Cybersecurity for Telehealth

Editor’s note: This text-based course is an edited transcript of the webinar, Cybersecurity for Telehealth, presented by Josiah Dykstra, PhD.

Learning Outcomes

After this course learners will be able to:

• Describe three potential security vulnerabilities in telehealth delivery.
• Explain three mitigations for delivering improved security for telehealth.
• List sources for further information on implementing secure telehealth.

Introduction

This course covers how to deliver telehealth securely. It is not a course about how to set up telehealth. There are lots of office management systems and commercial products to support you in delivering telehealth. You can find other courses on AudiologyOnline in regard to getting started and setting up telehealth in your practice. The other topic that I will not talk about is the legalities of licensure and whether telehealth is covered in your scope of practice as defined by your state licensure. Your state may have certain restrictions about where you physically have to be to do telehealth, and it is very important for you to get that information before delivering services via telehealth, but it will not be covered in today's course.  

Medicine is immersed in technology and audiology is no exception. You have been using technology in your practice day in and day out, and that is nothing new.  There has been a massive growth of technology use in medicine during the COVID-19 pandemic, which has accelerated things such as telehealth. I did see a statistic in a hospital review that said that 48% of physicians used telemedicine of some kind in 2020. More surprisingly was that his number had increased from just 18% in 2018. Note that the statistic referred to physicians, not audiologists, but this is significantly rapid growth. In my career in cybersecurity, I have observed that with technology, we focus on functionality first, and security is sometimes an afterthought. First, we make sure the technology does what we need to do, and then security lags behind. We have seen this with cars, and even internet-connected light bulbs - it is not unique to telehealth. However, because security sometimes trails technology doesn't mean that it's any less important. I am here to advocate for security in telehealth. It shouldn't be an afterthought. It is never too late to implement some of these things I will discuss today, and there are a lot of important reasons to do so. First, security protects your liability. It will help with your HIPAA compliance, and it is the right thing to do. Protecting patients' private health information, their security and their privacy is very important. Your patients expect it of you, as I am sure you expect your own healthcare providers to do the same.  

The Technologies Behind Telehealth

Terminology and Examples 

When it comes to terminology, terms commonly used include telehealth and telemedicine. There are others that are often used like teleaudiology, and e-audiology.  Whichever term you use, telehealth does not refer to what happens between the provider and patient physically sitting in the same room. There is some remoteness, some distance to it.  So, telehealth is an alternative to in-person office visits. And as you probably know, telehealth is more than just video conferencing even though that's the platform we may be using the most.

Video conferencing is one example of telehealth. Video conferencing is a synchronous, face-to-face appointment alternative that you can do from different locations. There are other ways to deliver telehealth, too. Asynchronous, sometimes called store-and-forward, telehealth is where data is collected from a patient and then stored on a computer somewhere that the healthcare professional can view at another time. It is not happening in real time, but still features that remote digital connection between the provider and the patient.

Another type of telehealth is remote patient monitoring. For example, someone with a chronic disease like diabetes may upload data to their hospital about their glucometer.  This is a form of telehealth although it is not usually the first thing that comes to mind. Mobile health is another form of telehealth.  If you take portable equipment out of your office and go to the patient's location, that is also often considered a form of telehealth.

Other examples of telehealth include email or text reminders about appointments - those also qualify as telehealth under the definition in the law. 

There are many benefits to this rapid rise in telehealth, as well as some risks. We want to ensure the benefits outweigh the risks. We would not want to embrace technology that was more dangerous than what it was worth. I think telehealth is here to stay, even after COVID-19 is behind us, so it is important to get it right in terms of security.

This is the definition of teleheatlh used by The Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS): "The use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications."

The key point here is that telehealth refers to the use of electronic information or telecommunications to support long-distance healthcare, education, and administration. This is the definition that I will be using in this course. You can find it at the HHS website. Others may use broader or more narrow definitions. 

