Telehealth – cybersecurity and privacy considerations
Source: digitalhealth.gov.au
Provided by: digitalhealth.gov.au
Published on: 24 July 2023
Automated Introduction: Welcome to the Australian Digital Health Agency podcast, supporting health professionals to realise a healthier future for Australians through connected healthcare.
Dr. Andrew Rochford (Facilitator): Hello and welcome to this podcast on the topic of telehealth web conferencing and cyber security threats, hosted by the Australian Digital Health Agency. But before we begin, I would like to acknowledge the traditional owners of the land on which we are broadcasting from and in which you are listening. I wish to acknowledge their continuing connection to land, sea and community, and pay my respects to them and to Elders past, present and emerging, and extend the respect to any Aboriginal and Torres Strait Islander peoples joining us today.
In today’s digital age, telehealth has become an increasingly popular way for medical practitioners to provide health services remotely. However, as with any online activity, telehealth and web conferencing systems are vulnerable to cyber security threats. In this podcast, we will explore some of the key considerations that healthcare organisations need to keep in mind when implementing these systems. We will delve into the significance of using online conferencing systems and compliance with Australian privacy laws, and additionally share some useful tips for setting up a telehealth consultation that prioritise both patient care and cybersecurity.
Today, we are joined by Danielle Pentony, Director of Cybersecurity Operations at the Australian Digital Health Agency, with over 15 years’ experience in the technology and cybersecurity space focused on financial services as well as healthcare and government. We’re also joined by Oscar Bem, Acting Director of Privacy at the Australian Digital Health Agency. Oscar has over 10 years’ experience providing privacy assurance to the public sector, having worked with the Department of Health and Aged Care, Services Australia and the Office of the Australian Information Commissioner. And Dr. Amandeep Hansra, a GP with 18 years clinical experience, who is also known for her work as a digital health consultant, entrepreneur, and investor, who has been a digital health advisor with the Australian Digital Health Agency for five years. And I’m Dr. Andrew Rochford, a medical doctor and spokesperson for the Australian Digital Health Agency, and I’ll be hosting today’s podcast.
To kick things off, I’m going to go first to you, Danielle, and I’d like to ask you about how have cybersecurity threats evolved in the era of telehealth and what are some of the considerations that a practice needs to think about when implementing a telehealth or web conferencing system?
Danielle Pentony (Director of Cybersecurity Operations): Thank you, Doctor. As healthcare organisations continue to evolve digitally, one thing has become clear: patient welfare cannot come first if the digital systems supporting it are threatened. As virtual healthcare increases in capability and popularity, healthcare organisations will need to continue to invest in securing their services.
Over the last decade, healthcare has offered new lines of services such as telehealth and remote patient monitoring and has expanded accessibility and ease for both patients and healthcare professionals. This has supported innovations that have improved patient outcomes. Now, it’s a profound digital transformation. IT is continuing to play a pivotal role in this ever-expanding healthcare delivery model, and it is important to do so in a secure manner, whereby patient privacy and data security are not compromised.
Now healthcare’s digital transformation has created so many opportunities, not only for patients and care providers but also for threat actors. As healthcare operations have become digitised, attackers have taken notice. The healthcare industry is now a top target for ransomware attacks. When these are successful, those attacks can impact operations in a way that is life threatening beyond simply harming the business.
The use of Cloud is growing across healthcare. As organisations move to the Cloud, having the right security controls and visibility in place is a must-have requirement. The success of telehealth could be undermined if serious privacy and security risks are not addressed, and without adequate security and privacy protections for underlying data in telehealth systems, providers and patients will lack trust in the use of these telehealth solutions.
Dr. Andrew Rochford (Facilitator): Thanks, Danielle. Oscar, did you have anything to add with regards to practices and what they should consider from a privacy perspective?
Oscar Bem (Acting Director of Privacy): I do, Doctor and thank you for that Danielle. Under the Privacy Act, you have the Australian privacy principles, and one of these is Australian Privacy Principle 11. Now, what this does is it tells you about the steps you need to take to secure personal information. So, what this really means is that you have to take reasonable steps to prevent it from being misused, interfered with, or lost, or also preventing it from having any unauthorised access, modification or disclosure.
What this really means in practice, because of course ‘reasonable’ is not defined in the Privacy Act, it will honestly depend on the circumstances of your particular practice. The kinds of information that you’re holding, the resources you have available to you, the size of your organisation, these are all factors to keep in mind.
