Four Things Solutions Providers Should Know about Telehealth Security

The COVID-19 pandemic has accelerated the usage of telehealth services for patient care. More than ever, healthcare providers are utilizing virtual consultations and remote patient monitoring. According to research, the global telehealth market will reach around US$ 53.1 billion by 2026, with North America holding the largest share of the market. Rising costs in healthcare, technology advancement, the increasing number of people suffering from chronic diseases, and increased reimbursement of telemedicine all contribute to this growing trend.

For telehealth technology solution providers and integrators, while it is tempting to rush to create a solution to capture this market demand, security must be prioritized, among other things. Here are four security considerations that every company should know.

1. How is the patient’s data collected and shared?

The privacy and security of the patients’ data pose the most significant security risk in telehealth. What level of control is in place to collect, use, and share the patient’s personal and medical data? For example, if the user is using a consumer smartphone, the smartphone apps may share sensitive data—such as sensor data on location—with advertisers and other third parties in ways not anticipated by users. In another example, a remote patient monitoring device may inadvertently collect private information the patient does not wish to share, such as the household occupancy status.

2. How is patient data transmitted?

How the data is transmitted can cause another layer of security concern. For the service providers, it is crucial to take into consideration the evaluation of the telecommunications platform it uses. Is the transmission of the data encrypted? Proper encryption can protect data privacy by encoding the transmitted data. If the data is intercepted, it cannot be read without the decryption key. Major telecom network providers offer enterprise-grade protections via value-added services, and it is well worth the resources to investigate which services can help you safeguard data security at the network level. At JACS Solutions, we partner closely with companies such as Asavie via our joint solution to ensure our telehealth customers are protected end-to-end, from the network to the devices.

3. What is the level of the patient’s tech skills?

How often do we hear a technology product doesn’t work because of “user errors”? Probably more often than we’d like. For best practices, telehealth solution providers should factor in the level of the user’s technical skill at the design stage of the product, and not as an afterthought. It is especially important when the solution requires the integration of software, hardware, and services components. On the hardware side, JACS Solutions helps our telehealth partners achieve this by locking down the devices at the operating system level via firmware customization and transforming devices such as the tablets into single-purpose devices. This approach dramatically reduces security risks and enhances Protected Health Information (PHI).  The device does not have unapproved applications, and the user cannot accidentally initiate such applications which could potentially transmit unintended patient data.

4. What regulations govern the patient data security?

HIPAA’s privacy and security rules require that the information collected through a telemedicine service is encrypted. Also, the service providers need to message the patients via a secure network connection. On March 18, 2020, to help fight the COVID-19, the Office for Civil Rights announced it would not impose penalties for HIPAA privacy noncompliance during the pandemic. This change, however, is not expected to last past the pandemic crisis time, so telehealth companies still need to address the security issues at the core of their products.

On the medical device side, the Food and Drug Administration (FDA) regulates medical devices, with a focus on technical issues related to the security and integrity of information. It does not, however, monitor consumer-facing devices and apps.