In 2019, more than 759 healthcare providers were hit with ransomware.[1] Meanwhile, 2020 showed us the necessity of creating new digital channels to enable critical care. Scrambling to keep patients and doctors connected, many healthcare organizations leveraged new telehealth capabilities as the 2020 pandemic arose.
But is telehealth safe? Or is it placing healthcare organizations at an additional security risk?
We consider some of the risks — and how to stay protected.
Healthcare Organizations Are Already Under Attack
In 2019, healthcare data breaches cost the industry over $4 billion. Overall, 93 percent of healthcare organizations have experienced a data breach in the last three years, with 57 percent facing more than five data breaches.[2] The sharp increase in successful attacks by criminal and nation-state-backed hackers illustrates how attractive and vulnerable these healthcare enterprises have become to exploitation.
Healthcare providers in particular remain highly susceptible to ongoing attacks. And the damage, when it is inflicted, is costly to recover from. Healthcare organizations spend more than all other sectors on data breach recovery — about $1.4 million to recover from a cyberattack.[2] Moreover, since 2015, more than 300 million healthcare records have been stolen, affecting about one in every 10 healthcare consumers.²
When it comes to telehealth, it is essential to bear in mind the risks associated with the technology used to deliver telehealth. It is crucial to assess the ways in which sensitive data could be accessed by hackers — and the consequences, if that were to happen.
Considering the Risks
- Consider what — and who — could be exposed: In addition to “traditional” healthcare data, telehealth can potentially give hackers a glimpse at everything from a patient’s appearance to the home environment or broader workplace.
- Poor data control can mean HIPAA violations: Fail to secure your telehealth data adequately and you could face a HIPAA violation. Healthcare organizations face regulatory compliance implications if their systems are not properly secured.
- Generic access can invite danger: Setting up telehealth systems with generic logins that don’t tie back to the organization’s core authentication structure — for example, being tied to a room rather than individual user — can invite unnecessary risks.
It’s clear that attackers have no intention of slowing down their malicious healthcare-focused activity, despite the ongoing pandemic. Recently, even the US Health and Human Services Department witnessed an attack; as have dozens of medical institutions globally.
The prospect of malicious actors targeting devices connected to telehealth systems adds an additional layer of concern. Besides the fact that such attacks could be fatal, hackers can infiltrate these devices to steal personal health information, demand ransom from devices manufacturers, or leverage vulnerable devices as gateways to access larger networks.
LogRhythm Telehealth Security
However, there are solutions. The LogRhythm NextGen SIEM Platform offers comprehensive, single pane-of-glass visibility into legacy systems and cloud-based solutions, including telehealth and telemedicine. LogRhythm can help bridge detection and response for security threats by correlating that information with health records violations and other healthcare operational technology, such as medical devices and physical security. As a result, LogRhythm enables you to quickly respond to threats and prevent breaches of electronic health record (EHR) data.
To learn more about securing telehealth systems and patient data read the use case for our NextGen SIEM, here.
[1] Ransomware Attacks on Healthcare Providers Rose 350% in Q4 2019, 2020
[2] Data Breaches Will Cost Healthcare $4B in 2019, Threats Outpace Tech, 2019