• Home
  • >
  • Blog
  • >
  • Telehealth, HIPAA, and Cybersecurity

December 28, 2018

Telehealth, HIPAA, and Cybersecurity

Written by: Compliance blogger

More...

Posted 12/28/2018

Updated 10/2020



Not being compliant with healthcare rules and regulations can make your organization vulnerable. Without an effective compliance program whose policies and procedures are followed by employees, your organization is at serious risk for a HIPAA breach or fraud. If either of these issues occur, government agencies will step in to investigate the situation and enforce compliance.


Resulting Harm from Health Data Breaches and Fraud Schemes

In 2018 one of the larger government settlements occurred related to a  U.S. health data breach in history: Anthem, Inc. When the Office for Civil Rights (OCR) investigated Anthem’s breach report, they found that the electronic protected health information (ePHI) of almost 79 million people had been stolen. To put the scale of this breach into perspective, that number is equivalent to approximately 24% of the U.S. population!


In the end, Anthem agreed to pay a record $16 million to the OCR and undertake substantial corrective action to settle potential HIPAA violations. One thing that stands out from this recent settlement is that the HIPAA breach itself was not the only reason for Anthem’s monumental settlement with the OCR. Another glaring problem was the fact that their compliance program had not adequately identified risks, monitored their information systems, implemented access controls, or responded to security issues.


Earlier this year, the Federal Bureau of Investigation (FBI) and the Office of the Inspector General (OIG) investigated one of the largest healthcare fraud schemes to date. Medical professionals had worked with fraudulent telemedicine companies to prescribe medically unnecessary back, shoulder, wrist, and knee braces to Medicare beneficiaries that they often never even met. These providers would then refer their patients to durable medical equipment companies in exchange for illegal kickbacks and bribes.


A total of 24 people, ranging from medical professionals to corporate executives, have been charged for their involvement in this scheme. The Centers for Medicare and Medicaid Services (CMS) Center for Program Integrity has also taken administrative action against 130 durable medical equipment companies that had submitted over $1.7 billion worth of claims.


COVID-19 Pandemic

Due to the pandemic, telehealth is an increasingly important tool for healthcare organizations to provide patients with more accessible and affordable care options. However, in the excitement of developing telehealth programs, organizations should not lose sight of privacy and security regulations that apply to these new services. After all, protected health information (PHI) under HIPAA can include data that is transmitted during the provision of telehealth services.


Download the Frequently Asked Questions on Telehealth and HIPAA During the COVDI-19 nationwide public health emergency published by the Office of Civil Rights (OCR).  This document addresses 11 questions and OCR responses you need to know.


Federal Regulations and Resources

Given the variety of options available with telehealth services, from live or transmitted video to remote patient monitoring and mobile health applications, providers, IT support, and consultants must all have a strong understanding of how various federal rules and regulations apply to telehealth. One of the biggest regulations to consider is, of course, HIPAA. As pointed out in a 2014 State of Wisconsin publication, HIPAA and HITECH both apply to telemedicine providers in a similar manner as how they apply to strictly face-to-face healthcare providers.


Overall, the privacy and security risks associated with telemedicine pose additional considerations for HIPAA compliance due to the technology involved with this type of encounter and the way that electronic protected health information (ePHI) is transmitted and stored.


Various administrative, technical, and physical safeguards must be in place to protect PHI transmitted by both the transmitting and receiving facilities during provided telehealth services. One example of an administrative safeguard would be to conduct appropriate staff security training. This training should include information to ensure that all staff members understand how to protect the privacy and security of ePHI that might be sent during telehealth services. Physical safeguards might include either restrictions placed on ePHI access or off-site computer backups to maintain the physical safety of PHI. Finally, technical safeguards could include tools such as authentication controls and data encryption to make sure that only authorized individuals are able to access ePHI that might be transmitted to the healthcare organization.


A couple of government resources that provide guidance to facilities seeking to implement telemedicine programs include ICN 901705 from the Centers for Medicare & Medicaid Services (CMS) and the and digital health information posted on the Food and Drug Administration (FDA) website. The FDA regulates the medical equipment and software used in telehealth.


