The world has always needed remote medical services to bridge the distance between medical facilities and patients (especially patients in non-urban locations). This need has been heightened due to the outbreak of COVID-19 across the world, with medical practitioners relying on telemedicine to provide healthcare services to their patients while maintaining social distancing.
The need for telemedicine, coupled with expanding availability of high speed internet access, has resulted in a significant increase in the utilisation of telemedicine services. The Indian telemedicine market is projected to reach $5.4 billion by 2025 with a Compound Annual Growth Rate (CAGR) of 31%.
Telemedicine is possible only through the exchange of large amounts of data between users through devices and networks. This creates opportunities for threat actors, who will seek out and attack cybersecurity gaps anywhere in the digital chain between healthcare facilities and patients. We have already discussed why cyberattackers target healthcare in our blog on Cyber-hygienic Healthcare. Telemedicine increases the probability of a successful attack because the additional digital touchpoints offer more entry points for cyberattackers.
Digital Interaction in Telemedicine
Before we examine cybersecurity in the context of telemedicine, let us understand the extent of digital interaction in telemedicine with an overview of the steps involved in a teleconsultation:
- The patient contacts the hospital seeking a consultation with a doctor. The hospital’s front office staff log the patient’s particulars in the hospital management system
- Additional information about the patient, including patient’s medical history and scans of test results, is requested. The patient emails the requested details or uploads the required information into the hospital’s repository of medical records which is linked to the patient information module in the hospital management system
- A teleconsultation is scheduled through videoconferencing. Payment is collected through a payment gateway
- During the consultation, the doctor records detailed case notes about the patient in the patient information module. Specific medical information may be shared by the patient through a chat application to avoid ambiguity
- The doctor advises the patient on next steps and sends a detailed report to the patient through email to maintain a written record of the interaction and prescribed treatment
This is a highly simplified example of the telemedicine process, but even within this overview we can see multiple opportunities for cyberthreat activity:
- Keyloggers in front office systems can capture credentials that provide access to the hospital management system. More sophisticated malware can capture screenshots and even record videos to help the attacker understand exactly how to enter the hospital’s information systems
- All medical records that the patient provides to the hospital can be intercepted through malware. Ransomware in the repository of records can cripple the hospital by preventing access to patients’ medical and other records
- Cyberattackers can redirect the patient to a fake payment gateway to steal the patient’s banking credentials, or hijack the patient’s payment
- Cyberattacks can intercept the videoconference and chat messages to steal information. Keyloggers in the doctor’s device can capture the doctor’s credentials, allowing the attacker to access the hospital’s information system with the doctor’s access privileges
- Written records sent by the doctor/hospital to the patient can be intercepted and accessed by the attacker if the records are not password protected
In addition, the hospital should also consider the security of communications between facilities when records, such as test results, are transmitted from one healthcare facility to another. Chat applications may also store chat records in data centres located in other countries and with poor internal access controls, raising concerns over compliance with data sovereignty and privacy legislation.
Types of Digital Interaction in Telemedicine
Based on the above example, we can broadly classify digital interaction under 2 categories:
- Live/Real-time Interaction – This includes synchronous communication methods such as videoconferencing and chat, where both the patient and medical practitioner are online and communicating at the same time. Cybersecurity concerns include electronic eavesdropping, disruption through Zoom bombing (or similar attacks on other platforms), and impersonation (identity theft and communication hijacking)
- Asynchronous Interaction – This includes email communication, file upload/download, and examination of scans and test results before a consultation, where the patient and medical practitioner communicate at different times. Cybersecurity concerns include maintaining the security and accessibility of stored data and securing data in transit
Telemedicine need not be limited to direct treatment of a patient. It can include other hospital activities such as education of the general public through digital channels which can also occur in real time (e.g., Zoom group call) or be asynchronous (e.g., YouTube video) with corresponding cyber risk.
It should be noted that hybrid interaction is also prevalent, e.g., remote monitoring of a patient can be done in real time, and the recorded data from remote monitoring can be analysed later for a diagnosis.
While the cybersecurity concerns in telemedicine may seem daunting, they can be anticipated and countered by following cybersecurity best practices.
Measures to Cybersecure Telemedicine Operations
Healthcare facilities can mitigate the cyberthreat risk in telemedicine by:
- Creating a Cybersecurity Policy – A cybersecurity policy lays down roles and responsibilities for an organisation’s stakeholders to follow and also stipulates technical standards to be enforced such as credential strength, encryption of data at rest and in transit, types of encryption used, and frequency of backups; permitted applications and services that can be used by staff; communication standards such as password protecting files that are sent to patients; and appropriate use of official social media channels. The policy should also specify penalties for non-compliance to ensure the policy is implemented
- Listing Authorised Solutions – Telemedicine often relies on third-party solutions, such as videoconferencing and chat tools. These solutions should be evaluated for privacy by checking the provider’s privacy policy, for security by verifying that communication is encrypted, and for data sovereignty by confirming where (in which country) the solution stores data. All stakeholders should be informed that only authorised solutions should be used
- Ensuring Security of Stored Data – Personally Identifiable Information (PII) of patients and their medical records (scans, test results) should be protected from theft and destruction by utilising encryption and backups. Backups should follow the 3-2-1 rule (3 copies, 2 media, 1 offsite) and be tested periodically by restoring a backup to see how quickly and easily normal operations can be resumed in the event of a wiper or ransomware attack
- Limiting Access – All access to data, networks, and devices should be granted on the principle of least privilege i.e., users should have the least access rights they require to fulfil their responsibilities. User identity, including patient identity, should be verified through strong credentials and (where practical) Multi-factor Authentication (MFA) before access is provided
- Deploying Endpoint Security – Endpoint protection solutions, like K7 Endpoint Security, protect computing devices (including email, file, and application servers) from malware like keyloggers, Trojans, and ransomware. They can also prevent the use of unauthorised applications and control access to unauthorised cloud/web services
- Deploying Network Security – Network security devices, like K7 Unified Threat Management, provide gateway security to enterprise networks and include an AAA (Authentication, Authorisation, and Accounting) framework to control access to computing resources. Communication between facilities can be secured by installing the K7 Connect 500 device in satellite facilities
- Training End Users – Providing training on cybersecurity ensures that end users maintain cyber hygiene and can spot and stop social engineering attacks like phishing, which target the user rather than the device or network. Training on safe use of social media makes end users aware of the risks present in their use of personal social media, which can spill over into their professional lives
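The "Ensuring Security of Stored Data" measure above asks for two things that are easy to state and easy to skip: that backup copies satisfy the 3-2-1 rule, and that a restore is actually tested rather than assumed. The following script is an added example written for this post; it is not K7 Security's code and not a tool the post describes. It assumes a constructed manifest format (a list of copy records with a location, a media type and an offsite flag), embeds constructed sample records so it runs offline, and checks both the 3-2-1 rule and the integrity of each copy against the SHA-256 digest of the original record.

```python
"""Audit backup copies of a medical record set against the 3-2-1 rule and
verify that each copy restores to the original byte-for-byte.

Added example for illustration; not part of the original post. The manifest
shape (BackupCopy records) is an assumption, and the record contents below
are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of the record set.

    media   - storage medium, e.g. 'disk', 'tape', 'cloud'
    offsite - True if the copy is held outside the primary facility
    content - bytes read back from the copy (embedded here so the example is
              self-contained; a real tool would read from the copy's location)
    """
    location: str
    media: str
    offsite: bool
    content: bytes


def sha256_hex(data: bytes) -> str:
    """Digest used to compare a restored copy with the original."""
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies: list[BackupCopy]) -> dict[str, bool]:
    """Report which parts of the 3-2-1 rule the set of copies satisfies:
    at least 3 copies, on at least 2 kinds of media, with at least 1 offsite."""
    media_kinds = {c.media for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_kinds) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def verify_restore(original_digest: str, restored: bytes) -> bool:
    """A backup only counts if restoring it reproduces the original exactly.
    A copy overwritten by ransomware or a wiper will fail this check."""
    return sha256_hex(restored) == original_digest


def audit(copies: list[BackupCopy], original_digest: str) -> dict:
    """Combine the rule check with a per-copy restore test."""
    rule = check_3_2_1(copies)
    intact = [c.location for c in copies if verify_restore(original_digest, c.content)]
    corrupt = [c.location for c in copies if c.location not in intact]
    return {
        "rule": rule,
        "compliant": all(rule.values()),
        "intact": intact,
        "corrupt": corrupt,
    }


# Constructed sample record set (not real patient data).
ORIGINAL = b"patient_id=EX-0001;scan=chest-xray-2021-03-01.dcm;result=normal\n"
ORIGINAL_DIGEST = sha256_hex(ORIGINAL)

# Constructed manifest: three copies, two media, one offsite, but the tape
# copy has been overwritten (simulating ransomware encrypting it in place).
GOOD_LAYOUT = [
    BackupCopy("nas01:/backups/records", "disk", False, ORIGINAL),
    BackupCopy("tape-lib:slot7", "tape", False, b"ENCRYPTED-BY-RANSOMWARE"),
    BackupCopy("cloud-bucket:records-2021", "cloud", True, ORIGINAL),
]

# Constructed manifest that violates the rule: two onsite disk copies only.
WEAK_LAYOUT = [
    BackupCopy("nas01:/backups/records", "disk", False, ORIGINAL),
    BackupCopy("nas02:/backups/records", "disk", False, ORIGINAL),
]


if __name__ == "__main__":
    for name, layout in (("good layout", GOOD_LAYOUT), ("weak layout", WEAK_LAYOUT)):
        result = audit(layout, ORIGINAL_DIGEST)
        print(name, "-> compliant:", result["compliant"],
              "intact:", result["intact"], "corrupt:", result["corrupt"])
```

Run as a script it reports that the first layout meets the 3-2-1 rule but has a corrupt tape copy that would fail a restore, while the second layout restores cleanly but fails the rule (one medium, nothing offsite). The point of separating `check_3_2_1` from `verify_restore` is that the two failures need different responses: one is a storage layout problem, the other is a sign the backup itself has been tampered with.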
Healthcare cybersecurity teams may also wish to read our blogs on conducting Safe Zoom Calls & Meetings, Ransomware in Healthcare, and Protecting Legacy Healthcare Devices against Ransomware for more information on protecting healthcare IT infrastructure from cyberattacks that may enter the organisation through telemedicine facilities.
K7 Security provides world-class enterprise cybersecurity solutions that are renowned for their protection, efficiency, and manageability. Please read our healthcare cybersecurity case studies (Multi-speciality Hospital Chain, Teaching Hospital & Research Institute, Multi-speciality Hospital and Research Centre) for more information on how our solutions protect healthcare facilities, or Contact Us to learn more about our international award winning cybersecurity solutions.