by Calvin Hennick
When the COVID-19 pandemic prompted strict restrictions across the country, healthcare systems scrambled to move much of their operations to a telehealth model, in line with safety protocols.
But even as providers were rapidly rolling out new telehealth solutions, they knew they needed to do so in a way that didn’t compromise sensitive patient information.
“We’re all aware of how many new ransomware attacks have occurred in the past 18 months around the world,” says Aloha McBride, global health leader for EY. “These types of attacks have accelerated as health systems quickly adopted new technologies, which was sometimes more about speed to take care of patients rather than security, due to COVID-19. There is no doubt these capabilities around telehealth made a huge difference for access to patients.”
The pace and scale of telehealth offerings over the past year were certainly “an incredible area of rapid evolution,” she says, but cybercriminals targeting the industry are also sophisticated and looking for any opportunity to attack.
As a result, organizations are securing telehealth by relying on the robust features of the platforms themselves, backed by multifactor authentication and virtual desktop infrastructure.
“It’s been a period of very quick learning by healthcare systems in terms of the controls and mitigations that they need to put in place,” McBride says.
Telehealth Expansion During the Pandemic
Phoenix Children’s Hospital in Arizona implemented Zoom for telehealth years before the health crisis. But as with other hospitals, the pandemic forced the health system to rapidly expand its offerings.
Early on, the IT department stood up a Zoom Room for each doctor at the hospital. Within 12 days, the solution was fully integrated into the hospital’s electronic medical record system.
“First and foremost, the platform had to be secure and compliant,” says David Higginson, executive vice president and chief innovation officer at Phoenix Children’s. At the same time, Higginson says, hospital officials wanted to make it as easy as possible for clinicians and patients to connect.
“There’s a lot of stress about getting to the right place at the right time, so we try to make that as easy as possible,” he says.
The hospital largely relies on a Zoom feature that automatically generates passwords. When patients and their families click on the links that the hospital sends out via text message, the passwords ensure that a malicious actor or “Zoom bomber” can’t join a session. And because the passwords are generated automatically, they don’t create extra friction for patients trying to join their appointments.
“If you were a random person trying to join by iterating through meeting ID numbers, you wouldn’t be able to get in because of the additional password,” Higginson says.
The hospital texts Zoom links only to the cellphone numbers that families provide during the registration process. But the hospital still requires patients and families to answer security questions before they gain entry to an appointment, just in case a link is somehow sent to the wrong phone number.
When physicians work remotely, they must connect to Zoom appointments through a VPN. The hospital also prevents appointments from being recorded.
“The security in the platform itself was surprisingly robust,” Higginson says.
These security measures will allow Phoenix Children’s to continue using telehealth well into the future, especially to treat patients with chronic conditions who live far from the hospital.
Before the pandemic, Higginson says, one family traveled across the state three times a week for appointments. Today, 75 percent of that family’s appointments are done through telehealth. The patient’s mother told hospital staff: “We got our life back.”
Virtual Care Improves Patient Satisfaction
In response to the pandemic, the Georgia Department of Public Health needed to find a way to remotely offer more than 30 different specialty services to patients, including infectious disease management, follow-up visits for people with sexually transmitted diseases, speech therapy, children’s services and pulmonology.
Health officials chose Webex, which allowed the agency to seamlessly integrate new workflows with its existing Cisco and videoconferencing solutions, scheduling, direct expansion units and room kits. The solution also fit the agency’s need for a secure platform that met HIPAA requirements for patient privacy.
“Our patients have really loved it,” says Suleima Salgado, the agency’s director of telehealth and telemedicine.
She says many patients in remote areas had already been accessing specialty services via telehealth at local county health clinics. When pandemic restrictions kicked in, many of these services were pushed out to patients’ homes.
“That was one of the thoughts behind it: Let’s pick a platform that is comfortable for everyone, regardless of their technical experience,” she says. “Webex lets us send a link to their email and say, ‘Join at this time. Let’s meet.’”
Appointments can now be more of a family affair. “We’re able to integrate a lot more family members into sessions now,” Salgado says. “We can have mom and dad, grandma and any other caregivers all join the meeting.”
Webex enables the agency to lock meetings once patients and caregivers have joined, ensuring that no one else can gain access, even if they were to somehow get credentials.
Also, Salgado adds, the setup allows only one-way traffic. “We can dial out, but no one can dial in to our network without prior coordination and clearance on our end,” she says.
As the agency expanded its telehealth offerings and pushed appointments into people’s homes, Salgado says, its primary security concern was the potential for hacking live meetings.
“We came to a good mutual understanding with Webex through a formal business associate agreement, which outlines who had what responsibility and how much data encryption was behind the solution,” she says. “Knowing that we had the compliance and ways to secure live meetings is really what sold us.”
Adapting with Security in Mind
“Before the pandemic, we were doing virtually no telehealth — no pun intended,” says Dr. Stephanie Lahr, chief medical information officer for Monument Health, a community-based, integrated healthcare system with headquarters in Rapid City, S.D.
The organization quickly rolled out a telehealth offering to nearly every provider across Monument Health’s five markets, which cover several hundred square miles. At the height of the pandemic, Monument Health conducted 600 to 800 telehealth visits each day, accounting for the majority of all outpatient visits.
“We looked at three different companies during the course of one morning, and by that evening we signed a contract,” Lahr says. “Two days later, it was live.”
Although the initial rollout was successful, the organization is now transitioning to Microsoft Teams, which will provide better integration with Monument’s electronic health record system. Teams will also enable features such as group appointments so that multiple providers or patients’ family members can join.
Monument kept some clinicians at home on a rotating basis to avoid internal spread of COVID-19. For clinicians working remotely, the organization relied on a secure virtual desktop infrastructure connection with multifactor authentication. Also, to protect patient privacy, clinicians had to ensure that their home workspaces were in closed rooms without interruptions, and they were prohibited from printing at home.
Monument recently completed the first year of a comprehensive three-year network overhaul, replacing its legacy equipment with Aruba Edge Services Platform infrastructure. Lahr says the network refresh will add another layer of security through measures such as network segmentation.
“If there’s something that is inherently more vulnerable to attack, we can segment that off,” she says. “We’re not left with that being a portal to the rest of our network.”
Security is a top concern when offering telehealth solutions. “Early on in the pandemic, people were using platforms that were not necessarily confirmed to be HIPAA compliant,” Lahr says. “I totally get why people were doing that; we were all looking for fast and easy. But because we went with a solution that had encryption and authentication built in, we knew we were meeting our compliance burden.”