Mobile News

HSCC Shares Telehealth Cybersecurity Assessment, Mitigation Guidance

In the wake of a surge in telehealth implementations during last year’s pandemic response, new HSCC guidance supports providers with cybersecurity assessment and mitigation.

healthcare telehealth telemedicine cybersecurity assessment and mitigation guidance

By Jessica Davis

- The Healthcare and Public Health Sector Coordinating Council (HSCC) shared guidance directed at telehealth vendors and services providers, to support with the assessment and mitigation of potential cyber risks tied to the surge in the use of the remote platforms.

Health Industry Cybersecurity -- Securing Telehealth and Telemedicine is the eleventh HCSS resource developed and released in the last two years. The last release occurred in September 2020 and provided the sector with a toolkit for supply chain cybersecurity risk management.

Monday’s guidance takes direct aim at the rapid adoption of telehealth and telemedicine in the last year to support the COVID-19 pandemic response. The white paper is meant to be leveraged by healthcare systems, clinicians, vendors, service providers, and patients.

In total, there was a whopping 4,347 percent increase in telehealth claims to private insurers between 2019 and 2020, according to the report, citing data from FAIR Health. Meanwhile, Frost & Sullivan project a seven-fold increase in telehealth by 2024.

As the majority of patients who used telehealth during COVID-19 reported satisfaction with the platform and expect to continue virtual care post-pandemic, it's crucial for providers to ensure the security of these oft-rapidly deployed technologies.

“The deployment of more mature analytics, better adherence to cybersecurity and privacy regulations, and the use of data to show return on investment are expected to maintain the drive of this significant telehealth expansion,” the report authors wrote.

“This tool identifies potential cybersecurity risks in the use of telehealth and telemedicine and the regulatory underpinnings of its management, and provides recommendations for managing those risks,” Mark Jarrett, Northwell Health’s deputy chief medical officer and chief quality officer, said in a statement. Jarrett is the chair of the HSCC Task Group.

Specifically, the guide sheds light on potential cybersecurity risks posed by the use and management of telehealth and telemedicine, as well as recommendations for addressing and mitigating possible threats.

Security leaders can leverage the guidance to better understand the cybersecurity risks, regulatory issues, policies and procedures, audit tools, and overall best practices. Those insights include regulations and organizational policies, cybersecurity considerations, and policy underpinnings.

For those providers that have not yet adopted a telemedicine option, the guidance includes recommendations for the implementation and maintenance of telemedicine programs. HSCC also shared projections for telehealth’s future.

The insights also explain in detail why threat actors can and are targeting the healthcare sector and telehealth platforms, as well as the threats specific to the use of remote care technologies. There are also considerations for the non-clinical environment, along with cyber-guidance for telemedicine, including audit and compliance assessment options.

Lastly, the guide provides a review of needed cybersecurity oversight and best practices, as well as a host of resources to better understand cybersecurity laws, state regulations, and other regulatory requirements.

Researchers explained that the insights may be updated in the future, given the rapid evolution of the threat landscape. Entities are urged to adopt the recommendations provided by the guidance, as appropriate to their risk profile.

“The audience for our resource is intended to be senior health provider executives with decision making authority over resource allocation and risk prioritization, senior IT security executives who can drive security policy through the enterprise, telehealth service and product companies, and regulators,” HSCC CWG’s Executive Director Greg Garcia said in a statement.

Throughout the pandemic, security researchers have warned that the rapid adoption of remote platforms and enforcement discretions from the Department of Health and Human Services may have resulted in implementations where security was not top of mind.

Healthcare entities should review previous HSCC insights around protecting trade secrets and tactical crisis response amid COVID-19, which can reduce risks to the network as hackers continue to target and exploit the network.

"Currently, there is no single federal agency with authority to establish and enforce privacy and security requirements for the entire telehealth ecosystem," researchers wrote. "At a minimum, telehealth systems need to maintain security and privacy consistent with those of all other forms of care."

"In considering the end-to-end telehealth service, along with processes needed to provide service, providers must apply the HIPAA Privacy and Security Rules," they added. "Providers may choose to vary standards or requirements according to their own unique circumstances as long as they are not in direct conflict with HIPAA."