The COVID-19 pandemic has provoked an unprecedented upswing in the use of telehealth technologies. But security experts say that rise presents vulnerabilities – and the crisis is "blood in the water" for cybercriminals. 

"Any time you make a change to an IT environment, you have the potential to increase risk," said Andy Riley, executive director of security strategy at the managed-security-services vendor Nuspire. 

"When you introduce rapid change, that potential goes up rapidly," Riley continued.

A "perfect storm" for cybercriminals

The need for patients and providers to minimize in-person contact has created new vulnerabilities throughout the care-provision process and has spotlighted existing ones, experts say. Reports have already emerged about bad actors, including nation-states, using the virus as a wedge to obtain information. 

"Securing data and devices is a challenge at the best of times," said Raja Bhadury, head of the care-delivery portfolio for healthcare at HP, during a sponsored HIMSS TV interview with Client Content Development Senior Director Patty Enrado.

"And now during this pandemic … when you have clinicians working in these novel ICUs that have been created in parking lots and convention halls, cybersecurity is a huge thing to watch out for," said Bhadury.

Riley, too, noted that health systems have rapidly rolled out technologies to provide broader access to care, sometimes neglecting security in the process.

As one example, he pointed to tools "like iPads and other mobile devices to be able to run a remote-triage tent," for which administrators may not have considered tightening the controls.

Riley noted that medical devices "have long been problematic" in part because of their light operational footprint, which doesn't allow for much security processing-power. This can be especially troubling because of such devices' proximity to patients and links to the cloud. 

He also pointed to the relaxation of firewall rules to accommodate additional remote-work capabilities as a possible danger.

And, of course, existing problems with phishing are only exacerbated by individuals' hunger for knowledge about the pandemic. Recently, Microsoft also warned about the use of ransomware – including using Java Runtime Environment – to target health systems.

"It's hard enough to fend off attackers on a normal day," said Riley. "But when you're expecting emails from government agencies outside the organization, that creates an opportunity for hackers to phish accounts and gain access that way." 

"It's a perfect storm," he continued.

Not too late for change

"There's nothing inherently riskier about telehealth technology," Riley said. "We're still talking about the same products and services under the hood."

"But when you mix this rapid, enhanced adoption [of telehealth] with this enhanced threat … that's where the trouble lies," he continued. 

Beyond potential vulnerabilities in software used to videochat with patients at home, Riley also pointed to the practice of giving COVID-isolated patients in hospitals iPads to communicate with their family members.

"You have no idea what's on the other end of that," he said.

Even if systems rolled out telehealth technology quickly, Riley said, they can and should still work to implement best practices. 

The first task, he said, "is to conduct a third-party risk assessment on any service you're using."

He also suggested having a plan for evaluating any changes – including new software and policy tweaks – that were made since the onset of the coronavirus, and weighing the necessity of those changes now. He noted the advantages of using a managed security provider, which can be easier than standing up technologies independently.

For systems using third-party vendors, he advised looking for warning signs: "Are the vendor security-controls equivalent to what you have, or are they better?"

"I would want to see a pretty holistic security program with policies and standards," he said, including practices around back-end storage to prevent the accidental disclosure of data or unauthorized access.

"Any kind of outdated software that's in use in delivery of service could be a problem," he said. 

He also advised specifically examining or implementing policies around video recordings of sessions between patients and providers.

"Any notoriety around that patient could be extremely valuable to someone trying to extort money," he pointed out. 

When it comes to shoring up security, he said, "It's not too late to go back and do that now."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.