Basic Infrastructure

I'm going to introduce three abstract, broad, high-level core components of telehealth. Looking at telehealth in terms of high-level components can help you see where vulnerabilities are, so you can take the applicable corrective actions. The basic infrastructure for telehealth can be thought of in these three buckets: The audiologist, the remote patient, and Internet services. 

The audiologist. The first core component is what happens on your end. You as the audiologist, whether you're in your office or somewhere else, and your computer, are the first component. You have a lot of control over your own environment, including the hardware, software, people, and processes you use; all of these factors are included in this first component  We should also think about the fact that it is common to have technology problems from time to time. I'm a professional computer scientist, and even I have a love-hate relationship with technology. You may have a telehealth appointment about to begin, and then your computer stops working for some reason - maybe you can't connect to the Internet or your webcam won't turn on. If you find yourself using your personal laptop or your personal phone at the last minute, that then becomes part of the telehealth infrastructure. And so we need to be careful about security with all of those other technologies that are not your primary equipment, but you may use as a workaround. I understand that our work needs to get done, and so we need to be cognizant of all of the technology that touches telehealth, even in an emergency situation.

The remote patient. The second component is the remote patient. They have their computer or another tablet device so that they can participate in a telehealth appointment with you. There are other parts of their environment as well - they may have other people in their house or they may have other technology in their house that is more or less secure than the device that they're using. There is a whole ecosystem on the patient side that generally we have very little control over when it comes to security. 

Internet services. The third component is the online Internet service that allows us to connect to the telehealth appointment. Even if the telehealth appointment consists of us calling the patient on the telephone, there's some bit of cloud that allows your telephone to talk to the remote patient. When it comes to security, it is important to consider this third component of the telehealth infrastructure.

COVID-19 Telehealth - HIPAA Relaxations

In March 2020, HHS relaxed its enforcement of regulations around HIPAA and telehealth in order to enable health care providers to use telehealth more readily during the COVID-19 public health emergency. You can read this notification document in detail at the HHS website - it is entitled Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. This notification remains in effect until the COVID-19 national emergency is declared over. At that time, these relaxations actually go away and the old HIPAA regulations will be in effect unless HHS takes action or Congress takes some action to change the regulations around HIPAA and telehealth. Therefore, it's very important to know that this relaxation of the enforcement of HIPAA rules is temporary and we should be prepared for it to change whenever the national emergency is over. 

The HHS notification indicates that you are encouraged to communicate with patients through telehealth using remote technologies. It goes on to state that the governing body of HHS, The Office for Civil Rights (OCR), will not at its discretion impose penalties on covered health care providers for noncompliance with the regulatory requirements under the HIPAA Rules when providing services via telehealth. Before COVID, it was against the HIPAA law to use some remote technologies that are now in use because of this notification document.   

This document essentially refers to public and private communication products. In general, the broad umbrella says you can use private communications but you may not use public communications when delivering telehealth. HHS understands that healthcare should be private. You should not be using technologies that would be accessible to the public.

The notification opens up a broad door that didn't even exist before to things like Zoom and Skype and Apple FaceTime which allows you to talk to more people.  For example, Apple FaceTime is a one-to-one private communication. When you talk to someone on FaceTime, it is not also broadcasted so that everyone on the Internet can see it. It is private so you could use it according to this notification guidance.  I also understand that lots of office management systems (OMSs) have built-in telehealth technologies. Those also are private communications. Those are not public to the general public. Public-facing applications such as Facebook Live, Twitch, or Tik Tok should not be used, according to HHS. The HHS document gives a shortlist of some kinds of technologies. The government is very careful not to endorse any one platform or to indicate it is giving a complete list. 

I will mention that while we are all familiar with Zoom, Zoom for Healthcare is a special version of that service. Zoom for Healthcare is a little more protected and with this version the company will enter into a Business Associate's Agreement (BAA) with you. They will not do a BAA for the public free version of Zoom, but the paid healthcare version is unique. A BAA helps protect you because it says the company you are working with will help protect protected health information (PHI) while you're using its services. Be careful about which version of Zoom you are using with patients. When in doubt, assume you can't use something for telehealth until you have the assurances that you can. If you're looking for an option for telehealth, consider the companies listed in the HHS notification document. I don't have a specific preference for any of the technologies on the HHS list. 