But one thing which we have in privacy, which we think about is something called ‘privacy by design’. What this really means is that you think about how personal information is handled from that moment you first collect it until the moment you no longer need it. You need to think about everything that occurs between these two stages, and when you’re looking at telehealth, it’s about what is happening between those two points. How is the information being handled, and what can you do to control that?
A good example of this and looking into those basic principles is what happened with the AETNA data breach. Just to give you a bit of background, this was an American health insurance company who had already actually breached the privacy of their customers and then wanted to send letters out to basically tell them about the settlement arrangements. Of course, they then caused an additional data breach, but in a way that was really unexpected. The actual envelopes themselves had windows that were too big, which simply meant that the customer’s name and the fact that they were taking HIV medication was visible to anyone who picked up that letter. The result of this was a 17 million dollar settlement.
Now obviously that’s under U.S. law, so it’d be a little bit different if we were in Australia, but it raises the point that you need to think about the fundamental use of a particular telehealth solution and how it actually works. Is it suitable for you and the steps you can take about security of information and the way in which you use it and your customers use it? That can be a really great way of making sure that a telehealth solution you have is suitable for purpose.
Dr. Andrew Rochford (Facilitator): Amandeep, to you now. Looking to get an idea from a doctor’s point of view, how’s your experience been with telehealth and what measures have you taken to ensure that your patients’ data is secure during those web conferencing sessions?
Dr. Amandeep Hansra (Medical Doctor, Agency Digital Health Advisor): Look, great question. I think as healthcare professionals, this isn’t something that we have been very familiar with in the past until telehealth came about, in terms of some of those risks that are out there. But we’ve got to remember that as health professionals, we’ve routinely been handling sensitive health information about our patients. Many of us in our practices would already have policies around how we collect this information, how we store it, how we disclose this information. We’ve always been careful, and I think it’s important that we continue those principles as we move into the digital space.
The first step really is to understand the privacy and confidentiality requirements, both from a state and federal perspective. One of the first places to go, I think as a practitioner, is to make sure that you do have good IT support. So, for us, at our practice it was about ensuring that our IT support organisation actually understands and is aware of all the relevant medical practice guidelines and standards that apply for our situation. Then when we move into sort of video calls, we need to make sure that those video calls, or web conferencing facilities, are going to meet the same requirements as a face-to-face consult when it comes to maintaining confidentiality. This also applies to things like patient consent and the security of patient information.
So, one of the key considerations for us was what infrastructure are we going to use when we move to telehealth? We had to make sure that we used a platform that was designed for health consults, and there’s many of these available. There are obviously free services that we use for video conferencing meetings. But for us as a practice, we really wanted to make sure that we had the right software that was actually going to make sure it protected patient confidentiality and security.
I think once you have worked out more from the IT infrastructure perspective and making sure that you do have up-to-date software, that all of your antivirus, anti-malware software is also up-to-date, we then look at the actual physical environment of where we’re going to be conducting those telehealth consultations.
In the same way that we have physical consultations in a secure, private place where patients can talk to us about anything, we’ve got to make sure that we recreate that same environment in the telehealth space. So wherever the patient is talking to us from, they are in a quite private space. That there’s great visual and audio facilities available for them to communicate with us and that we do the same on the other side. Once you start to set up those appropriate environments, then it’s moving on to the actual flow of the consults, and we had to make sure that, again, during that consult, any data that’s exchanged is obviously protected. We needed to ensure that there wasn’t any data going overseas, and obviously, these are to meet the regulatory requirements here in Australia.
Once we’ve gone through a consult process, it’s also important to remember that during a telehealth consultation, there is often exchange of information post the consult. This might be sending somebody a script or sending a referral letter or a pathology request form. Again, these need to be done with data privacy in consideration. So, if you’re going to email these or SMS, or if you’re going to post anything out, ensure that you have the patient’s consent, that you’re doing these in an appropriate way that is not going to put them at risk of any breaches. There are a lot of guidelines around how you communicate in those scenarios, including how to use email in a safe and effective way. A lot of these guidelines are available through various resources with the Colleges (the Royal Australian College of General Practitioners), the Australian Digital Health Agency, and other resources that are available.
But, you know, we’ve really had to come on a big learning journey during the COVID pandemic, and I think as practitioners, we’ve all had to be refreshed on some of those underlying principles. But they remain the same whether we’re seeing a patient face-to-face or if we’re moving into the digital and online world. We just need to be aware of what are some of the requirements that we need to maintain.
