The signs that telehealth will become a predominant and permanent part of the American healthcare system have become abundant in the wake of COVID-19. But are we prepared to address the proportional risk of cyberattack that accompanies them?
Consumer interest in digitally-facilitated — and socially-distanced — healthcare has skyrocketed in recent months as patients seek to maintain their health amid the pandemic. Their wariness of in-person services, coupled with a growing interest in convenient, digitally-facilitated services, seems likely to establish telehealth as a normal and significant part of healthcare in the future.
According to a recent report published by the research and consulting firm Arizton, the US telehealth marketed is expected to top $10 billion by the end of 2020 and experience an incredible 80 percent year-on-year growth rate. Arizton’s researchers note that while this rapid expansion is driven primarily by COVID-19 and the favorable private and public reimbursement policies that have resulted from it, the trend towards telehealth will likely persist well beyond the pandemic.
The US telehealth market is expected to grow at a compound annual growth rate of approximately 30 percent between 2019 and 2025. Around 76 percent of US hospitals currently connect with their patients and medical consultants via remote video, audio, chat, email, and other digital comms. Many hospitals are also looking to expand their investment in telehealth tools and education to ensure that their physicians are comfortable conducting remote care sessions.
Patients, too, are interested in telehealth. A recent Vivify survey found that 79 percent of surveyed patients were somewhat or very interested in switching to providers who can support virtual visits, and 48 percent say that the pandemic has “made them more willing to seek virtual care in the future.”
The interest in telehealth has skyrocketed, creating countless new opportunities for growth and advancement. However, this fast-paced growth has also opened the door to new risks: namely, cyber attacks.
The danger was made painfully clear this summer when hackers breached the University of California at San Francisco’s medical school and managed to encrypt several of the medical center’s servers. The cybercriminals obtained data to prove their breach during ransom negotiations but did not appear to expose patient medical records. Ultimately, UCSF opted to pay out a $1.4 million ransom to reclaim their data.
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” UCSF representatives shared after the attack. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
UCSF’s decision is entirely understandable — but also exemplifies a troubling example of what can happen when medical centers aren’t fully prepared to defend their data against cybercriminals. As more patients and providers turn to digitally-facilitated care and expand their telehealth frameworks, bad actors will have more opportunities to attack.
Last year, the healthcare sector experienced 41.4 million patient record breaches and noted a 49 percent increase in hacking. Reporters for Health IT Security further note that the rate of ransomware attacks has remained steady through the end of 2019 and into 2020. Some bad actors even used the pandemic as a pretext for phishing attacks; these peaked mid-April.
“The rapid pace at which telehealth applications were rolled out during the pandemic made them attractive targets for cybercriminals,” Sam Kassoumeh, COO and co-founder of SecurityScorecard, told reporters for Healthcare IT News.
Andy Riley, executive director of security strategy at the managed-security-services vendor Nuspire, provided further context in a statement. “Any time you make a change to an IT environment, you have the potential to increase risk. When you introduce rapid change, that potential goes up rapidly.”
In the months since the pandemic made its American debut, web-based healthcare products have seen a rapid rise in adoptions. Cybercriminals have targeted these products, knowing that many newer applications will not have as robust a security protocol as they should.
Now more than ever, healthcare organizations must temper their enthusiasm for new digital products with reasonable wariness. They must redesign their asset management strategies to make security assessments a priority. For their part, providers must be educated on their network and devices so that they fully understand how to correctly and safely connect to a shared network. Telehealth can and will bring a lot to the health care system — but we can’t let our excitement over the prospect cloud our judgment or put patients at risk.