August 11, 2020

When Health Care Goes Online: Mitigating the Risks of Virtual Health Care Delivery

Jason Kemmerer

Editor's Note: This is the second post in an ongoing series dedicated to the health care industry. Click the link to read the intro post: Through the Health Care Lens.

Over the past few months, the Centers for Disease Control (CDC), the World Health Organization (WHO) and the American Medical Association (AMA) have all advocated for the expansion of access to telemedicine services. The Centers for Medicare and Medicaid Services (CMS) announced that federal programs providing health care coverage, including Medicaid, could be used to pay for digital visits. And states are allowing for increased licensure flexibility for cross-border treatments. 

Northwest U.S. Health Provider Story

All these factors have led to a huge increase in the number of health care services being delivered virtually and remotely. As a result, both clinicians and information security teams tasked with safeguarding the Protected Health Information (PHI) of the populations they serve are facing unprecedented challenges. 

The widespread adoption of new cloud-based videoconferencing and messaging applications in health care came about almost overnight. Telemedicine brings numerous benefits to patients and providerstime and cost savings, improved access to care and higher patient satisfaction rates, among others. 

But these benefits also come with security risks. This is especially true for health care organizations that lack tools to monitor users’ behaviors as they interact with cloud applications or electronic medical records (EMR). To mitigate these risks, health care organizations must ensure that clinicians are recording and handling patient data properly and have chosen applications that support encryption and other privacy protections. 

They must also ensure security teams have established data loss prevention (DLP) policies and user activity monitoring procedures that are appropriate for today’s newly distributed digital health care ecosystem. It’s critical to track and protect highly-sensitive and regulated data across its entire lifecycle—from the moment it’s created through all the times it will be accessed, modified, or shared. 

Securing the Modern Consultation: Best Practices

These new health care protocols are generating massive volumes of new kinds of data, from the time appointments are made throughout the duration of the consultation and extending into the long-term retention of notes in the patient’s chart or recordings of the digital visits themselves. 

Protecting this data involves educating users on the basics of good security hygiene, including encouraging them to select videoconferencing and messaging applications that feature strong end-to-end security including encryption of all communications traffic. 

Although the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) has defined that penalties for violating the Health Insurance Portability and Accountability Act (HIPAA) provisions about remote communication technologies will not be enforced during the crisis, the real-world consequences of a breach remain. In addition, future audits will still ascertain that data collected now was handled and stored securely.  

With a Cloud Access Security Broker (CASB) solution in place, your security team can automatically discover which cloud applications are being used for patient communications. This includes HIPAA-compliant video conferencing tools as well as those temporarily permitted non-public facing ones.

For some organizations, it may make sense to block certain applications, to educate users about safer alternatives, or to limit certain high-risk activities such as sharing sensitive files with third parties. A CASB solution can be deployed relatively quickly, making its implementation a sensible first step in mitigating the security risks that come with delivering remote health care at scale.

Protecting Sensitive Data in Productivity and Telehealth Apps

Specialized telemedicine applications provide patients an opportunity to better manage their health and understand care and treatment options. These apps offer patients direct online access to portions of their medical records. They can allow providers at multiple different facilities to share patient information, can offer a secure channel for patient communications with care teams, and can streamline the process of scheduling appointments. They’ve long seen widespread use in the health care industry, but in the face of recent events, they’re being leaned on even more heavily.

Although telemedicine apps were designed with security in mind, their risks multiply if their users aren’t conscious of how best to safeguard patient data within them. Often risky behaviors, such as downloading PHI to a medical provider’s personal device, are attempted because they seem like the quickest or most convenient method of completing a task. 

To further protect EMR from the consequences of unauthorized user activities, you could implement a user activity monitoring solution like Forcepoint Insider Threat to protect the “crown jewels” in your database. 

This will ensure that your users aren’t exhibiting anomalous high-risk behaviors (which can signal deliberate abuse) when interacting with patient records. This solution can also be integrated with Forcepoint Data Loss Protection (DLP) to provide additional containment measures such as data fingerprinting and active blocking.  

The security challenges that have arisen with the recent expansion of health care to incorporate remote provider visits require additional layers of data protection and cloud application governance. Forcepoint can deliver these capabilities affordably and without placing undue burdens on your team.

Jason Kemmerer

Jason Kemmerer is a Solutions Architect for the Americas at Forcepoint specializing in Data Security and Insider Risk. He also acts as a liaison between enterprise customers and product management teams for the strategic roadmap of the Data Security Portfolio....

Read more articles by Jason Kemmerer

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.