As hospices begin to offer a wider range of services via telehealth during the COVID-19 pandemic, they may need to get smarter when it comes to cybersecurity.
Hospices often rely on popular videoconferencing platforms to conduct telehealth visits with patients, including Zoom, Skype and other systems. According to a blog post on Zoom’s website, the number of individuals who use the platform ballooned to 200 million in March, up from 10 million in December 2019. However, security concerns are starting to arise about the use of these systems, to the extent that the New York state attorney general’s office began to look into Zoom’s privacy practices.
These privacy concerns are critical for hospices to understand in order to prevent data breaches that could cause financial harm, reputational damage or exposure of information protected by the Health Insurance Portability and Accountability Act (HIPAA).
“If a doctor and a patient are having a very sensitive discussion about a health condition, a bad actor could first potentially discover who they are. They could understand which person is the doctor and which is the patient; they could hear information about a chronic illness or ailment, whatever that is,” said Heather Federman, vice president of privacy & policy at BigID. “That could potentially create medical fraud on the one hand, which could have a financial impact, but then there’s also the potential to gather the patient or doctor’s location, which could lead to physical harm. Even a reputational impact to the hospice is a big concern.”
The U.S. Centers for Medicare & Medicaid Services (CMS) in recent weeks has announced a series of new flexibilities that allow hospices to perform more functions via telehealth than were previously allowed. The recent $2.2 trillion CARES Act stimulus package, designed to help the economy and essential industries weather the impact of the pandemic, also contains provisions related to hospice telehealth, including permitting practitioners to recertify patients via telemedicine appointments rather than face-to-face encounters.
Health care organizations, hospices included, continue to be prime targets for hackers and other cybercriminals, leading to data breaches that disclose protected health information and cause potentially huge financial losses. Despite the risks, most health care providers do not have adequate protections in place, according to a report by cybersecurity watchdog Kaspersky.
Hospices are information rich. Even during in-home visits, nurses and staff arrive in patient homes with laptops, cell phones and tablets, all of which could contain sensitive information. Hospices are also increasingly investing in telehealth systems and emerging technologies such as virtual reality.
The average cost of health care cybersecurity incidents is as much as $408 per patient, plus an average of $1.75 million in advertising to counteract the resulting damage to providers’ reputations, Kaspersky reported.
“The challenge also with some of these platforms is that they weren’t always keeping privacy and security in mind when they were originally created, so the default settings might not always be designed to make sure these conversations are private or secure,” Federman told Hospice News. “For any health care organization, the provider should really take a moment to look through the settings and see how they can make this more secure. Can we enable a password for this? Can we block the meeting to make sure no one gets in? If I were at an organization or hospice, I would want to make sure that I was protecting any sort of firewall or VPN that encrypts my communication. For staff, you might not be able to do a full-fledged security training, but they at least need to have awareness.”