Health at home raises cybersecurity level
Editor’s note: This is the second installment of a five-article series that will explore the evolution of care to more patient-centric, virtual, and in-home. The first article discussed home-based care from the patient perspective. Additional articles will look at home-based care from other perspectives, including the impact on home health care workers, the scope of digital tools and devices required, and how health IT officers are leading the healthcare to home charge.
Providers collect, store, share, and use highly valuable data that attracts cybercriminals. Protected health information (PHI) and personally identifiable information (PII) are particularly prized and targeted by hackers. Increasingly popular “health at home” care models introduce new cyber risks due to cloud and remote digital solutions — such as telehealth, remote patient monitoring, wearables, virtual care stations, and mobile health apps — that operate outside the firewalls of the provider’s physical facilities. As more clinicians and patients connect remotely to a provider’s secure internal systems, increased cybersecurity measures are needed to secure personal medical information, control remote device access, and protect the systems against viruses and malware.
Pandemic supercharged home care
“During the COVID-19 pandemic, we witnessed how healthcare providers use technology for home-based care, virtual consultations, and remote monitoring to increase patient-centric care delivery and address budget constraints and staffing challenges,” said José-Marie Tanga, senior director of healthcare strategy for SHI.
The cyberattacks on hospitals and health systems during the pandemic came from all directions, from hacking remote devices to simple email trickery.
In 2020, a cyberattack on the University of California, San Francisco (UCSF) Health system resulted in the theft of patient data from more than 100,000 patients. The hackers were able to gain access to the system through a remote access tool that was being used by UCSF employees.
In 2016, hackers exploited a vulnerability in a patient’s personal device to seize control of the Hollywood Presbyterian Medical Center, Los Angeles, computer system. The hospital paid the requested 40 Bitcoin (then worth about $17,000) to reestablish access to its system.
Still other incidents involved email phishing, which installed malware or viruses resulting in either stolen data or systems held hostage via ransomware. Hackers have also targeted IoT devices and diagnostic databases in cyberattacks on home-based healthcare organizations that involved more than 100,000 patient medical records. Newer patient-driven technologies, including wearable devices and mobile health apps, are under threat from known methods like malware and phishing, but zero-day attack methods — exploiting vulnerabilities not yet known to manufacturers or users — show how hackers continue to innovate and stay ahead of security. These attacks can negatively impact patient health, identity, safety and trust, as well as provider operations, finances, and reputation.
In these cases, providers responded by implementing stronger security measures, training staff on cybersecurity best practices, and creating response plans in the event of a cyberattack.
Securing health care at home
“Additional measures need to be put in place to ensure PHI data is secure when receiving care at home or virtually,” Tanga advised. “In a homecare setting, this could involve securing personal medical information, preventing remote access to medical devices, and protecting devices from malware and viruses.”
Here are some tips for healthcare providers to use when partnering with their patients to protect against health to home cyberattacks:
- Implement strong security measures, such as using strong passwords and multi-factor authentication.
- Train staff and patients on cybersecurity best practices, such as not clicking on suspicious links or opening attachments from unknown senders.
- Use a zero-trust security model. This means that no one is automatically trusted, even if they are inside the network.
- Use a layered security approach. This means using multiple layers of security, such as firewalls, intrusion detection systems, and antivirus software.
- Keep software up to date. Software updates often include security patches that can help to protect against known vulnerabilities. In the case of newer digital solutions and software applications, vendors and/or manufacturers are responsible for making patches and updates available, and health IT leaders need to ensure these partners’ security practices are in alignment.
- Monitor systems for suspicious activity. This can be done using security tools or by manually reviewing logs.
- Back up systems that could be hijacked or held for ransom. Certain cloud services and software may include automatic backups.
- Create a bring your own device (BYOD) policy that outlines who and what can access networks and data, and how these devices are managed and monitored.
- Review and assess medical devices and associated security risks. Federal authorities have advised that legacy medical devices pose a higher security risk.
- Have a plan in place in the event of a cyberattack, such as having a way to notify patients and law enforcement. HIPAA regulations require that organizations have a cybersecurity plan in place.
- Insure against cyberattacks. Insurance can help mitigate financial losses, as well as provide coverage for legal fees, PR expenses, and data and systems restoration.
Many providers need outside help with the digital aspects of home-based care and cybersecurity. Ideal partners offer a collaborative and comprehensive portfolio of technologies and solutions, including infrastructure and security, to help securely connect and enable healthcare providers to deliver patient-centered care to improve patient experiences and promote more efficient and effective care delivery for home-based healthcare services.
This major evolution in care delivery offers patients a more convenient and comfortable way to receive health care, and it improves access for patients in “care deserts” by eliminating the need for expensive and disruptive travel to clinicians, including specialists. However, as the cybersecurity landscape constantly changes and remote care services become more robust and digitally complex, providers need to act swiftly and comprehensively to protect the data, systems, and operations that make home care so successful.