Post-COVID-19 IT and cyber considerations in telehealth deals

Apr 24, 2020

Telehealth has received a major boost in demand and supply due to COVID-19, creating a significant opportunity for investors. However, there are several key IT and security considerations that must be assessed to ensure that any investment is wise and well-protected.

Originally projected for 19% annual growth according to Global Market Insights, telehealth received a major volume increase as the COVID-19 pandemic spread, which forced many health care providers to offer telemedicine appointments to protect operations and provider personnel. In addition, the federal government as well as many commercial payers relaxed regulations for telehealth providers. And finally, demand shifted significantly with people avoiding physical interactions and unnecessary trips, with many reporting satisfaction with the service model.  

While patients can be served via a wide range of solutions, there is no single provider mature enough to meet the full range of necessary services. This gap in the market is an opportunity for private equity to build a scalable platform that could support multiple add-ons and consolidate the highly fragmented telehealth market. The right opportunity can only be qualified by assessing the scalability and sustainability of the target’s platform against high-growth scenarios.

A mature telehealth platform does not simply connect a provider and patient over the internet; it provides the same level of comfort and care to patients as they would receive by in-office visits. A mature platform also integrates with providers' front-office and back-office applications for seamless scheduling, processing documentation, test results and imaging, and billing and coding invoices. To identify risks and opportunities in telehealth deals, an effective IT and cyber due diligence approach should focus on five key areas:

1. User experience for patients and providers: Health care workflows and care coordination are fundamentally meticulous operations, and moving these lifesaving workflows into the virtual space is uncomfortable for many operators. Telehealth is a new concept for most patients and providers; they need a very simple and secure user experience that conveys the same level of compassion and care as an office visit. A mature telehealth platform would deliver a superior user experience by providing:

  • Low system requirements and support for a wide range of operating systems
  • No latency in a low-bandwidth environment
  • Easy-to-use forms to collect pre-visit background information and consents
  • Virtual waiting rooms with educational or revenue-generating advertising content
  • Post-session follow-up and recommendations
  • Session recording for post-follow-up review
  • Patient responsibility and price transparency tools
  • Payment portals with Apple Pay and other electronic payments accepted

“Our advice to clients is to view the point in the horizon to aim for as an Amazon-like experience for your patients, fully built on artificial intelligence using their data to provide a truly personalized experience, on-demand.”
Rick Kes, RSM US Partner and Health Care Senior Analyst

2. Platform scalability for 100x growth: A scalable platform that can serve geographically distributed users and support zero latency in low-tech environments needs the right architecture, design, code development practices, and infrastructure. Most telehealth platforms today were developed by integrating disjointed components to capture the sudden increase in demand. These architectural shortcuts could result in sustainability issues: if the product is built on tight coupling and a closed architecture, scaling it would require completely rearchitecting and redeveloping the underlying product.

3. Integration with electronic medical record (EMR) systems: Connecting a provider and patient involves complex workflows of scheduling, collecting patient data, prescribing, and billing and coding that enterprise EMR systems handle every day for health care providers. Integration of telehealth with a wide range of EMR systems will provide omnichannel experiences with telehealth and in-office visits and reduce complexities in rolling out the telehealth capabilities for health care organizations. Due diligence should assess the difficulties of integrating the platform with the leading EMR systems (i.e., Epic, Cerner, Allscripts, and AthenaHealth) and the ease of rollout in the providers’ environment.

4. Integration with wearable medical devices: Patients’ vital signs are critical for accurate diagnosis; they are also necessary for prescribing the right medication. While there is no issue with obtaining these during an in-office visit, providers are handicapped when they cannot measure patients’ vitals while providing remote care. The next-generation telehealth platform will solve this problem by integrating with wearable devices (e.g., Apple Watch, Fitbit). Capturing data from wearable devices and using it in a meaningful way for tracking patients’ health will be a game-changer.

5. Data security and privacy compliance: While the Food and Drug Administration excludes telehealth platforms from the scope of data security regulations for digital technologies (i.e., medical devices), the entities are still subject to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires telehealth platforms to implement security controls for protecting patient data, administrative controls for collecting patient consent, and third-party risk management processes before sharing patient data. A 2019 Ponemon report puts the average cost of a health care data breach at approximately $6.45 million, which is expected to rise with more adoption of technology in health care. A deal cannot be closed without fully understanding the company’s ability to protect patient data, as liabilities from a data breach can threaten the existence of the business and, in an extreme case, wipe out the investment.

In many cases, telehealth’s use and acceptance are growing faster than infrastructure, regulatory requirements, and security measures can keep up. Telehealth services are now reimbursed by Medicare and many other payers, regardless of where the enrollee is located geographically and regardless of the surroundings, which allows the home to be an eligible originating site. These home sites have little to no security precautions in place, and many rural instances have aging, subpar IT infrastructure.

Several health plans, as well as Medicare and Medicaid, have expanded their coverage for telehealth, which allows more access to the services. With relaxed rules and an initial in-person visit no longer a factor in some cases, misdiagnosis and prescription abuse are possible. In some cases, the expansion of these services puts an additional strain on an already aging and overtaxed system.

The opportunity to learn from the past as well as the present should help drive the plan for telehealth going forward. Health care is essential to our society, but it’s also routinely at the top of the charts in all breach reports—specifically with attack numbers and the overall cost of a breach. Being a statistic is not a plan, but being prepared to mitigate risk and grab opportunities is a plan. Dealmakers seeking to build a successful telehealth platform and leverage the trend that emerged with the global pandemic will require a road map and strategy to address the shortcomings of the current environment.