By Heather Annolino, senior director healthcare practice, Ventiv.
As hospitals work vigorously to address the health care needs of their patient populations during the COVID-19 pandemic, they are unintentionally leaving themselves and their patients exposed to cybersecurity risks.
Measures implemented to protect workers and patients, including expanded use of telehealth and telemedicine, remote work and bringing new equipment such as ventilators online can leave data exposed, and institutions vulnerable to hackers and scammers. These cyberattacks can affect supply chains and the ability to leverage healthcare data from the COVID-19 pandemic for use in the future for other crises.
In March 2020, the Office for Civil Rights announced it would not enforce penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with privacy regulations. This measure rapidly expanded the use of telehealth and telemedicine over the past several weeks, allowing providers to utilize videoconferencing platforms, including WebEx, Zoom and Skype.
The use of telemedicine improves patient access and assists with alleviating the additional burden on healthcare systems by limiting in-person care during the COVID-19 pandemic. If any incidents do occur, they should be entered into the facility’s health care risk management/patient safety software system. This technology is designed to help healthcare organizations see all of their data in one place, making it easier to learn from the incidents through analysis. While doing that now might be difficult, it is essential to capture this data to improve preparation for the next disaster and prevent patient harm.
Although telemedicine presents a lower risk from a risk management perspective, it is still important to provide consistent processes and protections to mitigate potential threats. During these uncertain times, telemedicine is the best option for providers to continue treating select segments of their patient population, as well as triage potential COVID-19 cases. Whether health care organizations are looking to expand (or even begin) the use of telemedicine capabilities, it is crucial to outline best practices for consent, credentialing, and security and privacy to assist with mitigating potential risks.
Here are a few strategies facilities should consider:
Security and Privacy
Under normal circumstances, healthcare facilities have difficulty bringing key equipment online securely. As facilities are currently working tirelessly to address COVID-19 patients’ needs while continuing to provide care to non-COVID-19 patients, there is a potential increase in security risks as additional medical equipment and medical IoT devices are integrated into the network.
By investing in and deploying cybersecurity procedures and protections, including backup and downtime procedures, healthcare facilities can reduce the risk of potential phishing and ransomware attempts. These measures should include ensuring all practitioners are using communication apps recommended by the U.S. Department of Health & Human Services Office for Civil Rights and secure telephone connections as well.
Institutions must improve or create a framework for managing patient-provided health information. Processes need to address steps telemedicine practitioners must follow to gather and store information for informed consent, including requirements on which forms need to be on file, and procedures to archive and retrieve video/images.
Before obtaining signed consent, physicians should discuss the benefits and risks of telemedicine verbally with patients and ensure they collect the following information:
– Names, locations, credentials and affiliations of the staff involved in the consultation and follow-up
– Description of the procedure or exam
– Potential benefits and risks of the procedure or exam
– Explanation of how care is to be documented and assessed
– All security measures that will be taken
– Technology issues that may arise and contingency plans
Several states have defined standards of care for telemedicine during the pandemic, so it is essential for the facility associated with the telemedicine practitioner to comply with the Medicare Conditions of Participation credentialing standards, as well as any national, state and local regulations. This includes rules about the physician-patient relationship, proper patient identity, electronic prescribing and in-person follow-up regulations. Additionally, organizations may need to modify any existing telemedicine agreements as needed.
There is no question that the spike in telehealth and remote work brought on by COVID-19 has significantly expanded the cybersecurity risk for healthcare organizations. By following the privacy and security recommendations above, organizations can stay prepared during the pandemic.