The COVID-19 pandemic has pushed healthcare organizations to make telehealth a top priority. As they do, they're forced to confront privacy concerns related to information access, usage, and alteration, as well as the security of public cloud services where health data is stored.
As the Cloud Security Alliance (CSA) explains in a new report on protection of health data, "telemedicine" and "telehealth" should not be used interchangeably. The former refers to the clinical diagnosis and monitoring by technology; the latter has a broader definition. Telehealth covers clinical healthcare and tools such as kiosks, website monitoring applications, mobile apps, wearable devices, and videoconferencing technology to link patients with healthcare providers.
Health delivery organizations (HDOs) are ramping up telehealth capabilities such as remote patient monitoring (RPM) and telemedicine to treat people at home and reduce the risk of exposure for both providers and patients. This will continue to grow long after the pandemic, the experts write.
The increasing reliance on telehealth in the cloud is expected to drive privacy and security risks for healthcare institutions. Most hospital systems delivering telehealth use videoconference tools as well as cloud and Internet technologies, creating a range of potential issues and demanding security teams take a closer look at their architecture to identify flaws and decide on controls.
This is a shared responsibility between the HDO and cloud provider. Healthcare organizations must understand the regulatory requirements of patient data and the technologies they use.
Public cloud services are accessed over the public Internet, which experts say does not mean the cloud is inherently secure but should be considered in a cloud security model. HIPAA requires HDOs maintain "reasonable and appropriate" administrative, technical, and physical protections to protect public health information (PHI). HDOs are also mandated to do a security-threat risk analysis, which includes cloud-based threats and provides information needed to make risk-based decisions.
Healthcare organizations should also identify the security controls they have in place and ensure they're working as intended. As part of these assessments, the HDO should talk with its cloud service providers about governance, compliance, confidentiality, integrity, availability, and incident response and management. Stakeholders must consider the end-to-end security of the systems, including internal policies for access control and user provisioning.
Protected health information is at the core of privacy concerns related to telehealth, and the emergence of targeted attacks against information systems to access PHI is concerning. The HIPAA Privacy Rule, which regulates the collection, use, and disclosure of PHI, provides insight for better understanding the privacy implications. It mandates health organizations to track the use and disclosure of PHI and notify patients when their data is used. The EU's GDPR, which gives people certain rights when data is used, may also apply, depending on where PHI is stored.
Healthcare organizations must know how their cloud providers handle data retention and monitor how they access and use data. If there's a breach of health data, the provider should have a plan for how it will notify the HDO and launch incident response. Cloud providers should also sign a business associate agreement, another requirement under HIPAA.
CSA also emphasizes the importance of a continuous monitoring program to make sure HDOs enforce and improve their security operations for internal controls, as well as privacy and security programs used by a cloud service provider. This monitoring is maintained throughout the data, applications, and systems life cycles and should be altered over time for continuous risk awareness and compliance, the experts explain in their report.