Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

By Stefan Richards, Chief Information Security Officer, CorVel Corporation

Telehealth Takes Hold: The Challenges & Solutions to Protecting Privacy & Safeguarding Security

When COVID-19 swept the country, meetings were canceled, appointments were delayed, and elective surgeries were postponed. With the inability to access in-person treatments and healthcare appointments, telehealth was catapulted to the forefront and became a standard of care. This rapid expansion of virtual healthcare presented new security and privacy challenges. How do we pivot to minimize security risks for our organizations and the people they serve? What security controls should be applied to protect privacy? How do we address the rapidly changing digital environment and shifting regulations? Security and privacy are two sides of the same coin, so it’s critical that both security and privacy operations are protecting the company, employees, customers, providers, and their patients.

The Telehealth Boom

Telehealth has been used in healthcare and workers’ compensation for many years. However, it was underutilized, and physicians were often slow to adopt the technology—until COVID-19. Suddenly, telehealth became the preferred mode of care, as it allowed patients to connect with physicians and receive medical treatment through video or phone appointments without leaving the safety of their home or workplace.

Telehealth hotlines exploded, and virtual appointment requests went through the roof. In the span of a month, call volume doubled, and the need for providers skyrocketed. Workers’ compensation injury hotlines were flooded with questions about COVID-19—sometimes claim-related but often with basic healthcare questions. Everyone was hungry for information, but these two different uses of telehealth—reporting a claim and sharing medical information outside of a claim, which is HIPAA-protected—can create a privacy challenge. 

The Precarious Technology Platform

As the pandemic escalated, the number of people working remotely and connecting digitally rapidly expanded. It didn’t take long for virtual meetings and telehealth appointments to become the norm. Patients were navigating new software platforms, and physicians, most of whom had never conducted a virtual appointment, needed to get up to speed very quickly. It was important to get up and running as fast as possible, but we found out very quickly that not all teleconferencing platforms are created equal. 

Companies that were not using commercial-grade software were susceptible to security breaches because they didn’t have the right types of protections in place. In addition, there was the added question of what would happen to the recordings of these digital appointments and meetings. Where are they stored? Who has access to them? How are they protected? This new wave of dependence on technology meant increased risks for privacy and security issues.

A Moving Target

Navigating the constantly changing landscape of COVID-19 has been one of the biggest challenges for organizations. Regulations, safety protocols, policies, procedures, and legislation are continuously being updated or adjusted to keep employees and customers safe. Losing track of these changes can derail security and privacy operations.

COVID-19 legislation has popped up across the country, but guidelines vary from state to state. It is critical to understand what needs to be reported, how it needs to be reported, and what constitutes a workers’ compensation claim. In addition, agreements and protocols are frequently being updated to address the current circumstances around telehealth and virtual healthcare. These types of fluid situations significantly impact privacy operations and, in turn, the security measures that are needed to keep the organization secure. 

Three Keys to Success

As the first to provide telehealth services as part of the Workers’ Compensation care options, CorVel has navigated these challenging waters and can offer the following:

1. Adopt Protective Technology: With this sudden rise in the use of technology, it’s critical that organizations use software platforms that protect privacy and safeguard security. Choose a powerful platform that allows for safe virtual conversations, offers secure document storage and tracking, and maintains privacy for the company, employees, providers, and patients. Sometimes this infrastructure is already in place, but sometimes it needs to be built. Implementing a commercial-grade software platform with an authentication system that employs multifactor authentication is critical. We don’t want people sharing credentials or using weak passwords because that opens the system up to an attack. Multifactor authentication minimizes the risk of a security breach.

2. Create Clear Communication Channels: Now that telehealth has become mainstream, it’s important to establish policies and communicate them clearly. It’s our job to give good guidance about what software to use, which videoconferencing platforms are safe, and how to interact digitally. This information needs to reach everyone, including leadership, employees, clients, and provider partners. Using multiple channels to convey these messages will ensure that everyone is informed. Send notices, post videos, conduct virtual information sessions, and encourage word-of-mouth communication. Everyone using the organization’s technology should understand the policies and procedures around how to digitally connect in the safest and most secure way possible.

3. Make Friends with Legal: To address the rapidly shifting COVID-19 landscape, it’s essential that the security team has a tight bond with the legal team. Regular connections, weekly or even daily, confirm that everyone is on the same page and aware of any emerging issues. The legal team can also provide updates regarding privacy laws and COVID-19 legislation, which directly affect the security controls that must be put into place. Finally, a tight partnership with the legal team makes it possible to quickly bring on new health experts and technology providers with strong agreements that provide for essential security and privacy protection. Having an open line of communication between the security and legal teams allows the organization to make rapid adjustments as needed and ensures that both security and privacy operations are protecting the company as they need to.

While telehealth and the increased demand for technology may pose new security and privacy challenges, these risks can be mitigated by implementing powerful software platforms, providing clear communications, and working as a team. The more we know and learn, the better we can apply security mechanisms that will protect our organizations and minimize risk.