Here again is the link for the full document at the HHS website: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.

Example: Remote Hearing Aid Programming

Telehealth has been around a long time, even in audiology. Examples include remote hearing aid programming such as T2 On Demand from Starkey, ReSound Assist Live, myPhonak Remote Support, and Widex Remote Link. There are lots of technological implementations of remote programming whether it's on the user's phone or whether it uses another physical device. I will say I have not evaluated the cybersecurity of these products themselves. I think that is an important thing to do. We should have faith that the manufacturers are doing their due diligence as well. Of course, there will always be software updates. Keeping your software up-to-date is important as these vendors continually improve and not only add new features, but also fix security bugs.

I'm going to spend the next few minutes talking about the vulnerabilities in telehealth before we talk about how to fix them. I do not want this to be a fear-mongering presentation. Some people in security talk about it as if there's no solution and we're all doomed. That isn't the message I want you to take away. I do want you to understand where the risks are because cybersecurity is all about risk management. And if you decide to take action or even do a few things for better cybersecurity, I hope the information in this course will help guide your decisions and give you ideas of how you may want to prioritize. There is no such thing as "100% perfectly secure", but there are many steps you can do to reduce your risks. 

Potential Security Vulnerabilities in Telehealth Delivery

Most of us understand that hackers might go after our computers. There are many ways that hackers try to attack computers. The one that most people think about is someone sitting on the other side of the world attempting to hack into computers over the Internet. While that is technologically true and that does happen, it actually is quite rare. Your computer is a little more insulated from being directly accessible on the Internet. If you have a firewall, for example, that helps block remote exploitation. While attacks over the Internet can happen, they are not what we should be most worried about. In fact, the most likely way that your computer would get hacked is through social engineering (such as email scams or phishing), which takes into account the fact that we are all human and our default is to trust that our email is sent from legitimate sources. Our default behavior is to open the email along with any attachments and to respond.  Hackers understand this and they take advantage of us as people. Phishing is one example that comes in through email.

Another attack that takes advantage of social engineering is one that comes in via a phone call. This is where attackers make up a fake scenario and ask you for a password or other information over the phone. 

To avoid a phishing attack, always be alert when checking email, even your work email. Ask, "Is this something that I expected? Is this a person I trust? Or is it just spam? Is it somebody trying to trick me?" But phishing very much is the most likely way that hackers will attack telehealth. They will send these fake emails to you. They will send them to your patient. They probably send them to the service providers as well and so all of us have to be very diligent about that.

The other way that hackers attack is through malicious webpages and malicious attachments. Be vigilant whenever you think you are downloading legitimate, free software because hackers will send malicious versions of software that get them access to your computer. Hackers target all of us, including our patients. We generally have the most control over our own systems. You can install patches on your computer. You can have a policy in your business about how often that happens. You can let your patients know in a telehealth consent form, for example, that you are doing the very best you can but you cannot guarantee that all of the telehealth components are secure.  You may have seen this in any telehealth forms that you have received from your physicians.  Everyone has some responsibility for security, including your patients.

We know that getting hacked is a problem, but In the case of telehealth, what is the impact? Let's say an attacker, for any reason, does get access to one of your computers. What could happen?  Here are just a few of many examples of what a hacker might be able to do from a compromised computer:

1. Commit medical billing fraud
2. Illegally access live videos between patients and doctors
3. Gain unauthorized entry into other computers
4. Access cloud-based EHR/EMR systems where patient data is stored

We certainly want to prevent fraud. We don't want a hacker to be able to fraudulently bill. We certainly don't want them to be able to watch the video between you and a patient, which they might be able to do if they had access to your computer. If they get access to one computer inside your company network, that may allow the hacker to exploit other computers. They sometimes want to spread a virus to all of the computers in the company, and if they get access to one, that could give them unauthorized access into other devices.

