In the rush to offer telehealth visits early in the COVID-19 pandemic, many organizations chose to use consumer-friendly options, such as Zoom, Skype, and FaceTime. The rapid switch to such platforms, some of which are not inherently secure, and others of which lack privacy protections that comply with the Health Insurance Portability and Accountability Act (HIPAA), has created opportunities for breaches in patient privacy.
Federal wrangling remains ongoing in Washington, DC, leaving virtual healthcare in a form of limbo: it is legislatively permitted to continue, but security specifics remain fuzzy. Threats to digital privacy may be increasing, due to software glitches or malicious actors using ransomware. According to Node Health, numerous instances of exploitation have been reported, including:
- A major research laboratory, hospital systems, physicians’ offices, and testing laboratories have been prime targets for ransomware attacks that lock and hold patient data, cripple workflows, and threaten to make PHI public if the ransom is not paid.
- A Rhode Island-based healthcare system settled with the DHHS Office of Civil Rights for more than $1 million after an employee’s stolen laptop was found to hold the unsecured personal health information of >20,000 individuals in the form of work emails. Further investigation revealed noncompliance with security measures, including unencrypted work devices, insecure tracking of PHI on its network, and missing business associate agreements with affiliates.
The following are DHHS-approved HIPAA-compliant and secure platforms for telehealth visits:
- Skype for Business/Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings/Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
Further details can be found at HHS.gov/Health Information Privacy.