When it comes to targets in healthcare that criminals want to hit with a cyberattack, a telemedicine consultation might not immediately come to mind. But in fact, telehealth is a ripe arena for cyberattacks.

There are crucial strategies for healthcare organizations to fortify their defenses against cyberattacks in the virtual care landscape. With more patients accessing care virtually, organizations must prioritize timely software updates and secure communication channels, and identity verification methods to protect sensitive health data.

Healthcare providers should adopt a proactive cybersecurity stance, ensuring both patient trust and compliance with industry standards like HIPAA and HITRUST, said George Pappas, CEO of Intraprise Health, a cybersecurity company recently acquired by Health Catalyst.

Healthcare IT News sat down with Pappas to discuss these and other topics at the intersection of telemedicine and cybersecurity.

Q. What kinds of attacks on telehealth programs is the industry seeing and why are criminals singling out telehealth programs for attack?

A. The healthcare industry is witnessing a rise in cyberattacks characterized by a common sequence: the first being intrusion, the initial step where attackers gain access to a system, followed by lateral movement to find vulnerabilities, when attackers seek credentials to gain access to sensitive data and assets.

Telehealth programs have become increasingly attractive targets for cybercriminals due to their rapid expansion and critical role in patient care. As these programs integrate more technology and data, they can present a wide variety of vulnerabilities that can be exploited.

Once inside, cybercriminals may copy, confiscate or encrypt data while neutralizing backups, which is a hallmark of classic ransomware attacks. Additionally, various forms of malware can cause operational damage alongside data theft and corruption or damage.

The initial intrusion often occurs through various tactics, with phishing being the most common method. Phishing scams trick users into unknowingly installing malware or sharing their login information and email access. This allows attackers to gain entry to the system.

Q. What makes telehealth delivery a high-value target?

A. It begins with the business model. Many health systems outsource their telehealth services to third-party organizations. These organizations employ physicians, physician assistants and nurse practitioners who are connected to a patient portal or other front-end access methods. On the middle and back-end of the delivery stack, these telehealth providers are credentialed to work within the health system's electronic health record, write prescriptions and access patient billing systems.

Additionally, the same virtual provider can serve multiple health systems under various contracts, which means if one virtual provider is compromised, it could potentially affect the many health systems they serve.

Next, consider the technical and administrative access environment. Many of these virtual providers work from home, relying on personal devices and home networks for their tasks: using a personal computer with a personal cell phone for authentication (a situation often referred to as BYOD, or Bring Your Own Device – times two).

This creates numerous vulnerabilities, such as the risk of home network intrusions, device compromises and unauthorized access to credentials. Questions arise about the security of home networks: Are routers and Wi-Fi adequately protected? Are family members accessing other online services that could lead to intrusions? While virtual private networks can offer some protection, they are not foolproof.

Finally, the clinical and operational access privileges required for telehealth add to the risks. Providers need access to EHR data, electronic prescribing for both regular and controlled substances, and other supporting services like imaging and lab work. They also process copayments and electronic payments, exposing protected health information and payment card industry information in a single cybersecurity incident.

These factors make virtual care delivery an attractive high-value target for cybercriminals due to the multiple vulnerabilities across the delivery chain, creating significant opportunities for exploitation.

Q. What are some of the tactics healthcare CISOs, CIOs and other security leaders should use to protect the sensitive health data in telehealth programs?

A. When working with an outsourced telehealth provider, the first step is to conduct a comprehensive risk assessment of their technical, administrative and physical controls related to their virtual delivery environment.

First, management of virtual providers. Evaluate how they manage their virtual providers, including their training, credentialing, identity proofing and ongoing monitoring. How are level of assurance controls managed? These controls allow controlled substances versus standard prescriptions.

Second, network configuration and security. Assess how they handle the security of their distributed network. Are their providers operating from home or in a controlled office environment?

Third, privacy considerations. Address privacy issues, such as how home office environments may expose sensitive materials on screens.

And fourth, ensure their environment is continuously monitored and determine what visibility you have into their compliance with established practices. This may include phishing tests and current credential access review and inventory.

Implement a highly isolated network access point within your IT infrastructure to protect your primary network from potential intrusions that can arise from your telehealth provider. Additionally, define control measures for services, payments and other sensitive functions within your operating agreement with the provider.

To further enhance security, conduct ongoing phishing and penetration tests to assess the security of your provider's personnel and infrastructure.

Q. How can hospitals and health systems adopt a proactive cybersecurity stance specific to telemedicine to ensure both patient trust and compliance with industry standards like HIPAA and HITRUST?

A. Hospitals and health systems can enhance their cybersecurity by integrating their telehealth providers' security measures into their overall security strategy. This involves continuously monitoring the risks associated with their telehealth provider and tracking their progress in mitigating those risks, much like they do for their internal operations.

In this context, the telehealth provider acts as an extension of the health system, directly impacting patient interactions and access to PHI. Compliance with HIPAA is essential, as it sets forth specific controls for security risk assessments and privacy access for privacy breach risk assessments. HIPAA serves as the baseline standard that all covered entities must follow under the HITECH Act of 1996.

The increasing recognition of cybersecurity threats to patient safety and care delivery has led to various regulatory and legislative efforts. For example, New York has become the first state to mandate cybersecurity practices that exceed HIPAA requirements.

This trend is likely to continue, with federal proposals from the White House and Congress aimed at enhancing cybersecurity risk management and increasing accountability for organizations that fail to comply with new standards.

HITRUST is another important framework that goes beyond HIPAA and NIST 2.0. It was developed by combining multiple International Organization for Standardization standards into a cohesive and comprehensive assessment tool. Current legislative and regulatory initiatives suggest a movement toward the standardization of these frameworks for health systems of various sizes.

Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication