I recently registered as a patient on a leading telehealth provider’s website. I was very surprised by the lack of identity assurance. The only verification requested was my insurance card, and I had the option of skipping that step since insurance is not a prerequisite for service. WOW! In an era of stolen credit cards, stolen identities and ever-prospering cybercrime, this is really not acceptable.
Telehealth can become a game changer in how care is delivered, and a very welcome one at that. However, it lacks even the basic security mechanisms put in place by other heavy lifters in the digital services community, such as banking and personal finance. I have attempted to find out why that is and whether telehealth may put us, as patients, at risk for cybercrime and ID theft.
HHS defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications”.
As wonderful as telehealth is, it comes with risks, particularly around trust and security. I am well aware that telehealth service providers are HIPAA compliant, but that is really just the floor in terms of security. With our healthcare system in the crosshairs of cyber criminals, “the floor” is no longer acceptable.
Some states require that the healthcare provider and the patient meet in person before engaging in telehealth, while others have no such requirement. There needs to be a solid chain of trust throughout the system. That starts with knowing that the parties involved are who they claim to be. Is the patient really who they say they are? Perhaps it is the patient’s brother, an identical twin. Most important, is the healthcare provider who they claim to be? Are they licensed? As strange as it seems, this basic step is omitted from telehealth laws, thereby exposing this 21st-century technology to fraud, identity theft, medical record errors and potential lawsuits.
As with all areas of healthcare, telehealth requires accurately identifying the patient. HHS cautions on its website, “Processes related to patient identification are complex and require careful planning and attention to avoid errors.” The fact is, physicians and other providers are trained in medicine and are typically not trained to identity-proof patients, nor should they have to be bothered with it. Identity proofing should be performed by a third party, certified by a US Government-approved Trust Framework Provider (TFP), such as SAFE Bio-Pharma or the Kantara Initiative, at NIST’s Level of Assurance 3.
Moreover, patients have a right to know that the person on the other end of a videoconference call is really a doctor. An imposter posing as a physician and practicing medicine is not only breaking the law; it will also undermine trust in the entire telehealth movement.
Beyond identity proofing, authenticating into telehealth systems needs to provide higher confidence and trust. Issuing a static password for parties to access telehealth is not acceptable and could lead to hacking and the compromise of protected health information. To quote former Secretary of Homeland Security, Michael Chertoff, “A closer examination of major breaches reveals a common theme: In every ‘major headline’ breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.” 1
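To make the “beyond a static password” point concrete, here is an added example of time-based one-time-code verification (RFC 6238 TOTP over RFC 4226 HOTP). It is not code from this post, from VASCO, or from any telehealth provider. The key is the published RFC test key, not a real credential, and the `TotpVerifier` class, its clock-skew window and its replay check are my own illustrative design. What it shows: the secret never crosses the wire, each code is valid only for one 30-second step, a code that has already been accepted is refused a second time, and the comparison is constant-time.

```python
"""TOTP (RFC 6238) verification, added as an illustration of
second-factor authentication that goes beyond a static password.
Not code from the original post or from VASCO.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference test key (ASCII "12345678901234567890").
# A test vector, NOT a real secret.
TEST_KEY = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Hypothetical server-side check (my design, not a standard API):
    accept a code from the current time-step or its immediate neighbours
    to tolerate clock skew, and never accept the same time-step twice."""

    def __init__(self, key: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.key = key
        self.window = window
        self.step = step
        self.last_accepted_counter = -1   # highest time-step already consumed

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue                  # replay of an already-used step
            expected = hotp(self.key, counter)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through at fixed timestamps so the run is reproducible.
    v = TotpVerifier(TEST_KEY)
    code = totp(TEST_KEY, 59)
    print("code at t=59:", code)                 # 287082 (RFC 6238 vector, 6 digits)
    print("first use accepted:", v.verify(code, 59))   # True
    print("replay accepted:", v.verify(code, 59))      # False: step already consumed
    print("static guess accepted:", v.verify("000000", 59))  # False
```

The `hotp` and `totp` functions can be checked against the vectors in RFC 4226 Appendix D and RFC 6238 Appendix B (for example, counter 0 gives `755224` and Unix time 59 gives `94287082` in the 8-digit form). The replay check is the part a static password can never offer: even a code captured in transit is worthless once its time-step has been used.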
I look forward to utilizing telehealth in the future, but I will seek service providers that have taken the proper steps to know that I am who I am and also have elevated security and authentication beyond the HIPAA Security Rule’s floor to protect my privacy and security.
For more details about VASCO’s security solutions for healthcare visit https://www.vasco.com/solutions/healthcare-information-security/index.html