, because the software fills them in for me automatically. It helps my human brain. I very much encourage everybody to at least consider it. If not, go sign up for that today.

    If I was using my hotspot while reviewing patient records in a public place, does that compromise cybersecurity the same as using public WiFi?

    The personal hotspot is better than public WiFi. I would certainly pick that over the public network. Now, if you are in your home, I would say your home WiFi is probably equally secure to the hotspot. It does not provide you any benefit there. Of course, there are other considerations in a public place, like whether people in the public place can see your screen. I am glad you are thinking about the network part. It is one component.

    References and Further Reading

    Munafo, D., Hevener, W., Crocker, M., Willes, L., Sridasome, S., & Muhsin, M. A. (2016). A telehealth program for CPAP adherence reduces labor and yields similar adherence and efficacy when compared to standard of care. Sleep and Breathing, 20(2), 777-785.

    Pierce, M., Gudowski, S. W., Roberts, K. J., Scott, M. J., & Laudanski, K. (2021). Establishing a telemedicine respiratory therapy service (eRT) in the COVID-19 pandemic. Journal of Cardiothoracic and Vascular Anesthesia, 35(4), 1268-1269.

    Pierce, M., Gudowski, S. W., Roberts, K. J., Jackominic, A., Zumstein, K. K., Shuttleworth, A., ... & Laudanski, K. (2022). The Rapid Implementation of Ad Hoc Tele-Critical Care Respiratory Therapy (eRT) Service in the Wake of the COVID-19 Surge. Journal of Clinical Medicine, 11(3), 718.

    Sawadkar, M. M., & Nayak, V. R. (2021). Telehealth: The role of respiratory therapists during the COVID-19 emergency. Canadian Journal of Respiratory Therapy: CJRT= Revue Canadienne de la Thérapie Respiratoire: RCTR, 57, 119.

    Sculley, J. A., Musick, H., & Krishnan, J. A. (2022). Telehealth in chronic obstructive pulmonary disease: before, during, and after the coronavirus disease 2019 pandemic. Current Opinion in Pulmonary Medicine, 28(2), 93.

    Jalali, M., Landman, A., & Gordon, W. (2020). Telemedicine, privacy, and information security in the age of COVID-19. JAMIA. https://academic.oup.com/jamia/advance-article/doi/10.1093/jamia/ocaa310/6039104

    Dykstra, J., Mathur, R., & Spoor, A. (2020). Cybersecurity in Medical Private Practice: Results of a Survey in Audiology. 2020 IEEE 6th International Conference on Collaboration and Internet Computing. https://designersecurity.com/SurveyPaper2020

    American Medical Association https://www.ama-assn.org/topics/telehealth

    Health and Human Services https://www.hhs.gov/hipaa/for-professionals/faq/telehealth/

    Health IT Security https://healthitsecurity.com/tag/telehealth

    Citation

    Dykstra, J. (2023). Cybersecurity for telehealth. Continued.com - Respiratory Therapy, Article 169. Available at www.continued.com/respiratory-therapy.


    Josiah Dykstra, PhD

    Josiah Dykstra, Ph.D. is the owner of Designer Security, a consulting business devoted to cybersecurity needs in healthcare. Over the past 18 years, he has worked as a practitioner, researcher, and leader in cybersecurity at the Department of Defense. He is a frequent speaker, the author of numerous peer-reviewed publications, and wrote the books Essential Cybersecurity Science and Cybersecurity Myths and Misconceptions.

    Course Details

    Cybersecurity for Telehealth
    Presented by Josiah Dykstra, PhD
    Video
    Course: #1567, Level: Introductory, 1 Hour
    Telehealth is here to stay, and now is the best time to apply secure practices to ensure safe and compliant delivery. This course describes vulnerabilities in telehealth delivery and provides practical advice for RTs who offer or are considering offering telehealth services.