Expanding Telehealth: The Privacy, Security Issues
Trump Issues Executive Order to Extend Telemedicine Beyond COVID-19 Crisis
An executive order President Donald Trump signed Monday that's designed as a first step toward potential long-term expansion of the use of telehealth could prompt renewed attention to related privacy and security issues.
Telehealth technology vendors must mitigate potential cybersecurity risks of their platforms, healthcare entities must safeguard the privacy of patient encounters and regulators must provide oversight of the integrity of telemedicine programs, security experts say.
Executive Order Provisions
Among other provisions, the executive order instructs the Department of Health and Human Services to review certain temporary telehealth measures that were put in place during the COVID-19 crisis and propose regulations - including "innovative payment models" - to extend those measures.
For example, the president instructs HHS to continue to offer Medicare beneficiaries coverage for additional telehealth services and to look for ways to increase access to healthcare in rural communities, including "high-quality care through telehealth."
Trump's order also calls upon HHS and the Department of Agriculture to work in coordination with the Federal Communications Commission "and other executive departments and agencies, as appropriate, to develop and implement a strategy to improve rural health by improving the physical and communications healthcare infrastructure available to rural Americans."
The use of telehealth services has surged during the pandemic. "Internal analysis by the Centers for Medicare and Medicaid Services showed a weekly jump in virtual visits for CMS beneficiaries, from approximately 14,000 pre-public health emergency to almost 1.7 million in the last week of April," the order notes.
While Trump's executive order calls for extending telehealth services for Medicare beneficiaries beyond the public health emergency, more permanent telehealth expansion by CMS for beneficiaries outside of rural communities would require legislative action by Congress.
Spotlight on Privacy, Security
As the use of telehealth expands in the U.S., a number of privacy and security concerns need to be front and center, some experts contend.
"Patient privacy, and the protection of patient data, are a prerequisite for connected care," says Ann Mond Johnson, CEO of the industry group American Telemedicine Association, in a statement provided to Information Security Media Group.
"State and federal regulatory schemes should allow for innovation and support the advancement of technology-assisted care. However, telehealth and virtual care platforms, systems and devices should be required to mitigate cybersecurity risks and provide for patient safety and confidentiality."
Public and private payers and healthcare providers must ensure "guardrails" are in place to protect patients and ensure program integrity of virtual care programs, she adds. "Federal and state policies should leverage technology to optimize program integrity measures and prevent fraud and abuse without providers being required to see patients in person."
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, says the expansion of telehealth services will help improve the quality and availability of patient care. But H-ISAC is working with its member organizations to ensure those services can be delivered securely while maintaining patient privacy, he adds.
"It's important to remember that securing the transmission of telehealth sessions is just one small part of securing patient data. The data at rest also needs to be stored securely," he notes.
"More practically, as we've seen during the pandemic response, the health delivery provider - a physician, for example - and the patients' home networks present additional security and privacy concerns."
Other privacy and security concerns related to telehealth include how healthcare providers store, access and manage sensitive patient information, Weiss notes.
Providers need to take steps to reduce the risk of data breaches, including implementing encryption of data at rest, offering end user training, automating compliance enforcement and utilizing insider threat monitoring.
Healthcare entities also need to consider deploying "better - high assurance - identity and access management to ensure the patient is who they say they are," Weiss adds.
Andrew Tomlinson, director of federal affairs at the College of Healthcare Information Management Executives, notes that as part of flexibilities enacted under the COVID-19 public health emergency, HHS' Office for Civil Rights relaxed rules around technologies that can be used to provide telehealth services (see: COVID-19: HHS Issues Limited HIPAA Waivers).
This included allowing telehealth to be provided "through mediums such as Apple's FaceTime and non-HIPAA certified technology," he notes.
"While there is a convenience factor that comes with these tools, there is also a privacy and security risk, too," Tomlinson says. "We do not anticipate these flexibilities to be made permanent, and providers need to be prepared to have HIPAA-certified communications technology in place for the long-term as telehealth continues to expand. This means also educating patients on how to use these technologies and also ensuring providers are able to utilize the technology as well."
In a joint statement, the Healthcare Information and Management Systems Society and the Personal Connected Health Alliance, a HIMSS unit, say they "strongly support the notion that telehealth services should be extended beyond the public health emergency, particularly in rural communities."
But, they continue, "we are concerned that the lack of reliable and affordable broadband has continued to prevent many patients and providers from utilizing telehealth, as has lack of access to technologies that can support live voice-video communications or provide real-time or regular tracking of a patient's physiological data. We expect the administration's actions will address some of these concerns."
Rural communities across the nation are routinely left behind when it comes to advancements in telehealth due to the lack of reliable broadband service, Tomlinson of CHIME notes.
"Access to stable broadband connections for not only providers, but also patients, is crucial to ensuring telehealth is accessible," he says.
"We may still be years away from having ubiquitous 5G networks available to patients and providers, but it is a technology many are looking at as one that can solve internet connectivity issues across the board in both rural and urban areas."
In the meantime, organizations offering telehealth services should take steps to ensure timely patching and updates of systems, Tomlinson says.
"There will always be new threats developing and often times emerging technologies are targeted by malicious actors," he notes.
"Similarly with privacy, it is crucial healthcare entities are aware of all the privacy and consent requirements that come with providing telehealth in non-emergency times, as many of those requirements are different from the ones currently being enforced during the public health emergency."