E-visits are just one way technology is revolutionizing the delivery of health care and challenging traditional medical regulations. The term “telemedicine” embraces everything from stateside dermatologists scrutinizing images of soldiers’ skin lesions from another country to wearable sensors monitoring elderly patients’ vital signs at home.
Specialists at major medical centers regularly consult with doctors at smaller hospitals through videoconferencing. And now patients can upload their medical records for a second opinion from anywhere in the world. Healthcare experts are also counting on telemedicine to shore up access to physicians, particularly in rural areas.
While telemedicine is convenient in many cases and can enhance communication between clinicians and patients, it can also increase cyber security risk because unsecured connections are often used to transmit data. This means the data can be hijacked by cyber thieves. In the worst case, these technologies can enable hackers to use malware to hold data hostage, or to change the data in transit, creating an inaccurate view of the patient’s condition or the potential to harm patients. At the very least, they carry the risk of exposing private patient data that can be used for identity theft. Healthcare is the most targeted and the least prepared industry in the U.S. when it comes to cyber attacks. Criminal hacking is now the leading cause of healthcare data breaches.
Here are 5 tips to help healthcare organizations reduce their cyber security risk when offering telemedicine:
#1 Appoint a HIPAA security officer – a position that will be responsible for overseeing the monitoring of cyber security measures. Review the current HIPAA Audit Protocol and conduct a data security self-assessment.
#2 Develop and implement action plans for gaps identified in the self-assessment. For example, ensure that data is always encrypted (made unreadable by third parties) when transmitted. Conduct a due diligence review of all IT-related vendors and initiate business associate agreements as appropriate.
#3 Implement safeguards across the continuum – including the originating site, transmission medium and distant site – covering all software and hardware systems. Also continually audit security in social media, patient portals, webpage content, email communications, cloud storage, backup or thumb drives and texting as part of focused risk areas.
#4 Audit contracted teleradiology providers – in the case of radiology groups, when contracting with outside teleradiology companies for interpretations after the facility’s normal business hours, be sure there are appropriate security mechanisms in place for transmitting the patient information between offices.
#5 Establish policies and procedures related to data security – including security of mobile devices, passwords, confidentiality and system back-up procedures. Provide physicians and staff training on data security risks and safeguards upon hire and at least annually for the duration of employment.
It’s up to healthcare organizations to proactively put in place the best cyber security practices. There are currently no government-mandated safety measures – only guidelines. In the event that a breach occurs, the organization needs to understand its responsibilities. Here’s a link to hhs.gov that includes additional information on breach reporting: