Continued Respiratory Therapy


What Are Potential Security Vulnerabilities in Telehealth Delivery?

Josiah Dykstra, PhD

February 1, 2023

Question

What are potential security vulnerabilities in telehealth delivery?

Answer

Now I want to talk a little bit about the potential vulnerabilities in telehealth delivery. This is not meant to make you afraid. It is not about fearmongering. It is very much to help you understand where the risks are and how you can help focus and prioritize your mitigations appropriately. There is such a thing as too much security. As a security person, I am hesitant to say that. I want you to know how to lower your risks appropriately and make good decisions. Most of us understand and appreciate that hackers and computer attackers go after computers.

That is not a surprise at all. That is where the data is. There is an old quote about a bank robber. Somebody asked him, "Why do you rob banks?" The bank robber said, "Because that is where the money is." Attackers go after computers because that is where the valuable data is. They are not always trying to get you, they are not always targeting you, and they might not even be targeting health care. You might just become a victim because they are broadly spraying across the internet and you happen to get caught in that. We all get bad emails. That is not because we are specifically targeted. The attackers are trying to get anybody they can. What we most often think about with computer hackers is the idea of remote exploitation.

Somebody sitting across the planet, in their basement, trying to attack our computer over the internet. I will be honest. That is very unlikely. Today's technology makes that a very difficult task for the attacker. By its very nature, your computer is defended against that kind of remote exploitation. Even though home routers have good firewalls, the operating systems on our computers are quite robust against remote exploitation. That is not the primary way hackers get onto our computers. What is much, much more common, much more likely, is this umbrella we call social engineering. Phishing emails fall under this. It is anytime that the attacker is trying to exploit our human weaknesses.

They send an email that appeals to our sense of urgency. They might say, "Your bank account has been closed. Please click this button to make sure that all your money is safely transferred." It is our sense of fear. It is our human sense of trying to be helpful. All of those are because we are helping busy people, and we do things accidentally that can cause our computers to become infected. Malicious emails, malicious attachments like Word documents, or visiting websites that compromise our computer happen a lot every day to a lot of people, even by accident. They do not know if they are doing anything wrong. You can do a lot about that to make careful, slower decisions.

If you are very busy, that might not be a good time to check your email because the attackers are counting on that busyness to help trick you into doing something. Now, of course, the attackers are not just sending you emails. They are also sending them to everybody on the internet, including your patient. We generally have little or no control over the security of those personal devices. If our patients open every attachment, their computer is very infected, threatening telehealth. That is a bit outside of your control. When patients sign up for telehealth, you can tell them about the risks. I strongly encourage you to get the patient's consent to do telehealth.

That document can say there are risks to this. The risks are A, B, and C. If you consent as a patient, please sign this document saying that you understand and you agree to do it anyway. At least that covers you a little bit to say, well, I told the patient, here were the risks, and they accepted anyway. If the patient has an infected computer, that infected computer could listen to your conversation with the patient because it is out of your control. Then, of course, all the computers on the internet also get the same kinds of attacks that your patient gets. We again have very little control over that.

The BAA, the business associate agreement, is one way to lower your risk in at least the services that you sign up for that you pay for. If your email provider says, "Yes, I will sign the BAA. I will protect your email," for instance. That is your sort of insurance, in a sense. Even if something goes wrong, they are liable to protect the information. Again, lots of opportunities for those attackers. Some things are in our control; some things are not.

This Ask the Expert is an edited excerpt from the course, Cybersecurity for Telehealth, presented by Josiah Dykstra, Ph.D.


Josiah Dykstra, PhD

Josiah Dykstra, Ph.D. is the owner of Designer Security, a consulting business devoted to cybersecurity needs in healthcare. Over the past 18 years, he has worked as a practitioner, researcher, and leader in cybersecurity at the Department of Defense. He is a frequent speaker, the author of numerous peer-reviewed publications, and wrote the book Essential Cybersecurity Science and Cybersecurity Myths and Misconceptions.

