There’s been a rapid uptick in recent months in the need for telemedicine. The benefits are clear: infection and cross-contamination risks between patients and staff are reduced or eliminated, rapid communication can be achieved between different specialists or Trusts, and patients can access healthcare in a variety of ways. Many existing apps and platforms have responded to this demand, swiftly developing and expanding their capabilities in order to access and store sensitive personal health data. But just how safe are our virtual medical records?
The current boom in video conferencing apps demonstrates the issues facing telehealth perfectly. In early 2020, the telecommunications sector suddenly experienced an unexpected surge in popularity, with many people using this type of software to both work from home and connect with loved ones. This was swiftly followed by reports of uninvited guests or lewd material appearing during conference calls, school lessons, group counselling sessions, and personal calls. This was largely due to security processes which had not been reviewed or updated, and therefore were not equipped to cope with the increase in demand.
As many telemedicine platforms were initially designed for other purposes, the pre-existing security measures in place are often lacking with respect to keeping people’s health data private. This increases the chance of cybercriminals illegally obtaining access to medical systems and information. There have been well-publicised breaches of healthcare cybersecurity in recent years. The WannaCry ransomware attack in 2017 affected a range of organisations worldwide including the UK National Health Service, wreaking havoc with patient care for many weeks. The consequences of telehealth cybersecurity breaches are extensive and can have serious implications — you can read more about these here.
There’s an inherent issue with high levels of interconnectivity between existing software apps. Many platforms use third-party hosts or separate vendors to provide functions for a backup cloud service, and each has its own security system in place to cover its own area. Although this may sound much more secure than a single overarching protective process, if one vulnerability is exposed then others could be put at risk too. Think of it like visiting a block of flats — if you’ve gained entry through the external door to a communal hallway, you could feasibly get some of the apartment owners to open their front doors just by knocking.
Different countries have varying laws and guidance on the use of established apps, social media, and messaging services for medical purposes. The Health Insurance Portability and Accountability Act (HIPAA, responsible for safeguarding medical data in the USA) recently lifted some restrictions to allow certain pre-existing platforms to be used for telemedicine. In the UK, most existing GDPR legislation from the EU governing data protection has been incorporated into national laws, and all companies wishing to use personal information must abide by these regulations. However, many NHS staff report a lack of specific guidance on the use of encrypted messaging and social media platforms, despite widespread use by individuals working for Trusts.
Telemedicine has taken a giant leap forward in providing healthcare remotely, and will be a definitive landmark on the map of healthcare for the foreseeable future. Cybersecurity must be an integral part of all future developments to safeguard medical records and organisations. You can read more about how to protect healthcare data from cybercrime here.