The Office of the National Coordinator for Health Information Technology has published Top 10 Tips for Cybersecurity in Health Care located at HealthIT.gov.


This is a summary of the 10 tips which applies to HIPAA compliance and securing systems for telehealth services.

  1. Establish a security culture
    • Security professionals are unanimous: The weakest link in any computer system is the user. One of the most challenging aspects of instilling a security focus among users is overcoming the perception that “it can’t happen to me.” By following a set of prescribed practices and checking them each time, at least some of the errors due to overconfidence can be avoided. To build a security culture:
      • Education and training must be frequent and ongoing.
      • Those who manage and direct the work of others must set a good example and resist the temptation to indulge in exceptionalism.
      •  Accountability and taking responsibility for information security must be among the organization’s core values.
  2. Protect mobile devices
    • Where it is absolutely necessary to commit electronic health information to a mobile device, cybersecurity experts recommend that the data be encrypted. Mobile devices that cannot support encryption should not be used. Encrypted devices are readily obtainable at a modest cost — much less than the cost of mitigating a data breach.
    • Policies specifying the circumstances under which devices may be removed from the facility are very important, and all due care must be taken in developing and enforcing these policies. The primary goal is to protect the patient's information, so considerations of convenience or custom (e.g., working from home) must be considered in that light.
    • Remote workers are more common due to the COVID-19 pandemic.  Those who have responsibility for protecting patient information must recognize that this responsibility does not end at the office door. Good privacy and security practices must always be followed.
  3. Maintain good computer habits
    • Configuration Management is critical for new computers and software packages as well.  Uninstall applications not essential and check with the EHR developer to see if the software is critical to the EHR's function.  Don’t default to standard configurations.  Is there an EHR vendor “back door” installed for support? Is it secure
    • Software Maintenance is important and requires periodic updating to keep it secure and to add features to address newly found vulnerabilities in the product.
    • Operating System Maintenance needs to be performed regularly. Over time, an operational system tends to accumulate outdated information and settings unless regular maintenance is performed. Just as medical supplies have to be monitored for expiration dates, material that is out-of-date on a computer system must be dealt with.
  4. Use a firewall
    • While anti-virus software will help to find and destroy malicious software that has already entered, a firewall's job is to prevent intruders from entering in the first place. In short, the anti-virus can be thought of as infection control while the firewall has the role of disease prevention. A firewall can take the form of a software product or a hardware device. In either case, its job is to inspect all messages coming into the system from the outside (either from the Internet or from a local network) and decide, according to pre-determined criteria, whether the message should be allowed in.
    • Configuring a firewall can be technically complicated,and hardware firewalls should be configured by trained technical personnel.
  5. Install and maintain anti-virus software.
    • Without anti-virus software, data may be stolen, destroyed, or defaced, and attackers could take control of the machine.
    • After implementation of EHRs, it is important to keep anti-virus software up-to-date. Anti-virus products require regular updates from the vendor in order to protect against the newest computer viruses and malware.
    • Most anti-virus software automatically generates reminders about these updates, and many are configurable to allow for automated updating.
  6. Plan for the unexpected.
    • Fire, flood, hurricane, earthquake, and other natural or man-made disasters can strike at any time. Important health care records and other vital assets must be protected against loss from these events. There are two key parts to this practice: creating backups and having a sound recovery plan.
    • A reliable backup is one that can be counted on in an emergency, so it is important not only that all the data be correctly captured, but that it can quickly and accurately be restored. Backup media must be tested regularly for their ability to restore properly.
    • Recovery planning must be done so that when an emergency occurs, there is a clear procedure in place. In a disaster, it is possible that health care practices will be called upon to supply medical records and information rapidly. The practice must be prepared to access their backups and restore functionality, which requires knowledge about what data was backed up, when the backups were done (timeframe and frequency), where the backups are stored, and what types of equipment are needed to restore them. If possible, this information must be placed for safekeeping at a remote location where someone has responsibility for producing it in the event of emergency.
  7. Control access to protected health information 
    • Grant access only to people with a “need to know”.  Having good access
    • controls and knowledge of who has viewed or used information (i.e., access logs) can help to prevent or detect data breaches.
  8. Use strong passwords and change them regularly.
    • Examples of strong password characteristics:
      • At least eight characters in length (the longer the better)
      • A combination of upper case and lower-case letters, one number, and at least one special character, such as a punctuation mark
    • Strong, or multi-factor, authentication combines multiple different authentication methods, resulting in stronger security. In addition to a user name and password, another authentication method is used (e.g., a smartcard, key fob, or fingerprint or iris scan). Under federal regulations permitting e-prescribing of controlled substances, multi-factor authentication must be used.
  9. Limit network access.
    • Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice. Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access.
    • Wireless routing is a quick and easy way to set up broadband capability within a home or office. However, because of the sensitivity of health care information and the fact that it is protected by law, tools that might allow outsiders to gain access to a health care practice’s network must be used with extreme caution.
    • Wireless routers that allow a single incoming Internet line to be used by multiple computers are readily available.
  10. Control physical access.
    • Not only must assets like files and information be secured; the devices themselves that make up an EHR system must also be safe from unauthorized access. The single most common way that electronic health information is compromised is through the loss of devices, whether this happens accidentally or through theft.
    • Incidents reported to the Office for Civil Rights show that more than half of all these data loss cases consist of missing devices, including portable storage media (e.g., thumb or flash drives, CDs, or DVDs), laptops, handhelds, desktop computers, and even hard drives ripped out of machines, lost and stolen backup tapes, and entire network servers.