Dr. Andrew Rochford (Facilitator): Thank you, Amandeep. I think it’s a really good point you talk about there, it’s finding those experts as well. Obviously, the clinical world and as doctors we want to be experts in certain areas, but we’re not necessarily experts in this new space that we’re moving into with regards to technology, security, privacy and finding the people that can give us those answers and set that environment up to best suit practitioners, but also patients, I think is so important. Danielle, to you, why is it important when it comes to limiting access to online conferencing systems as part of the overall security process?
Danielle Pentony (Director of Cybersecurity Operations): Doctor Amandeep actually raised some really great points, and I agree it is important to safeguard sensitive patient information and ensure that it remains confidential and secure. Healthcare providers already have policies in place, and therefore, securing telehealth policies should just be built upon existing patient confidentiality practices that you have in place. The number one thing to consider is securing who can access your online conferencing system or your telehealth system. Check your configuration settings in the telehealth platform. The other thing to consider is where is the data from your telehealth platform being stored? For example, is it being stored onshore within Australia or is it being stored overseas? These are some important things that you need to consider.
Dr. Andrew Rochford (Facilitator): Oscar, did you have anything else to add to that?
Oscar Bem (Acting Director of Privacy): I think it was another point which Dr. Amandeep raised, which I think is really fundamental here, and this comes up in privacy a fair bit as well. If you don’t know the answer, it’s totally acceptable to ask someone who may know the answer. We often will go to IT ourselves or even to Clinical Governance to get information about where this may apply, and where that ‘reasonable test’ may actually land. So, if you don’t understand how a particular platform works, or you have questions about it, just try find out because at the end of the day, if it’s not suitable for your purpose, there are plenty of options out there, and I’m sure there’s one out there which is more suitable.
Dr. Andrew Rochford (Facilitator): Absolutely, great advice. So, another way to limit access is the use of multi-factor authentication. We use multi-factor authentication more and more in our daily lives. Can we talk a little bit more about why this should be used as a security feature for your online conferencing system? Danielle?
Danielle Pentony (Director of Cybersecurity Operations): Without multi-factor authentication or MFA, cyber criminals can much more easily gain access to an account, and we’ve seen this as the root cause for a number of recent cyber breaches. So, effective access control also relies on making sure that users are authenticated securely. Using multi-factor authentication provides a far higher level of assurance compared to simply just using the username, a password or a passphrase. MFA adds another form of identification known as a factor to the authentication process. MFA consists of two or more of the following factors: something you know, such as your password or passphrase, something you have, such as a code from a token or a mobile app, something you are, such as your fingerprint or a facial scan. A good platform should have this option and MFA should be enabled wherever possible to ensure a higher level of security and assurance. Security vulnerabilities on your computer or the solution can also undermine the security of your online conferencing solution. So, what you also need to do is ensure that those vulnerabilities are also fixed and ensure that your MFA is in place.
Dr. Andrew Rochford (Facilitator): Taking a look now from a global point of view, Oscar, can you help us understand why it’s important to host your online conferencing system in countries that have compatible privacy laws?
Oscar Bem (Acting Director of Privacy): Definitely. So, looking at the Privacy Act and what it says is under Australian Privacy Principle 8, it basically says that if you disclose personal information, which obviously includes health information into an overseas jurisdiction, they have to have privacy laws that are broadly compatible with what we have in Australia. So, what this means is you have to take reasonable steps, going back to what ‘reasonable’ is again, to make sure that they have this compatibility. So again, part of this means that you have to talk to the vendor, understand what is going to happen and also making sure that nothing unexpected happens.
So probably one of the examples I can give is the telehealth company in the US, they’re currently facing legal action because the health information that they collected was then used to target ads to those consumers across social media platforms. So, it comes down to understanding whether there are any unexpected results like this, because there are lots of options out there. Even on a more admin note, it’s important to understand if something does go wrong, if there’s an issue with personal information and someone accessed it without authorisation, that you understand where you can call. Are they even in the same time zone? And obviously a lot of these major telehealth companies right now have a presence in Australia. So, it really, again, comes to understanding what’s going to be happening to your personal information, and also making sure your patients understand as well.
Dr. Andrew Rochford (Facilitator): Thank you, Oscar, and thank you, Danielle, for giving us a picture now around security and privacy, and how we can make sure that we position ourselves to feel as safe and secure as we can. But when it comes to the actual tips about setting up a telehealth consultation, Dr. Amandeep can you give us some tips on how best to achieve that?
