
Cybersecurity and Privacy Risks of Telemedicine

By John DiGiacomo

Recent events will significantly spur the use of telemedicine. The last two decades have already seen a surge in the use of telemedicine prompted by the advent of economical person-to-person video transmissions. Telemedicine has been a revolution in medical examinations, consultations, and treatment. For example, the Veteran’s Administration recently expanded the use of telemedicine for veterans located in rural and remote areas. See report here.

Telemedicine has two components. The first involves video that allows a two-way, interactive transmission between doctor and patient. An interaction that does not involve an interactive video does not qualify under various state and federal legal definitions as “telemedicine.” Non-conforming examples include telephone only, email, or facsimile interactions. The second component involves use of diagnostic and monitoring devices that transmit patient data and information such as blood pressure, pulse rate, and the like.

So far, the main justifications for telemedicine have been limited access to medical facilities and specialists. That is, video conferencing has become an alternative for those too far from facilities that are able to provide the needed care and for patients needing access to a limited number of physicians who provide specialized care. Now, with COVID-19 spreading across the nation, a new reason for using telehealth is the protection of health care professionals and patients. As one headline proclaimed, in the coming months, remote healthcare might be as important as remote working.

As telemedicine services surge, it is crucial that health care providers ensure that they are duly aware of and compliant with cybersecurity and patient confidentiality protocols. Cybercriminals are not taking a vacation, even in a pandemic. As with all forms of internet use, there are known and foreseeable security risks. Unlike a face-to-face patient examination, a teleconference video can be hacked in real-time and can be easily recorded and stored. Further, medical monitoring devices are designed to store information and then transmit the information at set times. These too can be hacked. Likewise, once transmitted, the diagnostic data is again stored for later retrieval by the health care professionals. There are known cybersecurity risks to stored data. Under many new laws, healthcare businesses must provide robust security for those computer and transmission systems.

Compliance protocols fall into four broad categories:

  • Software and encryption — the device monitoring and person-to-person video conferencing software must be state-of-the-art and be encrypted to ensure that there is no real-time surveillance or theft of data; for example, basic FaceTime is nonconforming; Skype has several layers of available software products, some of which are compliant with security protocols and some of which are not.
  • Patient notices and consents — patients must be given notice of what information is being collected by remote monitoring devices, that the information will be stored and what business use will be made of the stored information; likewise, if a healthcare teleconference is recorded, patients must be alerted and told the purposes for which the video will be used; verbal consent to those business uses should be obtained.
  • Storage protocols — protocols must be put in place for the systems that are used to store remote device data and any recorded telehealth videos to prevent accidental or malicious breaches and data loss and prevent ransom-attacks; mobile devices should also be considered as part of these protocols.
  • Access protocols — procedures and rules must be established allowing only authorized medical providers access to the videos and other patient information.

Obviously, in medical emergencies, these protocols can be relaxed. But, being aware of the security requirements can ameliorate potential security risks and minimize what information is at risk. For example, if there is an emergency and if the only telemedicine software that is available to the patient is FaceTime, then give the patient notice that the teleconference is potentially not secure and try to avoid asking for personally sensitive information like the patient’s social security number.

If you have legal questions about telemedicine, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.
