Remote services solve some health care problems, but also bring risks
The rise of telehealth solutions makes risk assessments more crucial
INSIGHT ARTICLE |
The COVID-19 pandemic has been the source of many challenges for hospitals and health care systems, from providing critical patient care and securing personal protective equipment to maintaining operations and managing a changing workforce dynamic. Given the complexities and increased system vulnerabilities, health care organizations have also experienced growing challenges related to cybersecurity and financial risks. For example, as remote telehealth services have increased in prominence during the pandemic, hospitals and providers have become even more dependent on these digital solutions and the internet to remain productive and to engage with patients. Meanwhile, hackers are taking advantage of the crisis by unleashing a variety of attacks on the industry, from phishing schemes to ransomware threats. Strong cybersecurity processes and risk assessments require heightened attention as providers continue to navigate these changes.
Health care is far from alone when it comes to cyberthreat concerns. More than half of middle market businesses indicated that an attempt to illegally access their company’s data or systems is likely in 2020, according to RSM’s Middle Market Business Index Cybersecurity Special Report. That figure is a dramatic increase from 32% just six years ago. Additionally, 18% of middle market leaders indicated their companies experienced a data breach in the last year, up from 15% in the 2019 report. And now the pandemic has even elevated cybersecurity concerns further.
“COVID-19 has been a transformational event for every company, including health care organizations,” says Anthony Catalano, director for RSM’s privacy and security services. “Unfortunately, at the onset, security took a backseat in the beginning of the pandemic because it was really about the operational aspect of the business. It was about keeping the lights on. But now organizations need to turn the corner on this and focus on potential vulnerabilities. For instance, many hospitals now have billing staff working from home, off-site from the hospital. This may continue for quite some time, perhaps even permanently. This brings an entirely new set of risks that an organization must assess.”
According to Catalano, organizations should weigh a variety of workforce risk considerations, including:
- Changes and additions in and around communication platforms such as email and intranets that may create security exposures
- Data storage locations, such as cloud services, employees’ personal computers, mobile devices and how information is transmitted
- Potential weaknesses that could allow attackers to compromise employees’ remote networks or personal systems, potentially granting VPN access to the internal network
- Outmoded business processes that haven’t been updated to account for remote operations (i.e., accounts payable/receivable, payroll)
Telehealth and risk
Another COVID-related risk area for health care systems involves the increased prominence of telehealth solutions. While many patients have quickly accepted and adapted to this new offering with their providers during the pandemic, there are risks to weigh for organizations.
“Patients have seen the benefits of telehealth and have grown to expect a retail experience as they engage in these services, meaning they want the accessible, seamless interaction with their doctor, their services, billing and more. They will look to telehealth as their first line of treatment from now on,” says Jessika Garis, a director of risk services for RSM and industry senior analyst.
“In an effort to make remote health care readily available and easier to access,” Garis adds, “the Office of Civil Rights has stated it will exercise its enforcement discretion and will not impose penalties for providers who use any nonpublic-facing remote communication product during the COVID-19 nationwide public health emergency. It is important to note that if your organization is using a non-HIPAA platform, providers must notify patients that these third-party applications potentially introduce privacy risks, however, and providers should enable all available encryption and privacy modes when using such applications.”
In addition to privacy risks, Garis says there are other telehealth strategy questions providers should ask themselves, including:
- Has the organization assessed the investment? Rapid adoption of a telehealth platform requires significant financial and workforce investments.
- What’s the scope of the organization’s needs? Determine whether short-term or long-term telehealth service offerings are best for the provider.
- Is a redesign needed? Assess the organization’s clinical care model and determine if a redesign is required to incorporate the telehealth platform.
- Will the telehealth system meet the demand? Evaluate the organization’s and clinician’s capacity to treat high volumes of patients.