Lastly, your computer is probably logged in to your OMS all the time. If the hacker was on your computer, there is a potential that they could also access a cloud-based service where probably lots of your patient data is stored. I am almost certain, although I don't have any real-world examples of this, that hackers probably are already doing these things with some success. The hackers also know that some telehealth technology was rolled out very quickly, and that some people are better about their cybersecurity than others. It's very low cost for an attacker just to send a million fake emails to anyone they can find on the Internet. 

In addition to risks from a compromised computer, there are risks from other things. Probably within your arm's reach are several devices and maybe even several people. There may be papers on your desk, and links between your office and the Internet.  All of these things need to be considered in terms of security.

This might feel uncomfortable to you, but I want you to think like a criminal. The best way that we teach people to do cybersecurity is to think like a hacker. Imagine you are a malicious package delivery person who walks into your clinic. What might they do? If they were malicious, could they reach the papers on your printer? Could they plug in a thumb drive into your computer? That is how a criminal might think. If you think like a criminal, then you can take countermeasures to prevent the things you notice.

Information is moving all around us all of the time, particularly in the video conferencing version of telehealth. Private information that may be shared may be visual or auditory. Anyone who can see in your office or hear what's going on threatens the privacy of that information. You can encrypt data so that it is very well protected on a computer, but there's no way to encrypt the things that we say what we may see on a computer screen. That's just the nature of it.

Consider whether you need a special room in your practice for telehealth where you can close the door and keep a clean desk. As mentioned, we have little control over the patients' environments. If they have other people in the room, you can advise them that they might want to ask them to leave or you can invite them to close their door. Lastly, consider your Internet services. Despite the fact that those services are broadly accessible to the Internet, they are a very difficult target for hackers. Hackers are continually trying to attack Internet services but Internet services go to great lengths for security as their livelihood depends on being secure and responding to incidents. In my opinion, Internet services are probably the most secure component of telehealth, although I can't guarantee that as I don't have any insight into how the security of any company like that works, but they are incentivized to be good at cybersecurity. When you sign a BAA with them, you are offloading some of your risk that says they are responsible for cybersecurity and they are responsible if they are compromised for any reason. Signing a BAA with your Internet provider is important for that reason.

Selecting Telehealth Services 

Here are a few considerations when deciding on whether to provide telehealth services. The first thing that most people are surprised about is that the HIPAA law has no special section explicitly about telehealth. Telehealth is treated exactly the same under HIPAA as in-person appointments. The same privacy protections apply whether you are doing virtual appointments or physical appointments in the office.  The law does not say that telehealth technologies are allowed or not allowed. It only says, for example, that you have to have secure communication to protect electronic personal health information (ePHI) and you should only allow authorized users to have access to your cloud system, OMS, or video system. All of those are treated the same. In addition, there must be a system of monitoring communications containing ePHI to prevent accidental or malicious breachers. 

It is important to apply all the same protections that you would in your office to telehealth. That means just like you would be careful who walks in the front door of the building of your clinic, you should also be monitoring, for example, who has accounts and access to your OMS. Are they logging information that will help you find out if something is going wrong? Did somebody try to log in that looks like an employee but maybe the password got stolen? Asking yourself those types of questions can help protect your systems and digital assets just the way that you would protect your physical building.

Here are features to consider when selecting a telehealth provider/solution:

1. Business Associate Agreement (BAA)
2. Strong end-to-end encryption (NIST recommends 256-bit AES)
3. A virtual waiting room
4. Technical support (doesn’t add any security)

First, ensure that the telehealth provider will sign your BAA. If you don't have a BAA, now is the time to get one. Talk to your national association for one that is legally sound.  This is an essential feature to have with a telehealth provider - do not work with telehealth providers that will not sign it. 

