Question
What are potential security vulnerabilities in telehealth delivery?
Answer
Now I want to talk a little bit about the potential vulnerabilities in telehealth delivery. This is not meant to make you afraid. It is not about fearmongering. It is very much to help you understand where the risks are and how you can help focus and prioritize your mitigations appropriately. There is such a thing as too much security. As a security person, I am hesitant to say that. I want you to know how to lower your risks appropriately and make good decisions. Most of us understand and appreciate that hackers and computer attackers go after computers.
That is not a surprise at all. That is where the data is. There is an old quote about a bank robber. Somebody asked him, "Why do you rob banks?" The bank robber said, "Because that is where the money is." Attackers go after computers because that is where the valuable data is. They are not always trying to get you, they are not always targeting you, and they might not even be targeting health care. You might just become a victim because they are broadly spraying across the internet and you happen to get caught in that. We all get bad emails. That is not because we are specifically targeted. The attackers are trying to get anybody they can. What we most often think about with computer hackers is the idea of remote exploitation.
Somebody sitting across the planet, in their basement, trying to attack our computer over the internet. I will be honest. That is very unlikely. Today's technology makes that a very difficult task for the attacker. By its very nature, your computer is defended against that kind of remote exploitation. Even home routers have good firewalls, and the operating systems on our computers are quite robust against remote exploitation. That is not the primary way hackers get onto our computers. What is much, much more common, much more likely, is this umbrella we call social engineering. Phishing emails fall under this. It is anytime that the attacker is trying to exploit our human weaknesses.
They send an email that appeals to our sense of urgency. They might say, "Your bank account has been closed. Please click this button to make sure that all your money is safely transferred." It is our sense of fear. It is our human sense of trying to be helpful. All of those are because we are helping busy people, and we do things accidentally that can cause our computers to become infected. Malicious emails, malicious attachments like Word documents, or visiting websites that compromise our computer happen a lot every day to a lot of people, even by accident. They do not know if they are doing anything wrong. You can do a lot about that by making careful, slower decisions.
If you are very busy, that might not be a good time to check your email because the attackers are counting on that busyness to help trick you into doing something. Now, of course, the attackers are not just sending you emails. They are also sending them to everybody on the internet, including your patient. We generally have little or no control over the security of those personal devices. If our patients open every attachment, their computer is very infected, threatening telehealth. That is a bit outside of your control. When patients sign up for telehealth, you can tell them about the risks. I strongly encourage you to get the patient's consent to do telehealth.
That document can say there are risks to this. The risks are A, B, and C. If you consent as a patient, please sign this document saying that you understand and you agree to do it anyway. At least that covers you a little bit to say, well, I told the patient, here were the risks, and they accepted anyway. If the patient has an infected computer, that infected computer could listen to your conversation with the patient because it is out of your control. Then, of course, all the computers on the internet also get the same kinds of attacks that your patient gets. We again have very little control over that.
The BAA, the business associate agreement, is one way to lower your risk in at least the services that you sign up for and pay for. If your email provider says, "Yes, I will sign the BAA. I will protect your email," for instance, that is your sort of insurance, in a sense. Even if something goes wrong, they are liable to protect the information. Again, lots of opportunities for those attackers. Some things are in our control, and some things are not.
This Ask the Expert is an edited excerpt from the course, Cybersecurity for Telehealth, presented by Josiah Dykstra, Ph.D.