After an initial surge, telehealth use remains steady and, as explained by Health IT Security’s Jessica Davis, its use requires health systems and practices to ensure existing policies and procedures protect patient data and privacy. “Risk stems from the accelerated implementation of new technologies without adequate due diligence to prevent introducing new vulnerabilities to the network,” says Mike Garzone of Impact Advisors. Potentially unsecured telehealth systems, adds The Privacy Professor’s Rebecca Herold, are a threat to patient safety and privacy, and amplify the risk of a cyberattack and ransomware.
The experts make the following recommendations to mitigate liability exposure associated with telehealth use:
- Workforce training: Train staff and clinicians on telehealth security risks, specifically how these threats relate to the facility’s policies and procedures. “This way the need for security and privacy practices during daily work activities stays top of mind for workers,” says Herold.
- HIPAA Compliance Assessment: Perform a risk assessment to identify any non-compliance with HIPAA and other applicable regulations. Garzone cautions that HIPAA regulatory enforcement eased during the pandemic will soon resume, leaving telehealth platforms subject to the same requirements as all other systems. He recommends clinicians incorporate the following steps when using the technology to conduct remote encounters:
- Positively identify the patient before beginning the encounter;
- Ensure the patient is the only person in the room, or has given consent to the presence of others such as family members, similarly to an in-person visit; and
- Educate the patient regarding the use of security measures on their electronic device(s).
- Encryption and Authentication: Encrypt data to prevent unauthorized access to protected health information (PHI) and support adherence to regulatory and legal requirements. Additionally, multi-factor authentication, says the report, is “proven to block 99.9 percent of all automated attacks and can effectively protect patient data.”
Herold notes privacy breaches are incredibly damaging to reputation and can lead to large monetary penalties so compliance measures are critical. Davis says guidance issued by the Healthcare and Public Health Sector Coordinating Council can further support healthcare organizations looking to assess their potential risks.
MLMIC encourages our insured facilities and practices to conduct routine and thorough risk assessments to identify vulnerabilities associated with telehealth use in their organizations and address any identified areas for improvement. We also recommend that you assess and secure the safety of all the devices used in your practice including computers, laptops, smartphones, and patient monitoring equipment. Vigilance in safeguarding PHI remains an evolving and ongoing responsibility for all healthcare organizations and professionals. Additionally, we offer several resources to support telemedicine use among policyholders:
- Risk Management Tip: Utilizing Telehealth in Your Practice, a risk management tip with recommendations for protecting PHI and properly using telehealth;
- Telehealth & Cybersecurity Considerations, a blog post with insights to help reduce the risk of HIPAA privacy breaches and cyberattacks related to the use of telemedicine; and
- Liability Considerations Related to Use of Telehealth, a blog post with risk mitigation strategies related to use of telehealth.