The pandemic threw healthcare into unknown territory in 2020. To accommodate patients and continue to provide treatment, providers early on during the COVID-19 health crisis had to quickly turn to new technologies such as telemedicine to provide care virtually. As practices return to normal, it is imperative they be mindful of possible security issues related to the devices they used to enable patients to receive care remotely.
“We are trying to remind people that they may have distributed iPads or laptops or cell phones that need to be managed,” said Laura Hoffman, assistant director of federal affairs for the American Medical Association (AUA). To assist in that effort, the AMA has released IT considerations for medical practices and hospitals.
Practices should consider that devices used outside of the office might not have been updated with software security patches or distributed laptops without encryption capabilities, Hoffman noted. As their in-person caseloads rebound, practices that gave healthcare providers expanded access to protected health information (PHI) during the pandemic should return to normal PHI access controls.
Hoffman urged practices to enter into a business associate agreement (BAA) with vendors who provide telehealth platforms, if such an agreement is not already in place. Some major vendors historically have not signed BAAs, but they might be more amenable to doing so now to keep the market share they gained during the pandemic.
“I will be interested to see how that plays out when the public health emergency ends,” Hoffman said. “But if they [vendors] are not willing to sign a BAA — barring regulatory changes — providers will need to find a new platform because they have a responsibility to protect patient information under HIPAA.”
In the meantime, practices need to take every security feature a telehealth vendor’s platform offers, including end-to-end encryption, Hoffman said.
On top of pandemic-related threats, providers should be thinking about everyday compliance issues that could impact cybersecurity. They should be familiar with the software used in their devices and medical records systems and keep in mind that vendors can stop supporting older software. Hoffman said AMA has pushed practices to use a software bill of materials, a list of operating systems in medical devices and computers so practices know what components are in the system.
Hoffman recommends looking to a public/private partnership from the Cybersecurity Working Group of the Health Sector Coordinating Council for information. This group provides education and advocacy around cybersecurity and has a section with resources for small and large practices.
A practice’s security officer or someone in charge of managing IT vendors should be in charge of talking with vendors to assess possible outdated technology or other security concerns. The AMA has online resources providers can use that include questions to ask vendors to gain a clearer understanding of IT risks.
Annual discussions with vendors are usually sufficient to remain up to date on security measures, but an increasing incidence of attacks on healthcare systems may necessitate more frequent discussions. Personnel responsible for cybersecurity should be alert for security patches that become available to stay up to date on software changes.
State and national health associations for various specialties are good resources for providers as well. They may have lists of preferred vendors for telehealth or other services.