Identifying and Implementing Appropriate Security Controls in Your Telehealth Architecture

The recently passed Coronavirus Aid, Relief and Economic Security (CARES) Act provides a $300 million boost in funding for Federal Communications Commission (FCC) led Telehealth and Telemedicine Services programs. FCC Chairman Ajit Pai announced on March 30 that he is proposing $200 million of CARES Act funding go to a new COVID-19 Telehealth Program. This new program will offer selected healthcare providers full funding to purchase “telecommunications services, information services and devices to support telehealth services.” Chairman Pai also announced that an additional $100 million will be allocated to the previously proposed Connected Care Pilot Program. This program will cover 85% of eligible providers’ qualifying costs for the purchase of the broadband services, network equipment, and information services necessary to provide connected care services primarily to low-income Americans and veterans.

Organizations receiving funding from either of these programs and rolling out telehealth services need to be careful to consider appropriate security controls in their planning. Failure to do so will place these investments, their patients and their organizations at unnecessary risk.

This latest investment further funds the many efforts that the FCC has underway in support of telehealth. These efforts include the Rural Health Care Program, the aforementioned Connected Care Pilot Program, and the Connect2Health Task Force. Each of these programs individually and the programs as a whole are intended to provide and facilitate access to medical services for all Americans and particularly those in underserved rural areas. To that end, Chairman Pai had earlier in March announced the immediate allocation of $42 million in unused funds to support telehealth for patients of rural hospitals and clinics through the Rural Health Care Program.

Telehealth and telemedicine solutions can vary quite a bit from one organization to another in their capabilities and architectures. While reputable telehealth vendors have included appropriate security controls within their products out of the box, these controls typically must be configured and implemented appropriately in order to be effective. Interfaces with existing systems and infrastructure must be understood so as not to introduce new vulnerabilities into an organization’s environment.

In addition, unlike a traditional setting, the telehealth architecture may include remote patient monitoring systems (RPMS) deployed in a patient’s home. RPMS devices typically reside on the patient’s private home network along with many other non-healthcare devices, including typical computing devices like desktops, laptops, phones and tablets as well as many new Internet of Things (IoT) devices like refrigerators, personal digital assistants, baby monitors and home security systems. Often these home networks and devices are not well defended, potentially providing an easy entry point for nefarious actors not just to the home network itself but now to the healthcare provider’s network as well.

Healthcare organizations making investments in telehealth should be systematic and diligent in identifying, implementing and testing security controls appropriate to their telehealth environment. This work is not just best practice in information security but also often required by the Health Insurance Portability and Accountability Act (HIPAA). Following are six actions that organizations should take now to protect their telehealth investments:

  • First, understand the components that will make up your telehealth architecture/ecosystem. For a good overview of the components that may come into play, reference the recent Clearwater blog authored by my colleague George Jackson, Security Considerations for Deploying Telehealth and Remote Patient Monitoring Systems.
  • Once these components are identified, baseline security controls should be identified and implemented.
  • Risk analysis of the solution is then performed to assure that the controls are sufficient to reduce the risk to patients and provider to an acceptable level.
  • Based on the results of the risk analysis, additional controls should be identified and implemented, as necessary.
  • Once implemented, it is time to test the controls to make sure that they are implemented correctly and operating as expected. Ideally, this occurs before the solution is authorized to operate.
  • Once in operation, the system should be monitored to make sure that the controls continue to be sufficient and functional.

There is a cost associated with security. Unfortunately, it is not uncommon for organizations to either completely overlook security costs during planning or, when considered, squeeze the security budget in an effort to reduce overall project costs. It is also not uncommon to see project teams avoid engaging with the security team at all in an effort to speed up deployment. None of these scenarios is advisable. Implementing security after the fact is inevitably more expensive and the cost of an otherwise avoidable breach can be devastating.

Organizations looking for assistance in understanding how to incorporate appropriate information security into their telehealth and telemedicine investments can speak to a Clearwater expert today by contacting us at info@clearwatercompliance.com. For more information on the FCC’s Keep Americans Connected Pledge, visit: https://www.fcc.gov/keep-americans-connected. For updates on the FCC’s wide range of actions during the Coronavirus pandemic, visit: https://www.fcc.gov/coronavirus.
