Commercial video conferencing tools are risky for healthcare
Healthcare providers are allowed to use some commercial video conferencing tools during the pandemic, but analysts say they should choose their tools carefully.
Providers have been granted more freedom to treat patients remotely during the coronavirus pandemic, including the use of commercial video conferencing tools such as FaceTime, Skype and Zoom. But analysts warn those tools were never meant for patient-provider communication and could pose security and privacy risks to organizations.
Last month, the Office for Civil Rights (OCR) at the U.S. Health and Human Services Department (HHS) decided to waive HIPAA penalties for using commonly available video conferencing tools to treat patients remotely. The decision is proving to be a double-edged sword, according to David Holtzman, executive advisor for healthcare cybersecurity firm CynergisTek Inc. It provides healthcare organizations with more tools to treat patients at home, but the tools may not adhere to the same data protection and information security safeguards as HIPAA-compliant platforms.
"I want to be clear; I think this is a perfectly reasonable and acceptable course of action that HHS has taken," he said. "At the same token, I lament the fact that the tools and technologies that we are permitting ourselves to use apparently do not have privacy and security controls and … are extremely susceptible and prone to unauthorized access and hacking or are just largely insecure. The marketplace in which these technologies operate is largely unregulated. There are no rules; it's the wild, Wild West."
Holtzman said it's critical that healthcare organizations understand the risks associated with non-traditional telehealth tools, the use of which is likely only temporary. He recommended that healthcare CIOs and CISOs make it a point to designate what video conferencing tools are acceptable and educate providers on how to use the tools safely and securely.
Concerns with commercial video conferencing tools
Holtzman said one of his main concerns with consumer-grade video conferencing tools is that many vendors are not transparent about the security measures built into the technologies to protect personal information. Nor do they have to be transparent.
"These technologies were never intended for use as the medium to exchange the most personal information between a healthcare provider and a patient," he said.
The marketplace in which these technologies operate is largely unregulated. There are no rules; it's the wild, Wild West.
David HoltzmanExecutive advisor, CynergisTek
During the pandemic, security and privacy issues have plagued Zoom, a video conferencing tool founded in 2011 that offers a basic service for free. But Alla Valente, a Forrester Research analyst covering security and risk, said while the issues with Zoom are easily visible in headlines today, she also has similar concerns about other commercial video conferencing tools.
Although Apple encrypts its products, if healthcare providers are using its videotelephony service FaceTime to interact with patients, Valente said that likely means they're using personal devices and not HIPAA-compliant laptops. Even the consumer-grade version of Microsoft's Skype platform stores some video calls on its servers for up to 30 days as outlined in the privacy and terms of use agreement, Valente said.
OCR did not address these security concerns in its HIPAA penalties waiver, nor did the federal agency provide best practices on how to secure these commercial-grade video conferencing tools for provider use.
Demand for telehealth services is growing substantially as patients seek care from home during the coronavirus outbreak.
"Where the [HIPAA penalties] waiver really fell short is that … they didn't go that next step to say, 'OK, if you use these, these are the security settings you need to make sure you're enabling on the physician's end, but then also on the patient end,'" she said. "There are privacy notifications, personal settings, what can be stored, what can be accessed -- all of those granular details the waiver didn't even touch upon."
In an FAQ about its decision to allow the use of commercial video conferencing tools, OCR did address security to a degree, saying many commonly available remote electronic communication products include security features that can protect electronic personal health information. The OCR said video tools as well as messaging tools like Facebook Messenger, WhatsApp, Google Hangouts and Apple's iMessage tend to feature end-to-end encryption, which means messages between the sender and receiver are private and cannot be altered by a third party.
Yet Zoom is facing class-action lawsuits that claim the online meetings provider overstated its end-to-end encryption capabilities on its consumer-grade platform. Facebook, which owns Facebook Messenger and WhatsApp, is another company that's had its fair share of privacy and security concerns.
Zoom does provide a HIPAA-compliant video teleconferencing platform, but patients and even providers could have a hard time distinguishing between a vendor's consumer-grade products and its premier, more secure offerings like Zoom's healthcare product. Valente said that's why healthcare CIOs and CISOs should be involved when it comes to deciding what video conferencing tools to use.
"I don't think that people really understand the difference between, let's say, regular Skype and Skype for Business," Valente said. "These commercial applications often have a premier offering and then a free or lower-priced offering and they don't offer the same benefits. But [healthcare organizations] need to be really careful even if they think they're using something that is at a premier level and understand what are the security settings that have been enabled for that use."
Opening Pandora's box
Valente said not only do healthcare CIOs and CISOs need to think about the short-term risks associated with using commercial video technology tools, but the long-term implications as well.
When the COVID-19 crisis is over and the HIPAA waiver is rescinded, healthcare organizations will have to revert to more traditional security requirements for telehealth services, which could be a rude awakening for organizations that allowed the use of commercial video technology tools that are not HIPAA-compliant, Valente said.
She argues that using commercial-grade tools now could create compliance issues down the road, as providers and patients get used to accessing care in the same way they interact with friends and family.
"You're opening up Pandora's box," she said. "So think about what do you need to put in place now to make sure that when the waiver is lifted, you're operating back at the same standards you once had."
Although privacy and security are the main concerns, Forrester Research analyst Arielle Trzcinski said CIOs should also prepare for an interoperability struggle. Commercial video conferencing tools may be convenient, but they could create a headache for providers when the tools can't integrate with the EHR the same way a traditional telehealth platform can.
"As we think about further fragmenting the patient journey by using things that are not integrated with the EHR, things like FaceTime or Facebook Messenger, that creates even more of an administrative burden for the clinician that now has to document all of that information in a separate system," she said.
Valente said CIOs should look to HIPAA-compliant telehealth platforms such as Amwell, Bright.MD, Teladoc Health Inc. and Doctor On Demand.
Dig Deeper on Federal healthcare regulations and compliance
