Safeguarding patient health information in the age of COVID-19

Telehealth consults are the norm today as patients forced by COVID-19 to self-isolate and physician offices close their doors to help stop virus spread.

Keeping the public at home makes sense as the world has seen the impact of not employing social-distancing measures can have on overwhelming health infrastructure and causing dangerous shortages in lifesaving equipment.

Relaxing privacy rules because of the pandemic has made telemedicine applications mainstream overnight.

The technology is far from new, but until recently it had only a modest uptake: with practitioners conducting only one in every 150 doctor visits and one in every 5,000-10,000 specialist visits via telemedicine, according to an article in TechCrunch.

Now Teladoc, the U.S.’s largest virtual-care provider, reports over 100,000 appointments weekly.

On March 18, the Office for Civil Rights announced it would not impose penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with the privacy regulation during the pandemic, Health IT Security.com reports.

The loosening of HIPAA privacy requirements means healthcare providers can now use popular teleconferencing apps, such as Zoom, Skype, and others, as long as these communications are not public-facing like with Facebook Live.

But have privacy considerations taken a backseat in the rush to provide patients with virtual continuity of care?

Where are the dangers if sensitive health information is leaked?

And, what can organizations and government agencies do now to address this issue?

There are many examples of patients’ information being put at risk:

• Data Breach Today reported on April 13 how healthcare and technology firms are partnering to collect COVID-19 medical insights using patient information. The efforts, to assist government and academic researchers to better understand the virus and how to fight it, have raised significant privacy and security concerns.
• Federal agencies are lessening their enforcement certain privacy rules “to make it easier for hospitals and their vendors to share patient medical records with public health officials,” according to an April 8 article in STAT which poses the question of whether Americans would make the same privacy tradeoffs they did after 9/11, during and after COVID-19.

And what about the privacy implications of companies reinventing themselves to develop a COVID-19 rapid test or vaccine, or to roll out remote telehealth apps to ensure patient care continues in these challenging times?

In Canada, Alberta’s government has collaborated with Telus Health to offer Albertans a free downloadable app that lets patients check symptoms — including those of COVID-19 — schedule doctor appointments and get prescriptions and referrals as an insured service.

But many privacy experts note that the app doesn’t adequately protect citizens’ health information.

In fact, CBC News reported last month that Alberta’s privacy commissioner would take “up to a year” to assign someone to review the privacy impact assessment that Telus provided.

None of this comes as a surprise to Steph Charbonneau, Titus founder, CTO and CISO.

“The reality is it’s not what’s happening today when you’re trying to talk to your physician and use these tools to get the help you need. It’s what going to happen a week or six months from now with that data,” he says.

“We are not giving people the proper time to think about design – how they’re going to collect information,” says Charbonneau.

Dangers are all too real

One thing is obvious: no one wants their private health information put at risk, as it can have far-reaching repercussions on their personal and professional lives.

Hackers want your health records

“I am most concerned about the black market selling medical records,” says David Schwed, director and professor in the cybersecurity master’s program at Yeshiva University Katz School of Science and Health.

“Healthcare records fetch a much higher price on the black market than even credit card numbers,” he says.

According to the 2019 Trustwave Global Security Report, a healthcare record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record, a payment card.

One of the biggest buyers of illegal patient data are state actors like China, Schwed says.

“Countries like China are harvesting medical records and information about U.S. citizens. One reason they are doing it is to identify potential pressure points…to influence or blackmail individuals with connections to the U.S. government.”

WIRED reported last August that state-sponsored hackers in China are targeting medical research data, including clinical trial data for cancer and biotech intellectual property, worldwide.

Charbonneau points to how health information in the wrong hands could find its way to employers at a time when large numbers of people are out of work, with someone with poor health potentially getting discriminated against by hiring managers.

He also says personal health information could also harm people when applying for health insurance or traveling.

Schwed, who also has worked in a chief security officer role in the financial industry, says both the financial and healthcare sector face similarly stringent regulatory scrutiny around protecting people’s personal data.

No home-based firewalls

An added vulnerability is the fact that physicians and other health practitioners, like most of the world’s workforce, now must do their jobs from home, with no enterprise-level information security controls such as data loss prevention or network access control.

“What we’re seeing – not just in healthcare but in almost every enterprise – is that [people’s home office setups] are not necessarily being constructed or architected in a way to facilitate the transmission of secure information,” Schwed says.

He warns that there are security risks “inherent in almost every video conferencing software” on the market. For example, cybercriminals are targeting Zoom for malicious activity because of the app’s popularity.

He advises that before using Zoom or other video application, users should turn on the encryption feature and use meeting passwords to keep hackers from “bombing” their meetings or illegally eavesdropping.

On the healthcare side, both Schwed and Charbonneau recommend that physicians and nurses doing at-home consults use virtual desktop infrastructure.

This kind of software sits on a worker’s home PC and is used to connect into a secure environment such as Amazon Cloud Services.

“Hackers who install malware on a PC won’t be able to intercept patient data because the data isn’t actually on the desktop, it’s on a server that they’re just remotely connected to,” Schwed explains.

Also, as soon as you close your browser, the data is gone and can’t be pulled back up.

Beware of offshore data centers

Charbonneau says that it’s critical that health organizations know how and where their patent data is being stored.

He expresses concerns that apps that have not been well researched could easily route data to countries which may not have the same stringent regulations for protecting patient information.

The need to prioritize patient privacy

Clearly, as the initial crisis-mode that defined this pandemic passes, the healthcare sector needs to embrace patient privacy as a priority.

Charbonneau notes that both patients and health practices should embrace a security mindset.

“You need to do your homework on the services you want to bring together to house the data and where you’re going to put the data,” advises Charbonneau.

He says agencies in Canada and other countries could help healthcare providers by performing due-diligence reviews of technology apps and services to identify the ones that provide the best protection of patient data.

Ensuring patient privacy – Healthcare sector to-dos

• Do take the time to understand an app or service providers’ policies around data privacy – do not assume they have a robust privacy policy.
• Do slow down and be more methodical when assessing telehealth and other apps.
• Do safeguard your home office environment, such as using virtual desktop infrastructure and security controls in video-conferencing apps.
• Do read the AMA quick guide to telemedicine in practice.

For more information on tools and best practices for remote workers and data protection, visit our Remote Workers page.

This post was first first published on Titus website by Jamie Manuel. You can view it by clicking here