Covid, telemedicine, and risk management transfer

The Covid-19 pandemic has furthered large-scale changes in the behaviour of the American population. Unsurprisingly, one of the most visible resultant changes has been in the sudden growth in telehealth services. The use of telecommunications and Internet–based systems to connect patients to physicians, or medical professionals to medical professionals, experienced a meteoric surge in growth in 2020. 

One study, made by the major healthcare information technology company Epic Systems, found that telemedicine visits increased 300-fold year-to-year in the first month following the announcement relative to 2019. A similar study made by the Department of Health and Human Services (HHS) found a 350-fold increase from February 2020 to May 2020 for Medicare primary care telehealth visits. 

Changes in federal regulation made this extremely rapid growth in telehealth and telemedicine possible. Medicare restrictions that only compensated the use of telemedicine in selected rural locations were lifted, allowing patients to use telecommunications technology at any location (including the home) for medical services that previously had been required to take place in person, with private payers following suit. 

The full requirement for an established relationship between the patient and physician was also waived. Because of its socially distanced nature, telehealth has been a lightning rod for established methods of billing fraud, predating the advent of the Covid-19 pandemic. For example, the charges brought against more than 86 defendants by the Department of Justice at the end of September 2020, involving more than $4.5 billion in allegedly fraudulent claims, are characterised by a lack of direct patient interaction or established patient-physician relationships. There has also been an escalation of cyber-specific threats using the growth in telehealth as an opportunity to gain access to sensitive data. Despite the clear challenges, telehealth efforts should be commended and enhanced to reduce long-term healthcare costs and improve access to medical professionals.

From the standpoint of cyber security, the most important waiver has been the discretionary notice made by the Office of Civil Rights (OCR) at HHS that allows certain HIPAA-noncompliant telecommunications applications to be used in the good faith provision of healthcare services during the pandemic. HIPAA, otherwise known as the Health Insurance Portability and Accountability Act of 1996, is the legislative guarantor of patient privacy in the United States, protecting not only the personally identifiable information stored in medical records, but the specific details of the health and medical history of private individuals. 

HIPAA’s actual cyber bonafides are mixed at best and OCR would do well to enforce higher degrees of preparedness and investment against the NIST Cyber Security Framework which is being adopted more broadly and where more expertise exists. Regulators should also be mindful that frameworks and compliance standards do not result in security - mature programs, practices and resourcing do. 

The OCR’s notice allowed healthcare providers to use video chat applications to provide telemedicine services without fear of penalty, specifically naming (without endorsing) Apple FaceTime, Facebook Messenger, Google Hangouts, Skype, and Zoom, while deprecating the use of Facebook Live, TikTok, Twitch, and similar public-facing applications. These applications are distinct from the HIPAA-compliant patient-facing video communication platforms previously developed and approved for telemedicine use.

The patient-physician relationship is the highest-profile interaction in telemedicine, and the one with the largest measured growth. However, this aspect of telehealth is supported by a pyramid of other interactions which have also been affected by the pandemic, mandating work-from-home and offsite access, including the administrative and laboratory functions of the hospital, the clinic, and the physician’s office. It has also affected the spectrum of healthcare business associates, including claims processing and pharmacy benefits management, which may require access to protected healthcare information, as well as conventional healthcare financial and business operations. This entire supply chain should be in-focus for regulators and for operational healthcare executives. 

The swift adoption and high-volume expansion of third-party telemedicine applications has been crucial in meeting the healthcare needs of patients during the pandemic. However, the widespread adoption of telemedicine has also meaningfully expanded the potential attack surfaces for cyber intrusions. For example, the expansion and intensification of these services have been accompanied by an expansion of new and unfamiliar users of these services among patients, healthcare professionals, and healthcare business associates. Established patterns of user behaviour and even IT staff practices will necessarily change in this environment due to the influx of these new and occasional users. 

Many healthcare organisations do not have mature third party risk management practices or sufficient visibility into their networks. Many more still have widespread use of legacy authentication protocols and lag behind their financial services equivalents in IT modernisation. In this environment, ensuring observability and critical controls are in place is a core business leader responsibility - not just an IT team task. Risk-based security programs require more than buying a laundry list of vendor products tagged against a clumsy risk register. Guiding scenarios for management should be put in place and guide discussions around programs, practices and supporting technology requirements. 

The expansion of telehealth functions under pandemic conditions is therefore a lasting shift in the cyber environment, one which provides attackers a greater opportunity to infiltrate and exploit core health and telehealth systems alike. Like all sudden shifts in the environment, however, awareness will be key to an equally agile and adaptive solution. 

Establishing the ground truth about health networks with sufficient visibility and capturing enough data to allow for adequate response and forensic analysis of possible cyber intrusion with speed and accuracy is essential to the proper management of this increased risk. Healthcare professionals have experience dealing with many other risk management challenges in their existing delivery of care to patients; often this experience is relevant to cyber risk management. Although the volume of telehealth and telemedicine services may change with the intensity of the pandemic and the needs of patients, healthcare organizations and their business associates will need to adjust to a new normal - technology is increasingly a core dependency. Our healthcare risks are inextricably linked to information technology, and it’s time to act accordingly.