Telehealth has been a transformative option during the COVID-19 pandemic, allowing new forms of access to care even when in-person visits were impossible. Of course, given the sensitivity of personal health data, telehealth security was also a much-discussed topic during the pandemic. While telehealth rose to the occasion, their convenience and portability have meant that such services are expected to remain (and even grow) after virus numbers have dwindled and traditional healthcare services have reopened; this warrants additional forward-thinking about how patient and provider information can be kept safe while maximizing convenience for telehealth users, and much is being done to paint a safer, more secure future for telehealth.
Radical Changes for Telehealth
With the onset of the pandemic, telehealth changed rapidly, moving from a small sector of the overall industry to a primary mode of access to health care. While telehealth initially required adjustments in expectations, patients came to welcome the convenience of appointments and quick access to professionals obtained through telehealth appointments. As a result, many patients are eager to continue to access telehealth services long after the U.S. reopens and the pandemic comes to an end.
Even before the COVID-19 pandemic, telehealth growth was forecasted to rise 14.9% between 2019 and 2025, a growth rate that was rapidly exceeded due to circumstances. Telehealth also provides exciting options for the 133 million Americans with some form of chronic illness or disease, who need regular check-ins but also may face limitations on movement that telehealth options can help to transcend.
However, that massive increase in usage also saw increasing concerns about security. Like other virtual technologies going through a sharp expansion during the pandemic, security flaws and potential vulnerabilities were exposed. Telehealth vulnerabilities could potentially leave private health information exposed to the public — or in the hands of attackers. There have been breaches of some data held by some telehealth providers or intermediaries, while other health care companies have been subjected to ransomware attacks.
Addressing Security Concerns
The rapid rise of telehealth, with over 70% of telehealth users stating they intend to continue using the services after the pandemic, has meant a rushed on-ramp to implementation. The growth plans of a decade were compressed into several months.
However, many of the best practices and regulations for apps and internet technologies are designed more for typical e-commerce applications than for the uniquely private nature of health care. Telehealth providers have worked to find solutions to ensure health care privacy laws are fully applied to the information they store. In addition, both providers and users may access their telehealth visits through unsecured or poorly secured networks, leading to further points of vulnerability outside an app’s ecosystem.
The first step in protecting telehealth security is ensuring that best practices are followed at every step of the process. This means that fundamentals like endpoint detection and response, two-factor authentication, and segmentation of networks should be standard for all telehealth applications, including for providers accessing their services from home. Hospitals often have highly encrypted networks that could make use of videoconferencing and other options from inside the hospital, providing further security for personal health data.
Advancing Telehealth Expansion
Due to the value of personal health data, attackers have focused on telehealth companies, with several security researchers reporting an uptick of attacks targeting telehealth vendors specifically. This has been combined with rising attempts to interfere with or otherwise interrupt videoconferencing solutions more generally. Most telehealth providers have moved to specially designed apps made for the purpose of providing health care, with higher levels of security enabled. However, some local providers may continue to use consumer-level solutions to access patients, which could exacerbate the likelihood of a breach.
When healthcare institutions implement clear standards for the use of telehealth, providers will have better guidelines and instructions about how they can best protect their patients while offering virtual services.
In addition, telehealth may make security issues more visible, but many of the underlying concerns relate to institutions’ overall practices and data security approaches. While telehealth provides an opening to the internet and the vulnerabilities that come along with it, health IT systems should be secured at all levels, with encrypted data and strict access controls, which can harden security against both outsider threats and insider compromise.
We can also expect regulations to come into effect in many countries around the world. While the U.S. is the world’s leading market for telehealth services, Europe is rapidly moving into second place. The Asia-Pacific region is growing quickly, and these services are becoming more popular and accessible globally, especially as many rely on the use of secure mobile apps and do not require users to have a computer. As a result, we may initially see a patchwork of regulations that must be implemented for a successful telehealth program. While these will eventually arrive at a global standard, privacy and security concerns are likely to be at the forefront of all of these regulatory efforts.
Moving Towards the Future
With all of the promising indicators for telehealth, security remains a concern. Almost half of the respondents to one survey of patients said they would stop using telehealth or change providers if their personal data was breached in an attack. Women are more likely than men to back away from telehealth in case of a data breach, as are older adults, with members of the Baby Boomer and Silent Generations far more likely to stop using telehealth if their personal health information is compromised.
To date, most telehealth breaches have affected internal systems or financial data, rather than personally identifiable health information, with some exceptions, and telehealth has been a lifeline for many people unable to travel to medical appointments. The growth of telehealth points to a bright future that can only be enhanced by properly dealing with security concerns in a proactive, flexible manner that puts patient data protection at the heart of telehealth expansion initiatives.