Telehealth Security

Telehealth services and tools utilize the internet. Therefore, any healthcare organizations that provide telehealth must seriously consider not just security, but also cybersecurity measures.


Due to its very nature, telehealth requires the implementation of technology-based security procedures to protect ePHI. The National Cybersecurity Center of Excellence of the National Institute of Standards and Technology (NIST) is currently developing a project specifically to examine telehealth security measures. This drafted project, titled Securing Telehealth Remote Patient Monitoring Ecosystem, was available for public comment until December 21, 2018. When enacted, the project will provide an example infrastructure for addressing the privacy and security risks experienced by healthcare organizations implementing remote patient monitoring, a type of telehealth program. Some of the security procedures that will be part of this project’s telehealth infrastructure include:

  • Risk assessment and management
  • Data security and information protection
  • Continuous monitoring for unauthorized access, devices, software, et cetera to detect potential cybersecurity issues
  • Contingency plans for recovering from any detected cybersecurity incidents
Telehealth Risk Management

Local state-level guidance is available for many healthcare organizations seeking to identify and manage risks associated with telehealth services. For example, the State of Wisconsin’s 2014 guidance for risk and compliance program for telehealth services included a detailed breakdown of risk management strategies and recommendations for healthcare organizations that provide telehealth services. Some key recommendations for these organizations were:

  • Extend encryption technology to portable devices.
  • Use existing privacy & security measures to safeguard patient data during its transmission for telehealth services.
  • Conduct HIPAA staff training that includes training specific to telemedicine.
  • Review general admissions and other relevant consent documents to ensure that patient authorization and informed consent for telemedicine services are included.
Conclusion

Utilize government information to help secure Telehealth communications and guard against theft and cybercriminals.  Visit The Office of the National Coordinator for Health Information Technology (ONC) website; the  HIPAA Security Guidance Page and the Office for Civil Rights (OCR) website for more information.

Gain additional education through online, on-demand courses in HIPAA, Corporate Compliance and Auditing.  Visit our Certification Store today!


TAGS

Business Associate (BA), CMS, Compliance, Compliance Program, Continuing Education, Corporate Compliance, EHR, Emergency Preparedness, FDA, Health IT, Healthcare Consultants, Healthcare Employees, HIPAA, HIPAA Covered Entities, Medicare and Medicaid, NIST, ONC, Privacy, Providers, Security, Telehealth, Telemedicine, Training
Verified by MonsterInsights