Yesterday US-Cert (Cybersecurity & Infrastructure Security Agency) issued an alert regarding Netgear routers. Since these are extremely popular home networking devices, we're flagging this as a critical alert for our readers. If you have a Netgear router in your office or at home, you must update the firmware immediately. If your device is at end-of-life, we urge you to replace it as quickly as possible. Call us if you have questions or want more details.
The use of telehealth was fast-tracked to reduce COVID-19 exposure to both care providers and patients. While the use and popularity of this technology is long overdue, it's not without security risks. Add to that the fact that OCR, who enforces HIPAA, has relaxed security requirements for the time being, and you have the potential for mass exposure of personal health information. We're going to look at telehealth options providers have and ways to keep their virtual visits more secure.
First, there are numerous telehealth tools providers can use. OCR has listed several, and those include - Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage. In addition to those, there are others like Doxy.me, GoToMeeting, and SimplePractice, to name a few more. One of the key considerations with these applications is if they are providing end-to-end encryption. While most offer that, for some, it's an optional setting. It's important to ensure it's enabled. Another important factor is whether the application is public-facing, or provides for private interactions. Obviously, public-facing applications are not to be used for your telehealth sessions. If you're using one of these tools and it's configured properly, you've reduced some of your risk of exposing PHI. But you aren't out of the woods yet.
If you're using a telehealth tool and recording the sessions, if those sessions are being stored on a hard drive, that also needs to be encrypted. Encryption can be enabled on the entire drive, on the folder containing the recording, or on the recordings themselves. How you do it is not important, whether or not you use encrypted storage IS important. For example, it may be fine to be using Word to take your session notes, but if you're saving them in an unencrypted manner, you are not protecting your data. This includes using tools like Google Drive or Microsoft OneDrive to sync your files with the cloud. Ensuring encryption is enabled while data is in transit and at rest is critical for data protection.
What's the penalty for failing to protect your telehealth generated data? At this time OCR is only enforcing HIPAA in this area on a discretionary basis. That means you're unlikely to get penalized for failing to implement and utilize a telehealth platform securely, but that doesn't mean you don't still have to notify your patients if you've exposed their data. You choose what's worse, but many have found the lost trust from their patients has been more damaging to their practices than the fines levied by OCR.
We want you to use telehealth. It's LONG overdue and it's safer for you and your patients, but using it in a negligent manner will eventually catch up to you.
If you want to discuss what your organization is doing with telehealth and get some free feedback, we're happy to help.
If you have any questions or if you are concerned about your organization's cybersecurity, give us a call at (800) 970-0402. We'll be happy to help.
For more HIPAA information, download our ebook - The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.