The COVID-19 pandemic has resulted in many changes to the way organizations operate. It’s estimated that the number of remote workers increased from just over 4% of the workforce to almost half, with about 80% of employers allowing at least some remote working. This is especially true for health care.
The requirement for health care to continue, coupled with the need to stay away from any potentially infectious environment, has put a special emphasis on remote delivery of services. This trend is likely to continue. According to the consulting firm McKinsey, “COVID-19 has caused a massive acceleration in the use of telehealth. Consumer adoption has skyrocketed, from 11 percent of US consumers using telehealth in 2019 to 46 percent of consumers now using telehealth to replace cancelled healthcare visits.” This could eventually translate into “$250 billion of current US healthcare spend [which] could potentially be virtualized.” Assuming it works.
The issues with telemedicine and privacy
Telemedicine is not just one technology. It can refer to many, including video conferencing, wireless technologies, data monitoring, Internet-based technologies, smartphone apps, interactive voice response technology, and even fax and landlines. The issue is that many of these technologies were not designed to keep patient information confidential, nor communications with physicians or even lawyers.
Part of the problem is that many developers live by Facebook founder Mark Zuckerberg’s famous motto: “Move fast and break things.” The industry average is between 15 and 50 bugs per 1,000 lines of code, and that rate can rise drastically with the complexity of the project. Ideally, developers should use the SDLC (software development lifecycle) process to formalize and document secure coding methodologies. More often, however, the need for speed overrides the process.
Vulnerabilities in telehealth technology
This has created difficulties for two of the most important telemedicine technologies: mobile health apps and Internet-connected surveillance cameras. Both have recently been found to be accessible by criminal hackers, who have been able to steal health care information. Health care information is required to be kept private under HIPAA (Health Insurance Portability and Accountability Act, 48 CFR §164.502). It is also one of the most valuable types of information available for sale on the dark web.
The problem with mobile apps is partially due to the apps themselves. Unlike stand-alone programs, apps depend on other programs to do what they do. About ten years ago, you would access information through a browser, which would query a company’s servers to complete a transaction. Now you use an API (application programming interface) through a company app on your cell phone, which is designed to gather information from various sources and use the phone’s computing power to answer the request.
Obstacles to health care privacy
New technologies are rarely free from cyber security issues. They just have different issues. According to a 2019 Akamai report, API calls account for 83% of web traffic; a Gartner report in the same year estimated that by 2021 APIs would account for 90% of the attack surface, and that by 2022 they would become the most common attack vector.
You can lock down an API the same way you protect your home computer. You are careful with authentication. You implement lockout policies. You limit exposure of sensitive data like ePHI (electronic protected health information). The difficulty with APIs is that the same weaknesses are harder to find than on a desktop, but they are just as exploitable.
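To make the three controls above concrete, here is an added example (not code from the original post or from any product it mentions) of a small authentication layer in front of a health API: salted password hashing with constant-time comparison, a failed-login lockout, and a response filter that strips ePHI fields from callers who lack a clinical scope. The class name `ApiGateway`, the scope names, the thresholds and the sample patient record are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

LOCKOUT_THRESHOLD = 5          # failed logins before the account is locked (assumed policy)
LOCKOUT_SECONDS = 15 * 60      # how long a lockout lasts (assumed policy)
TOKEN_TTL_SECONDS = 30 * 60    # session token lifetime (assumed policy)

# Fields treated as ePHI: returned only to callers holding the "clinician" scope.
EPHI_FIELDS = {"diagnosis", "lab_results", "radiology_report", "date_of_birth"}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "appointment": "2024-05-01T09:00",
    "diagnosis": "example diagnosis",
    "lab_results": "example lab panel",
    "date_of_birth": "1980-01-01",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential table is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class ApiGateway:
    """Hypothetical auth layer in front of a health API (example only)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so lockout expiry can be tested
        self.users = {}                     # username -> (salt, pw_hash, scopes)
        self.failures = {}                  # username -> [failed_count, locked_until]
        self.tokens = {}                    # token -> (username, expires_at)
        self._dummy_salt = secrets.token_bytes(16)

    def add_user(self, username, password, scopes):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt), frozenset(scopes))

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, [0, 0.0])
        if now < locked_until:
            return {"ok": False, "error": "account locked"}
        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take the same time to reject.
            _hash_password(password, self._dummy_salt)
            return {"ok": False, "error": "invalid credentials"}
        salt, expected, _scopes = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            count += 1
            if count >= LOCKOUT_THRESHOLD:
                self.failures[username] = [0, now + LOCKOUT_SECONDS]
                return {"ok": False, "error": "account locked"}
            self.failures[username] = [count, 0.0]
            return {"ok": False, "error": "invalid credentials"}
        self.failures.pop(username, None)            # successful login resets the counter
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, now + TOKEN_TTL_SECONDS)
        return {"ok": True, "token": token}

    def _caller(self, token):
        # Resolve a bearer token to a username, rejecting unknown or expired tokens.
        entry = self.tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self.tokens[token]
            return None
        return username

    def get_patient_record(self, token, record):
        username = self._caller(token)
        if username is None:
            return {"status": 401, "body": {"error": "authentication required"}}
        scopes = self.users[username][2]
        if "clinician" in scopes:
            return {"status": 200, "body": dict(record)}
        # Minimise exposure: strip ePHI for any caller without clinical scope.
        return {"status": 200,
                "body": {k: v for k, v in record.items() if k not in EPHI_FIELDS}}


if __name__ == "__main__":
    gw = ApiGateway()
    gw.add_user("scheduler", "example-password", {"scheduling"})
    token = gw.login("scheduler", "example-password")["token"]
    print(gw.get_patient_record(token, SAMPLE_RECORD))   # no diagnosis / lab fields
```

The scheduling-scope user sees appointment data but not the clinical fields, a wrong password five times locks the account until the lockout window passes, and a stale or unknown token gets a 401 before any record is touched. In a real deployment the user store, failure counters and tokens would live in a shared database rather than in memory, and each decision would be logged so that a burst of lockouts is visible to the SOC.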
A recent study showed that of the 30 health apps tested, all were vulnerable to attack, allowing access to health care information that should have been protected. It took researchers less than a minute to discover one of the most common vulnerabilities. Half of the apps could be used to reveal clinical, pathology, and radiology reports.
Another obstacle to telemedicine privacy has to do with Internet-connected surveillance cameras. There are an estimated 1 billion of these cameras in use around the world. Two organizations whose images were shared online were Tesla and Cloudflare. In 2018, two Chinese companies that manufacture the bulk of CCTV cameras were prohibited from U.S. government contracts.
Time to manage privacy
The point of all of these issues is that before a health care provider, law firm, or any organization interested in keeping its information private adopts a new technology, it should consider an information security management framework like ISO 27001. Keeping private information private as technology changes is something that has to be actively managed. Just because a technology is new doesn’t mean it’s better.
Free PDF download: Information Security & ISO 27001 – An introduction
The volume and value of data used in everyday business, including telemedicine, increasingly informs how organizations operate and how successful they are. In order to protect this information – and to be seen to be protecting it – more and more companies are becoming ISO 27001-certified.
This free paper will help you explore the benefits of implementing an ISMS and achieving ISO 27001 certification.