Cybersecurity in Healthcare 2022: Privacy Risks of Telehealth
- Christopher Dale, Content Marketing Manager, ThriveDX's Enterprise Division
It’s amazing to ponder just how far the medical industry has come in the past few decades. From completely paper-based operations in the 70s to today’s high-tech, interconnected systems, the way hospitals and clinics function has changed dramatically. One of the most significant innovations we’ve seen in recent years has been the growth of telehealth services.
Telehealth, also known as telemedicine, is the use of technology to provide medical care and services remotely. This can include everything from two-way video conferencing for appointments to the remote monitoring of patients’ vital signs. While telehealth benefits abound, it’s not without challenges. Overcoming the privacy risks of telehealth is the most important hurdle. Securing patient data is always healthcare’s most pressing concern.
COVID and the Rise of Telemedicine
Telehealth has become increasingly popular in recent years, as providers look to mitigate the risks of COVID-19 and provide care in a safe and effective manner. So much so, in fact, that they’re seeing as many as 50 to 175x more patients through their digital services than they were before the pandemic.
Striking a Balance
There are a number of reasons why telehealth has become such a popular option for both patients and providers.
For patients, telehealth can be a major time and money saver. Not only does it demand less travel on their part, but it also spares them lengthy waiting times in clinics or hospitals. They’re able to access the care they need from the comfort of their own home, and by diverting non-urgent matters to telehealth, they can save up to $1,500 per visit.
As for providers, telehealth can help them reach a larger number of patients, including those who live in rural areas. Without geographical boundaries, doctors can now conduct more appointments per day. Added benefits include better work-life balance and reduced burnout, since telehealth allows for more flexibility in their schedules.
The Innate Privacy Risks of Telehealth
It’s no secret that medical visits are very personal interactions. Not only do they involve discussing an individual’s most sensitive concerns, but also exchanging information critical to their identities like social security numbers and other private information. This is why security has always underpinned the doctor-patient relationship.
The recent shift to telehealth disrupted this delicate balance. Unlike in-person visits, telehealth appointments happen over the phone or internet – two much more insecure channels, increasing the chances of compromising patient data.
Privacy and Security Concerns of Telemedicine
There are a number of ways in which patient data can be compromised in a healthcare setting. The following are two of the most common, along with some high-profile examples of each.
Ransomware
One of the most common ways patient data is breached is through ransomware attacks. Ransomware is a type of malware that encrypts a victim’s files and then demands a ransom be paid in order for them to be decrypted. The privacy risks of telehealth don’t get bigger than this.
Over the past few years, we’ve seen a number of hospitals and clinics fall victim to ransomware attacks. In 2016, for example, the Hollywood Presbyterian Medical Center had to pay $17,000 in Bitcoin to regain access to its files after being hit with ransomware. And in October 2019, the DCH Health System had to temporarily shut down its computer systems after being infected with ransomware.
Why Hospitals Are the Perfect Targets for Ransomware
Hospitals make attractive ransomware targets for two main reasons. One: healthcare facilities are often running outdated or unpatched networks. Two: getting systems up and running again is a matter of life and death, so paying ransoms takes on more urgency. Because so much of their data is online, and patient care depends on accessing that data, hospitals can’t afford to wait days or weeks to restore their systems the way other industries can.
Phishing Attacks
Phishing attacks precede most ransomware. Phishing lures victims into unwittingly giving up their login credentials or other sensitive information. This is why security awareness training is so crucial.
One of the most famous phishing examples happened in 2015, when hackers used phishing emails to access employee login credentials of Anthem, one of the largest health insurance companies in the United States. Once they were inside Anthem systems, they stole the personal information of over 78 million people.
Healthcare Cyber Attacks: How Common Are They?
These concerns are not without merit. Healthcare-related data breaches spiked in recent years, especially from COVID-19 onwards. The pandemic forced an unprecedented 46% of patients to pivot online in 2020, and it’s estimated that since then over 29 million records have been compromised on an annual basis.
Of industry targets, hospitals and clinics account for 72%, with business associates and health plan organizations making up the rest.
The damages they’re incurring to recover from attacks are markedly on the rise, too, with the average cost of a data breach in the healthcare industry amounting to over $10 million between March 2021 and 2022. That’s up from what was already a record-breaking total in 2020 of $9.23 million.
How to Prevent Healthcare Data Breaches
In order to mitigate the risks associated with healthcare data breaches, hospitals must secure their systems and mandate security training for every employee. Patients must also become aware of the privacy risks of telehealth.
For healthcare providers, some steps to improve cybersecurity include:
- Educating employees about phishing attacks and how to spot them
- Improving password security by implementing multi-factor authentication
- Encrypting all sensitive data, both in transit and at rest
- Regularly backing up data to an offsite location
- Working with security experts to identify system vulnerabilities
Patients can also take steps to protect their data when using telehealth services, such as:
- Verifying that the doctor is using a secure video conferencing platform
- Ensuring the patient has data encryption enabled (https://)
- Asking the doctor what measures they’re taking to protect patient data
- Avoiding giving out personal information unless absolutely necessary
Tech Adoption and Cybersecurity are Inseparable
There’s no going back from this era of digital healthcare we’ve entered – telehealth is here to stay. As the industry continues evolving, cybersecurity must be top of mind to protect both patients and providers from data breaches.
Christopher Dale is the content marketing manager for ThriveDX’s Enterprise Division. He has worked in the cybersecurity field for almost 14 years in PR, social media and content development roles for a range of companies including ESET, Forcepoint, Cylance (Blackberry) and Proofpoint. He holds Bachelor of Arts degrees in Political Science and Rhetoric & Communication from the University of California, Davis.