Medicine and privacy are concepts that have always gone hand in hand. Indeed, a commitment to medical confidentiality is even mentioned in the Hippocratic Oath, historically taken as an ethical code by physicians. But disclosure of health-related information may significantly affect a person’s private and personal life, so this kind of data is naturally something that one would prefer to control and, in some cases, keep secret.
Today, however, privacy in medicine is no longer just a matter of doctors' discretion or the safekeeping of medical records. In recent years the healthcare sector has experienced some major changes: a survey from BDO confirms that 93% of healthcare organizations already have a digital transformation strategy, or are in the process of creating one, while the American Medical Association reports that in 2020, 79% of physicians used telehealth in their practices, compared to only 25% in 2018.
As well as creating new opportunities, this transformation also poses new risks. According to a Kaspersky survey conducted among healthcare workers, 52% of respondents have experienced cases where patients have refused to have a telehealth session due to privacy concerns.
People understand that data gathered and stored by healthcare organizations is highly lucrative for cybercriminals, with health records reportedly worth 50 times more than credit cards and social security numbers on the black market. This concern is heightened by uncertainty about the cybersecurity awareness of hospital staff, doctors, and patients themselves.
Thus, doctors, especially those who conduct remote sessions, must be ready to speak about the basics of information security, as well as answering medical questions. In this article, we’ve gathered several tips that will be helpful for medical practitioners, addressing the most common doubts that patients have regarding telehealth appointments.
How can I be sure that healthcare organizations won’t compromise my data?
Our report suggests that almost half of clinicians (42%) conducting telehealth sessions do not have clear insights into how their patients’ data is being protected. Of course, doctors have a lot of important information to keep in mind, but a basic knowledge of cybersecurity measures implemented by the medical organization would allow them to be more confident in dealing with online resources and patients’ data.
Ask executives or your IT department to explain the common principles of information security, including: how sensitive data is protected within the organization; whether or not it is compliant with the laws regulating PII/PHI protection (such as GDPR in Europe, and CCPA and/or HIPAA in the USA); how many data breaches and incidents have occurred in recent years; and what the results are of any recent third-party audits. Self-education is another option. Cybersecurity may seem like rocket science to some users, but there are sources available that explain the basics in simple, easy to understand terms.
A general knowledge of the cyberdefenses in your organization won’t require special training, but will be helpful when reassuring patients.
Why do I have to use unfamiliar apps to talk to a doctor?
54% of global frontline remote telehealth providers agree that some of their clinicians conduct remote telehealth sessions on apps that aren’t designed for telehealth. These apps, such as FaceTime, Facebook Messenger, WhatsApp and Zoom are convenient and popular. They’re used in everyday life and people don’t expect to face any problems with them.
However, unlike apps designed specifically for telehealth services, the consumer versions of these apps haven't been certified to safeguard sensitive personal data. A practical check for US practices: HIPAA requires a business associate agreement (BAA) with any vendor that handles patient data, and a consumer messaging app does not come with one. In addition to possible data leakages, the usage of inappropriate apps may lead to disciplinary measures and heavy fines. Those who fail to put the right tools in place could also be violating billing requirements for telehealth and might miss out on purpose-built telehealth features, such as the integration of patient records or the safe sharing of live data from remote devices.
Both doctors and patients need to be aware of the risks that bypassing this high level of protection can bring.
What measures do you personally take to protect my personal information?
While a doctor shouldn’t be expected to bear all the responsibility for data safety, they should follow all the necessary actions to keep their patients protected:
- Strong passwords: one of the most obvious, yet often overlooked, tips to protect your devices and accounts is to strengthen passwords. Passwords must be long, strong, and unique: at least 12 characters with a mix of numbers, symbols, and upper and lower case letters, and never reused between accounts (a password manager makes this practical). Where possible, enable multifactor authentication to access your devices and accounts.
- Regular updates: people often postpone software updates because they see no reason for them. Updates, however, contribute a lot to keeping your data safe. As well as adding new features, they can also provide security patches and repair vulnerabilities that may be used by criminals.
- Vigilance against phishing: cybercriminals often disguise themselves as legitimate email senders to penetrate a company's infrastructure. They tailor their bait to the target so that it seems more interesting to a potential victim. For example, when attacking a medical organization, a criminal may send emails related to medicine. This is why it's important to think before clicking a link in an email. Pay attention to any irregularities, such as a misspelling or odd syntax, and always check where a link really points (hover over it or long-press it to see the actual address) before opening it. If you are not sure whether you should trust the email you received, contact your IT personnel or information security team in your organization. Asking for advice won't hurt, but it can prevent a potential attack on you or your entire organization.
- Keeping everything in order: if possible, remove any unnecessary patient data stored on your personal and medical devices, and uninstall any software applications that aren’t essential to running the practice or are no longer needed.
- Double back: if you are conducting telehealth sessions from outside the office, connect to the internet through a VPN to prevent adversaries from spying on you (consult with your company's IT/IS teams on an approved VPN solution you can use). The VPN encrypts everything between your device and the VPN endpoint, so someone on the same home or café Wi-Fi cannot read it, regardless of the network's own settings. Note that it protects only that leg of the path; the telehealth app's own encryption still matters for the rest of the journey.
- Attention to detail: bad things can happen, but if you notice them in time and warn your IT security team, the consequences may be far less serious. Look out for any unusual behavior, such as digital services becoming unreachable or notifications about attempts to access your account, and let the relevant specialists know about it.
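The phishing advice above, checking where a link really points and watching for misspellings, can be automated for a first pass over incoming mail. The following is an added example, not a Kaspersky tool or code from the article: it extracts every link from an HTML e-mail body and flags three of the tricks that are hard to spot by eye, namely a lookalike domain with digits or Cyrillic letters swapped in, a trusted name used only as a subdomain of an unrelated site, and link text that names one domain while the address points to another. The trusted-domain list and the sample message are constructed for the example; replace the list with your own organization's domains.

```python
"""Flag suspicious links in an HTML e-mail body.

Example code added for this article (not a Kaspersky tool). The trusted
domains and the sample message below are assumptions constructed for the
example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the clinic legitimately uses for patient contact.
TRUSTED_DOMAINS = {"clinic.example", "telehealth-portal.example"}

# Characters attackers swap for letters in lookalike hostnames. The folding is
# deliberately aggressive: we only use it to ask "does this host *imitate* a
# trusted one?", never to decide that a host is trusted.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",  # Cyrillic a e o c
    "\u0456": "i", "\u0131": "i",                                 # Cyrillic i, dotless i
})


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Good enough here; real code should
    consult the public suffix list so that 'nhs.uk'-style suffixes work."""
    return ".".join(host.lower().split(".")[-2:])


def fold(host):
    """Undo digit-for-letter and Cyrillic-for-Latin swaps for comparison."""
    return host.lower().translate(CONFUSABLES)


def check_link(text, href):
    """Return the reasons a link looks suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    folded_reg = registrable_domain(fold(host))
    raw_reg = registrable_domain(host)

    # 1. Lookalike: after folding, the host matches a trusted domain, but the
    #    address actually typed does not.
    if folded_reg in TRUSTED_DOMAINS and raw_reg != folded_reg:
        reasons.append(f"lookalike domain {host!r} imitates {folded_reg!r}")

    # 2. Trusted brand used as a subdomain of an unrelated registrable domain,
    #    e.g. clinic.example.records-update.example
    labels = fold(host).split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels[:-2] and folded_reg not in TRUSTED_DOMAINS:
            reasons.append(f"{brand!r} appears as a subdomain of untrusted {folded_reg!r}")

    # 3. Link text names a domain that differs from where the link goes.
    m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if m and registrable_domain(m.group(0)) != raw_reg:
        reasons.append(f"link text says {m.group(0)!r} but goes to {host!r}")

    # 4. Plain HTTP: a patient portal should never be served unencrypted.
    if parsed.scheme == "http":
        reasons.append("plain HTTP link")
    return reasons


def scan_email(html):
    """Run check_link over every anchor in the body; returns {href: reasons}."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(text, href) for text, href in parser.links}


# Constructed sample message: one legitimate link and two phishing links.
SAMPLE = """
<p>Dear Dr Smith, a patient has shared new results.</p>
<a href="https://portal.clinic.example/results">View on clinic.example</a>
<a href="https://c1inic.example/login">Sign in at clinic.example</a>
<a href="http://clinic.example.records-update.example/verify">Verify your account</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE).items():
        print(("SUSPICIOUS: " if reasons else "OK: ") + href)
        for reason in reasons:
            print("   -", reason)
```

Run on the sample, the portal link passes, the `c1inic` link is flagged as a lookalike whose text disagrees with its target, and the third link is flagged both for burying the clinic's name in a subdomain of an unrelated site and for using plain HTTP. The check is a triage aid for the IT team, not a substitute for the "ask before you click" habit the list recommends.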
No company is completely immune to cyberattacks and data breaches. However, gaining a basic knowledge of cybersecurity and following simple rules goes a long way towards robust protection. It won't take long and will contribute to your patients' trust.
By Denis Barinov, Head of Kaspersky Academy
23 March 2022