The Trump administration has relaxed privacy requirements for telemedicine, or virtual doctor visits: medical staff treating patients over the phone and through video apps such as FaceTime, Zoom, Skype and Google Hangouts. The move raises the chances that hackers will be able to access patients’ highly sensitive medical data and use it, for example, to blackmail a patient into paying a ransom to keep their personal health information (PHI) private.
This relaxation of telemedicine privacy regulations is necessary, because treating coronavirus patients in quick, safe, virtual ways is a more critical short-term priority than protecting the data. That may sound contradictory coming from the keyboard of a cybersecurity expert, but that reaction exposes a misconception about how security works.
Security is not about eliminating all risk, because there is no such thing. Security is about prioritizing risk and controlling the most important operations first. Diagnosing and treating patients affected by Covid-19 is a higher priority than keeping every last transmission private.
Put simply, the life of a patient is more important than the patient’s data. With that in mind, protecting the data during transmission and when recordings are stored on the medical practice’s servers is still important.
- Doctors should utilize audio/video services that provide full encryption between the patient and the medical office during all telemedicine visits
- If the doctor’s office keeps a copy of the recording, it should be stored and backed up only on encrypted servers
- Not all employees of the doctor’s office should have the same level of access to telemedicine recordings; all patient data should be protected with user-level access
- Employees of the doctor’s office should be trained to repel social engineering attacks (mostly by phone and phishing email) aimed at gaining access to telemedicine recordings
Telemedicine and virtual doctor visits are just one area where the government is willing to accept increased risk during the pandemic. Many federal employees are also now working remotely, accessing sensitive data, often on personal computers that haven’t been properly protected by cybersecurity experts. This poses an even greater problem than putting patient data at risk, because nearly every government (and corporate) employee is working remotely for the foreseeable future. I will address those concerns in an upcoming post.
In the meantime, stay safe in all ways possible.
About Cybersecurity Keynote Speaker John Sileo
John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, surveillance economy, cybersecurity and tech/life balance.