Although there may be numerous benefits to using telehealth services, patients and providers should also consider the substantial telehealth risks involved.
With the sudden onset of COVID-19, the Department of Health & Human Services quickly took significant steps to secure better access to telehealth services. Patients can now talk to their doctor live through phone or video chat, send and receive messages through email, secure messaging, and secure file exchange, and use remote patient monitoring with home check-up devices. As a result, telehealth has become extremely popular due to its accessibility and safety from COVID-19.
Expanding U.S. telehealth offerings and utilizing such technology also presents potentially severe liabilities, including a laundry list of cybersecurity, data, and compliance risks. As the regulations governing telehealth remain relaxed, now is the time to be vigilant regarding various telehealth risks.
Cybersecurity and Data Risks
Healthcare criminals are notoriously creative, and the relaxed standards for telehealth-related data exchanges have opened more opportunities for bad actors to exploit the pandemic for financial gain.
With the onset of COVID-19, phishing attempts have grown remarkably. To date, phishing is one of the most effective methods that attackers use to compromise accounts and access data and resources.
With phishing relying heavily on social networking methods, the sudden dependence on telehealth services and virtual visits makes users even more susceptible to falling victim to phishing. For example, Google reported blocking 18 million malware and phishing emails per day related to COVID-19.
At the end of October, two phishing campaigns emerged. One masqueraded as a Microsoft Teams alert, and the other as a COVID-19 vaccine tracker from the HHS.
According to Healthcare IT News, Patricia Carreiro, a data privacy and cybersecurity litigation attorney at Carlton Fields, states, “Healthcare data carries an extraordinarily high value on the black market, typically worth 10 to 40 times more than a credit card number.”
With HHS allowing for greater accessibility to telehealth services, the transfer of such valuable unencrypted information is prime real estate for hackers. Carreiro adds, “Hackers can simply insert themselves in the unsecured communication, take the information they desire, and proceed to sell the information to perform various types of healthcare fraud or identity theft.”
A current trend is targeting healthcare providers in hopes of discovering unpatched systems or other comparable vulnerabilities. Given the current COVID-19 climate and its longevity, individuals are distracted and stressed. Opening the wrong email or clicking on a malicious link is an easy mistake to make, but it could take down a whole healthcare system.
According to HHS, ransomware is a type of malware (malicious software) that attempts to deny access to data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. Most ransomware attacks are delivered through phishing campaign emails that ask the target to either open an attachment or click on an embedded link.
Details about a major wave of ransomware attacks on U.S. hospitals began to emerge at the end of September, when computer systems for Universal Health Services, one of the biggest hospital chains in the country, were hit, forcing some doctors and nurses to use pen and paper to file patient information.
“Ransomware attacks have been a consistent threat to American industry and local governments for several years, but attacks on the country’s health care systems have risen this year,” said Allan Liska, an analyst at the cybersecurity firm Recorded Future, who monitors known infections.
Liska and his team have tracked 62 reported…