Telehealth applications have played a significant role during the pandemic, providing ways for healthcare providers to care for patients at home. But they have also raised a new round of privacy concerns.
Recently, federal regulators have relaxed restrictions not just on how healthcare organizations can use telehealth applications -- but on what telehealth applications they can use. Consumer video technologies like FaceTime and Skype are fair game, at least for the moment, as are HIPAA-compliant products from startups that may be pushing out new features without a thorough testing of their security and privacy implications.
A recent exposure of recorded patient consultations by Babylon Health UK, a London-based telehealth services provider, underscores the need for healthcare systems to exercise caution when using telehealth applications and to ask the right questions to make sure a platform is secure and able to protect patient data.
"These days, privacy and security have to be top of mind," said Kate Borten, a HIPAA and healthcare privacy and security expert. "Especially with any kind of online app [that] deals with confidential, personally identifiable information."
Federal regulators have loosened restrictions on using telehealth platforms in provider practices during the pandemic, even removing obstacles for commercial technologies like Skype and FaceTime. In a U.S. Senate Committee on Health, Education, Labor and Pensions (HELP) hearing last week, committee members discussed the benefits and drawbacks of making telehealth regulation changes permanent.
Committee chairman Sen. Lamar Alexander said some changes are a no-brainer, such as the removal of originating site requirements, which restricted reimbursed telehealth to connecting patients at smaller, rural healthcare organizations with the specialists and other resources at larger organizations.
Other changes, however, are not so cut and dried. Federal regulators have relaxed HIPAA enforcement during the pandemic, allowing tools to be used by healthcare organizations that otherwise wouldn't be due to HIPAA restrictions. Alexander said extending those privileges should be "considered carefully."
"There are privacy and security concerns about the use of personal medical information by technology platform companies, as well as concerns about criminals hacking into those platforms," he said during the hearing.
Indeed, Babylon Health, which partners with healthcare organizations to provide telehealth services through an app, announced that it had suffered a data breach earlier this month. After the launch of a new feature that allows patients to switch from an audio to a video visit during a call, some users were given access to other patients' consultation recordings. Babylon Health has not disclosed the exact cause of the software error, saying in a news release that it is investigating what went wrong and has disabled patient access to consultation recordings in the meantime.
This incident demonstrates why healthcare systems, CIOs and CISOs need to be vigilant about patient privacy, particularly with applications that handle sensitive patient information, Borten said. Telehealth may be here to stay, but the loosened HIPAA enforcement discretion likely won't be, because the purpose of HIPAA is to protect patients and healthcare organizations.
She said it's important that CIOs ask the right questions of any third-party vendor they're working with to determine what privacy and security measures it has in place. That includes HIPAA business associates, the third-party organizations that provide services involving the use of protected health information covered by HIPAA in the U.S.
Organizations under HIPAA regulation should look closely at vendors developing apps that can access patient data and ask for details about how the vendor is coding and testing apps for security and privacy, Borten said. She recommended asking if vendors adhere to coding standards from reputable organizations such as the Open Web Application Security Project (OWASP), a nonprofit organization that works to improve software security.
"It raises the question of, in this country, when a healthcare organization uses another party as a HIPAA business associate to provide the actual app for telehealth, how closely are we looking at that vendor and their awareness and knowledge of good security practices in terms of software development, coding and testing," she said. "I think we should be asking some very tough questions and keeping our business associates really on their toes."
Vetting telehealth services
Healthcare systems that rely on established HIPAA business associates and healthcare vendors for telehealth services can reasonably expect those vendors to have good security and privacy practices in place, Borten said. But for systems looking to adopt new apps or startups, it's important to conduct due diligence, particularly for telehealth tools that are permitted only because of the relaxed regulations, she said.
Borten said CIOs should ask questions such as: What are the vendor's software coding practices? Are the company's software developers trained in secure code development? What coding standards does the company follow for security? What level of security testing does the company perform?
"I think anyone covered by HIPAA needs to look very closely at whoever is developing these apps and do their best to ask tough questions about the details for how they're coding and testing these apps for security and privacy," she said.
David Finn, executive vice president of strategic innovation at healthcare cybersecurity firm CynergisTek, said vetting the telehealth applications is not enough. Healthcare systems also need to craft policies on telehealth visits and train clinicians about the proper use of a telehealth app, as well as privacy and security settings.
Finn said when opting for a new telehealth application, it's important for healthcare systems to consider whether that vendor has had experience in healthcare.
"Organizations need to deploy software and hardware solutions that can be compliant with HIPAA," Finn said. "There's no such thing as a HIPAA-compliant solution because it depends on how you set it up and use it. But they need to make sure they can configure their software and hardware so it's HIPAA-compliant. They need to check all the settings, particularly the security and privacy settings."