I know you are all familiar with the term encryption but what that means is sometimes ambiguous to people who are not in the technology professions. In terms of strong end-to-end encryption, note that the government recommends something called 256-bit AES. Look for those numbers and those letters, as most telehealth providers indicate their encryption on their webpage.  You may see the telehealth provider state, "Yes, we have encryption that meets 256-bit AES." The government has said that is secure, and you can feel good about that. If the telehealth provider does not advertise their end-to-end encryption, you can ask, "What kind of encryption do you have?" If you're still confused or if it seems like the company is just providing you with marketing or technical jargon, ask more questions. You can reach out to me or your IT consultant as well.  

In addition, consider using a virtual waiting room with your telehealth appointments. You may be familiar with a virtual waiting room as other technologies such as Zoom use one.  A virtual waiting room ensures that anyone with a link does not automatically connect to your meeting - they are put in a virtual waiting room until you, the provider, can allow them in. That gives you time to confirm that, "Yes, I expected this person. They are in the right place." You can do some checking before the person automatically is set up a video link, which is a little bit dangerous.

Lastly, I've also listed good technical support as a feature to consider.  Good technical support will help you troubleshoot and make sure the technology works. I will say explicitly that technical support doesn't add or reduce any security. If a telehealth vendor has a 24-7 customer service line, that is nice and convenient but it does not add security.  This is a 'nice to have' feature but not an essential feature. 

Follow Security Best Practices

Now that you know what some of the risks are and where those vulnerabilities might lie, what can you do about them? There's no need to just live with all of that risk all of the time. There are absolutely things that you can do. Just like you have best practices in clinical audiology, there are best practices in cybersecurity.  There are four things you should be doing continually, not just for telehealth. I sometimes describe them as cyber hygiene.  The four practices are: 1) Keep software updated; 2) Install and turn on antivirus software; 3) Keep data encrypted; and, 4) Use two-factor authentication.

Keep Software Updated 

The same way that you wash your hands to protect yourself from germs, to keep your computer secure, you need to keep the software updated. I know ongoing software updates can be frustrating. However, it is not just about updating software; not doing it could break other things that are working in your practice. Keeping software updated is the number one thing you can do to protect yourself from hackers, because hackers want to use software that has a lot of bugs. Thankfully, most software updates are free and easy. If you have Windows 10, for example, you can configure that system to automatically check for security updates every day so you never have to push any buttons or hire an IT consultant to do that. You can just turn it on and it will continually keep itself updated. The same is true for your iPhone. The same is true for an Android phone. Software companies have learned that it was too much work, too much effort, for the average person to keep their software updated, so they developed free automatic ways to do that. 

Install and Turn On Antivirus Software

Get antivirus software and turn it on. Don't just buy it and install it and then turn it off because NOAH was acting up or your hearing aid software wouldn't work. There are ways to work around all of those troubles but the antivirus is another layer of protection. For example, if you go to a webpage and you think that's a safe webpage, but the website has been hacked and it's trying to hack your computer, antivirus will protect you from that. Microsoft has a built-in free antivirus called Windows Defender. And you can also just turn that on and let it go and it will continually run there and continually protect you. 

Keep Data Encrypted 

HIPAA requires encryption. Encryption protects mostly against physical theft. If you leave your phone at a restaurant or somebody breaks into your practice and steals the computer, that encrypted data essentially can never be read. Windows has a free encryption system called BitLocker. If your computer is configured for that, all of your data stored on your local computer is encrypted. If you store data in the cloud through an OMS or an online backup system, you should make sure that those third-party systems also use encryption.

Use Two-Factor Authentication

Two-factor authentication is an important part of security.  I've actually been very impressed that lots of the audiology OMS now offer this as a feature. What it means is that instead of just putting in your username and your password to log in, it asks for what we would call a second factor, which is sometimes a text message to your phone. It might be a code that is sent to your email. With two-factor authentication, a hacker can't just guess your password, they also have to be able to get this special one-time code. Microsoft actually is saying now that multifactor authentication can block 99.9% of account compromises. If a hacker can guess your password or somehow learns what your password is, that second factor keeps you incredibly safe. It is a very, very secure way to help protect access to your systems.

