Are your virtual doctor visits private and secure? Here’s what to know about, and how to prepare for, connecting with a doctor from the comfort of your home.
Telehealth services were one of the tech success stories of the COVID-19 pandemic. Just as cloud-based services helped suddenly locked-down workers to stay productive, telemedicine consultations ensured doctors could still provide essential healthcare and advice without endangering their patients or staff. In fact, telehealth consultations accounted for a quarter of all medical interactions in the US in the first four months of the pandemic, up from just 1% the previous year.
But now that the practice has been normalized and we become ever more entrenched in our hybrid lives, additional security and privacy concerns are emerging. Are telehealth services safe to use? Is patient data being adequately protected? Could such data be sold to third parties or stolen by hackers and even auctioned off on the dark web? As telemedicine becomes more widespread, you might like to take a closer interest in these potential risks.
What is telehealth?
Telehealth or telemedicine refers to any service which allows a healthcare professional to provide care for their patients remotely. For most people this means an online video consultation or phone chat. A huge variety of new apps have sprung up to serve this fast-growing market, including Doctor Care Anywhere, Babylon Health and MDBox.
Additionally, instant messages, emails and file exchange services may be used to transfer important patient information and prescriptions. Telehealth also extends to remote monitoring of patients via connected devices like glucometers, blood pressure cuffs and activity trackers.
According to the US Department of Health and Human Services, telehealth providers could deliver services such as the following, where in-person exams or testing aren’t required:
- Lab test/X-ray results
- Mental health treatment, including online therapy
- Recurring conditions like migraines or urinary tract infections
- Skin conditions
- Prescription management
- Urgent care issues like colds and coughs
- Post-surgical follow-ups
- Treatment for neurological disorders such as attention deficit disorder (ADD)
- Physical and occupational therapy
- Remote monitoring to track health goals
What are the main telehealth security and privacy risks?
However, where there is sensitive data to steal or purchase, cybercriminals and shady third parties will not be too far behind. Patient data is particularly lucrative on underground forums as it includes personal and financial information which can be monetized in identity and insurance fraud or to illegally obtain prescriptions. It may also feature potentially embarrassing medical information which could even be used as leverage in extortion attempts.
There are multiple potential areas of risk, from the applications themselves and their developers, to patients’ and doctors’ own devices. Here are a few to consider:
- Data collection: According to UK non-profit Privacy International: “The challenge of telehealth applications is also the driving purpose behind their existence: to collect health data from individuals.” It adds that some telehealth apps “collect and store vastly more data” than traditional healthcare providers. This puts the data at risk of being sold to third parties (although this is strictly regulated by the GDPR in Europe) or stolen/leaked if the app provider suffers a security incident. In 2020, a data leak at Babylon Health led to videos of private consultations being sent to other patients.
- Software vulnerabilities: Telehealth software may contain security bugs that can be exploited by hackers to grab patient information and perpetrate fraud.
- Web application credential compromise: If people use weak or easy-to-guess logins there is a risk that hackers could hijack their account and harvest sensitive medical, financial and prescription information. Password reuse is also a major threat: if you use the same password for your telehealth app as other sites and apps, then if they’re breached, the same credentials could be used by hackers to unlock your telehealth app.
- Malicious (fake) telehealth apps: Another classic hacker technique for compromising user data is to plant legitimate-looking apps booby-trapped with malware on app marketplaces and wait for unwitting users to download them. They could use this malware to harvest personal and financial data from the phone.
- Connected device risks: Just as telehealth apps collect vast amounts of data, so too can connected devices like health monitors. Some indicate user location and activities, for example, and this data may be stored by both the healthcare provider and the device or app manufacturer – multiplying the risk of leaks, breaches and onward sale to shady third parties. Many of us may fail to read the small print in privacy policies that allow for the latter, although the GDPR should protect EU and UK consumers from excessive data sharing. HIPAA in the US ensures only medically necessary data is collected and regulates who can access it. But not all firms play by the rules.
- Patient PCs and smartphones: We should also be aware that the PCs or devices we use to access telehealth services may be at risk of snooping or hijacking. If a hacker managed to remotely access your computer or another device they would have access to your telehealth logins and information. The same is true of medical professionals’ devices.
- Chat platform privacy risks: Alongside dedicated applications, commercial video conferencing platforms like Skype and Zoom are also often used for telehealth. In fact, HIPAA regulations were relaxed during the pandemic to allow this. However, their use could raise the risk of patient data being sold to third parties.
What you can do
A few best practice steps can help you to mitigate many of the concerns listed above. Consider the following:
- Protect your PC/device with security software by a reputable vendor
- Always use strong and unique passwords
- Add an extra layer of security to passwords by switching on multi-factor authentication, where available
- Always keep telehealth and chat apps on the latest version
- Ask your provider how your personal and health information is processed and secured
- Ensure any commercial chat apps used for telehealth are encrypted end-to-end
- Never log in from a public Wi-Fi hotspot or a shared PC/device
- Don’t set up a telehealth appointment or share information with a provider you don’t know, or contact details you don’t recognize
As healthcare providers struggle to clear COVID-19 backlogs and serve an ageing population, telehealth will only grow in popularity. Making sure your data is secure and your privacy assured is a vital first step towards making the most of a technology that’s increasingly important to our health and wellbeing.
by Phil Muncaster, ESET