Dr. Amandeep Hansra (Medical Doctor, Agency Digital Health Advisor): I think the first thing to do really is to understand if a telehealth appointment is actually appropriate for that particular situation with the patient. Not every consultation should be done via telehealth. There are things that do need to be done, face-to-face and there are lots of guidelines available to decide between those two options. I think if you do decide that telehealth is appropriate, you do need to get the patient’s consent for a telehealth consult to be conducted. Patients should always have a choice about how they interact with the healthcare professional.
Then I think the next step is really to explain the process. It’s really important that the patient understands what would be the workflow? What do they need to do? Do they need to download an app? Do they need to go to a website? How does it work? Will they be invited into a waiting room, a virtual waiting room? Or will they be notified when they need to join the call? I think all of that needs to be thoroughly explained to the patient.
For some patients who may have a little bit of trouble with technology, or it may be their first time, it’s really important for somebody to run through the process with them. Sometimes we’ll get our reception staff at our practice to contact the patient before the appointment and just check that they’re all ready and they understand how it’s going to occur. They also need to make sure they’ve got everything they need at their end, if they need to bring along medications to the consultation or any results. And they have to have a quiet space, make sure that it’s free from distraction, that it’s private, that they can talk freely, that they’re not worried about being interrupted by people on their end.
Same goes for the healthcare professional on our end. There are many healthcare professionals now that might work from home, now that they can do telehealth. So, we need to make sure that this area is just as private and quiet and needs to replicate the environment that you would expect in a face-to-face setting.
It’s also important to have a backup plan. We all know that technology can fail, and if you are doing a video consultation and it gets interrupted halfway through for whatever reason, it’s good to explain to the patient before the consult how you might continue that consultation, and more often than not, that involves you picking up the phone and calling them back. So, make sure that you’ve got access to a phone number to contact the patient. When you are doing the consult, it’s also important to confirm the identity of the patient. You know you haven’t physically seen them walk into your practice, so we need to do some of those identity checks just to make sure we’re talking to the right person.
Then at the end of the consult, when you are sending information, whether it’s back to the patient, you’re sending them a medical certificate or a prescription, or you might be sending a referral, you may also be sending it to a third party. Again, it’s important to get consent about how you’re sending that information. If you are using things like email, it’s important that this email is sent securely and that might be with password protection or using some sort of encryption software. There are also services where you can send it via a secure website. These are all really important considerations when you’re doing a telehealth consultation just to ensure you continue to maintain that privacy and security and patients’ confidentiality.
Dr. Andrew Rochford (Facilitator): Some great tips there. Is it difficult to get that balance? The need for security with the need for accessibility and convenience for your patients when using telehealth platforms?
Dr. Amandeep Hansra (Medical Doctor, Agency Digital Health Advisor): Telehealth now is a normal part of how we’re delivering care post the COVID-19 pandemic. We’ve seen demonstrated that it provides great access and gives patients choice in how they interact with us. I think it’s important that we continue to offer it, but that doesn’t mean we should compromise any of the quality and safety issues around delivering healthcare.
As long as we adhere to the regulations, both from a state and federal perspective, and that we do maintain those principles of making sure the patients’ data security and confidentiality and privacy are protected. Then there is no reason we shouldn’t be able to continue to offer patients the choice in having telehealth when it’s appropriate, and I think this is something that we as practitioners have now had a lot of experience in. But it’s important to continue to stay vigilant and make sure that all of the pointers and the tips that we’ve given during this discussion that practitioners do take that on board and make sure that they comply with the regulations here in Australia.
Dr. Andrew Rochford (Facilitator): Thanks Amandeep. Oscar? Any final thoughts from you?
Oscar Bem (Acting Director of Privacy): There are a lot of things to think about with privacy and the way you use telehealth. Ultimately it comes down to this: privacy is only difficult if you ignore it. It’s important to engage with privacy early on when you’re developing or updating or selecting new telehealth platforms. If you understand that and make sure your patients are along for the journey, it can really help to be about what privacy is really about, which is basically allowing people to do what they want with their personal information. So that’s really the only tip I would give.
Dr. Andrew Rochford (Facilitator): As we wrap up this discussion on telehealth and cybersecurity, it’s clear that while telehealth offers many benefits, it also presents unique challenges when it comes to data privacy and security. It’s up to all of us in the healthcare industry to stay vigilant and informed about the latest threats and best practices for protecting patient data.
Thank you to our guests for sharing their insights and expertise on this important topic. We hope that this conversation has been informative and helpful to all of our listeners. We encourage you to continue exploring the latest developments in telehealth and cybersecurity. Thank you for tuning in to today’s podcast and we hope to speak with you again soon.