These four security practices are absolutely essential. If you need help with them, most IT professionals or cybersecurity professionals can help you set them up. 

More Security Practices 

In addition to these four security best practices, I want to discuss a few additional security measures to consider for your practice. Because most of us are doing telehealth with video, it might be that you purchased a webcam just for that purpose. Or, if you've purchased a laptop in the last several years it most likely has a webcam built in. Give very serious thought to covering up the webcam when you're not using it. It is a reality that some hackers, if they get access to your computer, can look through the webcam. This doesn't happen every day. You don't have to be losing sleep over it but it is a very easy piece of security to implement. Get a cover and flip the cover down to cover up the camera. Even if somebody could turn on that webcam, they couldn't see through it. When you're looking to purchase a webcam cover, what you need will depend on what kind of camera you have. If you have a laptop, some people will sell little stickers or little sliders. Make sure the cover is not see-through.  Please do not rely on a do it youself post it or piece of paper stuck on the webcam. Don't rely on tape or stickers or Post-it notes. It might look to you like it it's covered up but in fact, if you were to turn on your camera, it may be see through. Webcam covers are sold on Amazon and other online stores and they are inexpensive. It is good protection that you should invest in.

Immediately Before the Appointment 

What should you do immediately before a telehealth appointment to help keep it secure?

Prepare the room. I know we're all very busy. Your appointments are probably back-to-back all day, every day. I certainly appreciate that. Taking even one minute to prepare the room will go a long way to helping your security. Whether you have a clean and tidy desk or a busy desk, make sure that the person looking at you in the video (such as your remote patient), can't see any sensitive information. Just like you should be hiding patient records when another patient walks in your office - maybe you turn them upside down and you put them in a folder so they're not visibly accessible - you need to take similar precautions when you are on a video call. Take a scan around your room and make sure your patient can't see another computer in the background that has another patient's audiogram on it. Make sure the records and the papers on your desk are turned over. Then, close the door. Closing the door helps keep auditory and visual information secure during the appointment.

Log in and connect to the appointment. Do not open your camera and unmute your microphone until you are connected to the appointment. 

Open your camera and unmute your microphone. When you are connected, then open your camera lid and unmute your microphone. That can be the very last thing that you do.

Get into the habit of doing those three steps in that order to keep telehealth appointments secure. You might even put those steps into a policy in your employee manual. You might make it the standard practice for all of your audiologists. Every time a telehealth appointment is conducted, the whole office has decided collectively on the process, and you can make sure everyone follows the process.  Formalizing the process by adding it to your employee manual will help ensure compliance across your team.

Checklist 

Here is a checklist of things you can do today to improve your security. This checklist and other resources can be found on my website, www.designersecurity.com. 

• Purchase and install a webcam cover
• Review/Update your Employee Handbook
• Review/Update your Notice of Privacy Practices
• Create a Telehealth Consent Form for patients
• Confirm/Obtain a BAA with telehealth providers
• Install the latest updates for all software and devices
• Update and run an antivirus scan

As previously mentioned, webcam covers are a very easy, fast purchase. You can probably have one installed today or tomorrow. Review your employee handbook and ensure it includes all of your procedures, particularly for telehealth. I always encourage practice owners to have a security policy in their employee handbook. It should include how to select good passwords, never share your password, and other security best practices. Your employee handbook could also have a whole section devoted to telehealth. It might say, for example, that employees are only allowed to provide telehealth from inside the practice. It is not allowed from home, or the car, or anywhere outside the practice. It is for practice owners to decide the parameters, and then the employee handbook is the appropriate place for documenting those parameters.

Next is your mandatory HIPPA notice of privacy practices, which is something you give every new patient. Add a section for telehealth, if that is a service that you offer. It should include how you are going to protect privacy during telehealth appointments. If you need help with language for that, the national audiology organizations probably can advise you, as can your attorney. You can probably find templates so that you do not have to create the form from scratch. Make sure that the language you are using is clear to your patients.

