Addressing telehealth's cybersecurity risk will be an industry-wide problem
Experts have repeatedly predicted that telehealth would present a major challenge for healthcare cybersecurity in the coming year.
But it's not enough to know telehealth is likely to be an issue. The real task is working collaboratively to address those dangers.
At the second installment of the American Telemedicine Association's EDGE policy conference on Tuesday, leaders in the healthcare space reiterated the importance of cybersecurity as a patient safety issue.
"We've been measuring the risks and the threat for telemedicine-type services for many years," said Christopher Logan, director of healthcare industry strategy at VMWare.
Even before the COVID-19 pandemic, "healthcare already had a cyber target on its back," said Logan.
Now, with the explosion of connected devices in conjunction with the rising value of digital medical records and an increasingly remote workforce, Logan said maintaining seamless cybersecurity will be more important than ever.
This is particularly important, he said, given that patient safety can be on the line – as we've seen with the fallout and continued disruption from high-profile ransomware cases over the last year. Ransomware attacks have even been linked to a patient's death in Germany.
"At the end of the day, 'adequate security' is not enough when you think about what we're trying to accomplish," said Logan.
Of course, taking precautionary steps in terms of security-as-a-service and planning for a worst-case scenario will be paramount in developing a robust security profile. But Logan noted that "the most important aspect of any security program … is always going to be the people that are involved."
Mark Jarrett, chief quality officer and deputy chief medical officer at Northwell Health, agreed: "What we're trying to [do] … is look at it from the patient viewpoint and the provider's viewpoint."
It's not a matter of computer literacy, he said, but rather whether there are basic security measures in place. Providers who are associated with larger hospitals, said Jarrett, may have the privilege of an additional, institutionalized layer of security, while smaller or medium-sized providers "are basically on their own."
And again, this is magnified by the increasing reliance on telehealth, which frequently relies on patients' own network security – especially when it comes to remote patient monitoring devices. Jarrett noted that this could be a good opportunity for the government to intervene.
"I don't love overregulation, but this is an area where we have to be careful, because patients will be hurt," he said. "Cybersecurity is a patient safety issue."
Still, said Jessica Wilkerson, a cyber policy advisor with the All Hazards Readiness, Response and Cybersecurity team at the Center for Devices and Radiological Health within the Food and Drug Administration, cybersecurity is a shared responsibility.
"FDA does not regulate telemedicine," she reminded co-panelists. But "if there's one thing FDA has really learned … it's that everybody has to be doing their part."
Even for medical device manufacturers, she said, that device will still go into a hospital system or someone's home, where it needs to be kept secure. "You have to be doing your part and talking to the other person about what they're doing and adjust on a constantly evolving basis," she said.
"Telemedicine is the epitome of cybersecurity issues," she continued, in that there are varying levels of security expertise at play. "The whole ecosystem approach to cybersecurity is so critical."
"At the end of the day, we all know technology is going to fail," added Logan. "We have to be running a little faster than the bad guy.
"The key here is going to be people. That's going to help reduce the risks associated with telemedicine," he continued. "We're going to be able to reduce that risk only if we work in harmony together."
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.