By Susan Kreimer
Image: Maryland ophthalmologist Dr. Renee Bovelle conducts a telehealth visit from her office.
Some of Dr. Renee Bovelle’s patients feared their pink eye and allergies could be signs of COVID-19. But the Maryland ophthalmologist could only treat them by video conferencing — “telemedicine” — because of mandatory social distancing.
The technology allows doctors to manage most health conditions remotely while reducing the risk of exposure to coronavirus. The practice also brings heightened concerns about patient confidentiality and digital privacy.
“Now that we’re in this digital age, the burden of responsibility to protect the patient’s healthcare data rests on the shoulders of physicians and healthcare organizations,” Bovelle, who also holds a master’s degree in cybersecurity, told Digital Privacy News.
The global pandemic compels doctors to eliminate most office appointments and conduct more virtual visits, even as telemedicine raises the potential for eavesdropping on conversations and tapping into electronic databases that contain patient information.
Computers and cellphones are prime targets for hackers seeking to capitalize on a new wave of unpredictability in these socially distant times, experts tell Digital Privacy News.
“The general public is obviously relying on their medical professionals,” said Robert Siciliano, a cybersecurity analyst at Protect Now in Boston. “It is ultimately up to that medical professional that they and their clients are going to be protected.”
The Health Insurance Portability and Accountability Act (HIPAA) mandates end-to-end encryption in telehealth interactions to protect sensitive data. But those standards have become more relaxed because of COVID-19.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services said last month that it would exercise “discretion to not impose penalties for HIPAA violations” if healthcare providers practiced good faith in using telehealth technologies.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” OCR Director Roger Severino said on the agency’s website. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
The safest telemedicine occurs via a HIPAA-compliant platform with encryption that gives both parties access to a confidential record of the patient’s medical history. User names and passwords are required to access the information.
This system provides more security than such consumer platforms as Skype, FaceTime and Zoom, Amber Humphrey, director of telehealth at Vanderbilt University Medical Center in Nashville, Tenn., told Digital Privacy News.
Vanderbilt uses a HIPAA-compliant version of Zoom that is protected by a business associate agreement.
Generally, such accords specify the required and permitted uses of the protected health information. They bar the video-platform company from disclosing the data beyond what has been allowed or mandated by the contract or as stipulated by federal law.
These agreements also direct companies to take appropriate safeguards to prevent any use or disclosure of the protected health information other than as outlined in the contract.
Before the pandemic, Vanderbilt had fewer than 10 telehealth sessions per day. Now, it is averaging more than 2,000 visits daily.
“We’re fortunate,” Humphrey told Digital Privacy News, “that we already had the foundation for a secure video visit to occur.”
Bovelle, who opened her practice outside Washington in 2005, also uses a HIPAA-compliant platform to keep patient data safe. It proves invaluable in assessing new patients.
“I can conduct a telemedicine exam on a new patient and determine if they require further intervention,” she said.
Problems at Zoom
However, Zoom Video Communications Inc. has come under fire recently for myriad privacy-related problems — and Siciliano advises patients to ask medical professionals about their security practices.
“It’s always good for you as the recipient of that medical attention to do your own research to make sure they are actually protecting you and your information,” he told Digital Privacy News. “Doctors should be engaged in security-awareness training.”
For patients, homes are the best setting for a telehealth visit, whether by computer or mobile device. Public Wi-Fi is less secure, with patients running greater risk of being overheard.
Clinicians should be at home or in an office without intrusion, said Mei Kwong, executive director of the Center for Connected Health Policy in Sacramento, Calif.
“Try to find a space where you have a door you can close,” Kwong said. Patients may not be able to be alone because of caregivers or children, but “the provider has a higher level of obligation” to ensure privacy, she said.
Regarding data theft, health insurance and payment information are particularly ripe for identity theft, said Linda Malek, a partner and chair of the healthcare, data privacy and cybersecurity practices at the Moses & Singer law firm in New York.
Given the dangers in cybercommunication, the federal government “is trying to balance the need for more avenues of remote access with those risks of hacking,” she told Digital Privacy News.
Still, the most common tactics scammers use are breaking into a video-conferencing platform’s encryption or running phishing schemes that target physicians and patients, Siciliano said.
“Beyond the encryption, the easiest way to get into the account is by phishing the health professional,” he said. “You think it’s coming from Zoom, and Zoom is asking you to reset your password.
“But it’s not Zoom,” the analyst continued. “It’s a hacker that wants to get your credentials.”
Onus on Patients, Too
Overall, however, not all the responsibility for privacy and security falls on medical professionals, Siciliano told Digital Privacy News.
“The patient also has to engage in basic cybersecurity hygiene,” he explained. “What this means is, to begin with — whatever device they’re using, whether it’s a laptop, desktop or mobile phone — they have to password-protect it.
“It’s not enough to have the device. You have to protect it,” he said. “If the device is lost or stolen, then anybody can get access to your information.
“A seat belt is annoying, but we know it saves lives,” Siciliano added. “So, putting a password on your device is annoying, but we know it protects your data on your device.”
With a secure physician-to-patient telemedicine platform, Bovelle visits her patients safely and efficiently from her home or ophthalmology practice.
“Patients appreciate that I am available — and they can actually see me and show me what concerns them,” she told Digital Privacy News. “The mere fact that we physicians remain accessible lets them know how much we care.”
Susan Kreimer is a healthcare journalist in New York.