Cybersecurity and Privacy Risks of Telemedicine

by John DiGiacomo

Partner

Recent events will significantly spur the use of telemedicine. The last two decades have already seen a surge in the use of telemedicine prompted by the advent of economical person-to-person video transmissions. Telemedicine has been a revolution in medical examinations, consultations, and treatment. For example, the Veteran’s Administration recently expanded the use of telemedicine for veterans located in rural and remote areas.

Telemedicine has two components. The first involves video that allows a two-way, interactive transmission between doctor and patient. An interaction that does not involve an interactive video does not qualify under various state and federal legal definitions as “telemedicine.” Non-conforming examples include telephone only, email, or facsimile interactions. The second component involves use of diagnostic and monitoring devices that transmit patient data and information such as blood pressure, pulse rate, and the like.

So far, the main justifications for telemedicine have been limited access to medical facilities and specialists. That is, video conferencing has become an alternative for those too far from facilities that are able to provide the needed care and for patients needing access to a limited number of physicians who provide specialized care. Now, with COVID-19 spreading across the nation, a new reason for using telehealth is the protection of health care professionals and patients. As one headline proclaimed, in the coming months, remote healthcare might be as important as remote working.

As telemedicine services surge, it is crucial that health care providers ensure that they are duly aware of and compliant with cybersecurity and patient confidentiality protocols. Cybercriminals are not taking a vacation, even in a pandemic. As with all forms of internet use, there are known and foreseeable security risks. Unlike a face-to-face patient examination, a teleconference video can be hacked in real-time and can be easily recorded and stored. Further, medical monitoring devices are designed to store information and then transmit the information at set times. These too can be hacked. Likewise, once transmitted, the diagnostic data is again stored for later retrieval by the health care professionals. There are known cybersecurity risks to stored data. Under many new laws, healthcare businesses must provide robust security for those computer and transmission systems.

Compliance protocols fall into four broad categories:

  • Software and encryption — the device monitoring and person-to-person video conferencing software must be state-of-the-art and be encrypted to ensure that there is no real-time surveillance or theft of data; for example, basic FaceTime is nonconforming; Skype has several layers of available software products, some of which are compliant with security protocols and some of which are not.
  • Patient notices and consents — patients must be given notice of what information is being collected by remote monitoring devices, that the information will be stored and what business use will be made of the stored information; likewise, if a healthcare teleconference is recorded, patients must be alerted and told the purposes for which the video will be used; verbal consent to those business uses should be obtained.
  • Storage protocols — protocols must be put in place for the systems that are used to store remote device data and any recorded telehealth videos to prevent accidental or malicious breaches and data loss and prevent ransom-attacks; mobile devices should also be considered as part of these protocols.
  • Access protocols — procedures and rules must be established allowing only authorized medical providers access to the videos and other patient information.

Obviously, in medical emergencies, these protocols can be relaxed. But, being aware of the security requirements can ameliorate potential security risks and minimize what information is at risk. For example, if there is an emergency and if the only telemedicine software that is available to the patient is FaceTime, then give the patient notice that the teleconference is potentially not secure and try to avoid asking for personally sensitive information like the patient’s social security number.

If you have legal questions about telemedicine, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.