Create an explicit consent form for telehealth.  I think this is becoming more and more important as the use of telehealth increases. Ask your national associations, "Do you have a template for telehealth consent?" The document should include information about security. You are doing the very best security that you can. You cannot guarantee the complete security of all components and so this is the trade off that needs to be communicated with your patients so they understand. They should sign that document the same way that you have them sign any other consent forms. Of course, whether or not to participate in telehealth in their choice. Most patients probably will say, "Yes, I see the benefit to this. I understand the risks and I will sign that document."

It is worth saying again - if you have not signed a BAA with your telehealth provider, do it today. Every day that you do not have one is a risk to you and your practice.

Go through the cyber hygiene activities as I have reviewed in this course. Check for updates on your devices - not just the one computer that you use for programming, or the one that you use for diagnostics, or the front desk computer. Check them all. They all need to be secure. Hackers could go after any one of them. Check your phone - for more information, refer to the course on smartphone security for audiology. Make sure your antivirus is updated and running. Do a quick anti-virus scan. In just a few minutes you can have some peace of mind that it is working and your computer is free of viruses.  

Review Your Security Posture 

Healthcare changes all of the time, and technology is changing even more rapidly. In addition to new innovations and new devices coming out, there are new threats and compromises happening every day. Hackers are always trying to find new ways to attack.

Review your security posture every month. Every 30 days, make yourself a checklist, and devote half an hour to make sure your software is updated on all devices. Make sure that the user accounts on all your systems are accurate and authorized If you have hired a new person or if a person has left your practice, make sure their account is deactivated. You should not have any extra accounts - everyone who needs access to do their jobs should have it but there should be no more and no less access.

Make sure your ePHI data is backed up and encrypted. If you have NOAH databases on a local server somewhere, make sure that you have an encrypted hard drive and make sure it's backed up. I recommend a monthly check because you do not want to wait a long time between back ups - if a catastrophe happens, you will have lost too much data.

Finally, look for any unusual or anomalous activity in your system logs.  Look for things that look weird to you. You will know pretty well by looking at those logs. "Yes, those are my staff log ins. This is the usual time that they work." If you see people accessing data in the middle of the night, investigate. It might be normal. But the sooner that we know that bad things are happening, the sooner that we can remedy them and the less damage that will have been done in the meantime. 

If you need any help with a longer checklist or if you feel uncomfortable with any of these items, an IT consultant or a cybersecurity consultant can certainly help you with this. Do not wait to get on this checklist. By the time that you hear about problems on the Internet, major data breaches, or major vulnerabilities in the news, they have already been happening for a while. The technology world sort of lives in its own sphere and they talk about things the moment an attack breaks out, but it takes a while for this information to move into the mainstream.

If you are interested in keeping track of cybersecurity news,  I have also included references and resources in the handout that you may find helpful. If you subscribe to Twitter or Facebook groups, I've included a few in the handout that are reputable and easy to understand.

Summary

Remember, there are three core components to telehealth infrastructure to consider when it comes to security: What you can do in your office, what your patient can do in their environment, and what you purchased as a cloud sort of service. You can have assurance in the security of those components by doing the things I discussed in terms of cyber hygiene best practices. When you run your updates on your computer, you are reducing your risk. That is very good for you. Signing a BAA with your provider reduces your risk. Many of these recommendations are very simple things you can do, no matter how much time you have or how much of your budget you want to invest in cybersecurity. I would review the checklist provided and prioritize the things that you can most easily and quickly control.

Telehealth is here to stay. I have no doubt that when COVID is over, and we've all had vaccines and we all go back to school and to our offices again, telehealth will still be here. Continually doing cybersecurity is very important. It is never too late, and it does protect you, your business, and your patients. Today is a great day to get started.  Please feel free to contact me at www.designersecurity.com if you have any follow-up questions.