Cybersecurity and Privacy

Data Privacy and Telehealth: Protect the Data, Protect the Patient

Data privacy during telehealth appointment

Lee Kim, JD, CISSP, CIPP/US, FHIMSS

The demand for telehealth services has grown significantly in light of the global COVID-19 pandemic. Patients expect the technology to work well. Patients also trust healthcare providers to protect their data. Data privacy should be top of mind and not an afterthought. After all, data privacy protects the patient by protecting his or her data.

Without appropriate safeguards for patient data, patient safety can be at risk. Safeguards must be in place to keep patient data both private and secure. Data privacy and information security work hand in hand. One cannot exist without the other.

Four Best Practices for Data Privacy and Telehealth

There are several tips to help ensure that patient information is kept private and secure. Best practices include the following:

  1. Strong authentication
  2. End-to-end encryption
  3. Keep a clean machine
  4. When in doubt, throw it out

1. Strong Authentication

First, the telehealth platform should provide for a strong authentication method. This means that the platform has a robust means for authenticating each of the parties prior to their gaining access to any confidential information, such as patient data or otherwise. Often, platforms require individuals to log in with unique usernames and passwords.

Passwords should be strong. This means that passwords should be complex with a combination of upper case and lower case letters, numbers and symbols. An individual’s password should be easy for he or she to remember, but difficult for others to guess. The password should never be visible to others. Thus, the password should not be posted on a monitor, bottom of a keyboard, or in a file where others may be able to find it.

Other means of authentication may be implemented (e.g., biometrics). Additionally, multi-factor authentication may be turned on, where appropriate. The additional factor used to authenticate the user may provide an additional layer of assurance. Further, usernames, passwords, and other credentials should never be written down or stored in an insecure place.

2. End-to-End Encryption

Second, the telehealth platform should provide for end-to-end encryption. Healthcare providers should implement a platform that allows only intended parties to participate in the communication (i.e., a non-public facing remote communication product). To help ensure privacy and security of the communication, the platform should provide end-to-end encryption. This means that only the patient and the person whom he or she is communicating with are parties to the communication. Unauthorized parties are not able to listen in on the communication or otherwise intercept any information that is exchanged between the two parties (i.e., eavesdrop), if end-to-end encryption is appropriately provisioned and implemented.

3. Keep a Clean Machine

Third, healthcare providers and patients should keep a clean machine. The machine (whether a laptop, mobile device, desktop computer, or otherwise) should have the most up-to-date operating system, applications (including web browsers and security solutions, such as anti-virus programs and firewalls), and firmware. Public Wi-Fi networks should never be used if exchanging any kind of sensitive information, including patient information.

4. When in Doubt, Throw It Out

Fourth, phishing is the top cause of significant security incidents. Phishing is very common. Healthcare providers receive large volumes of phishing emails. Patients also receive a large amount of phishing emails. These phishing emails may elicit sensitive information from the recipient. Or, the phishing emails may include a malicious attachment and/or link that is intended to infect the recipient’s machine with malware. In either case, phishing emails should be disregarded. If the email seems suspicious in any way, delete the suspicious email and disregard questionable links.

Good privacy and security necessarily requires the appropriate technical controls to be in place (such as encryption and authentication) and also adherence to best practices. Both are equally important. Ultimately, patient data and other sensitive information should be vigilantly protected: protect the data, protect the patient.

Cybersecurity in Healthcare Guide

In today’s world, discover how cybersecurity in healthcare—and protecting information—is vital for essential functions within an organization.

Explore the Guide