Covid, telemedicine, and risk management transfer
The Covid-19 pandemic has furthered large-scale changes in the behaviour of the American population. Unsurprisingly, one of the most visible resultant changes has been the sudden growth in telehealth services. The use of telecommunications and Internet-based systems to connect patients to physicians, or medical professionals to medical professionals, experienced a meteoric surge in growth in 2020.
One study, made by the major healthcare information technology company Epic Systems, found that telemedicine visits increased 300-fold year-to-year in the first month following the announcement relative to 2019. A similar study made by the Department of Health and Human Services (HHS) found a 350-fold increase from February 2020 to May 2020 for Medicare primary care telehealth visits.
Changes in federal regulation made this extremely rapid growth in telehealth and telemedicine possible. Medicare restrictions that only compensated the use of telemedicine in selected rural locations were lifted, allowing patients to use telecommunications technology at any location (including the home) for medical services that previously had been required to take place in person, with private payers following suit.
The full requirement for an established relationship between the patient and physician was also waived. Because of its socially distanced nature, telehealth has been a lightning rod for established methods of billing fraud, predating the advent of the Covid-19 pandemic. For example, the charges brought against more than 86 defendants by the Department of Justice at the end of September 2020, involving more than $4.5 billion in allegedly fraudulent claims, are characterised by a lack of direct patient interaction or established patient-physician relationships. There has also been an escalation of cyber-specific threats using the growth in telehealth as an opportunity to gain access to sensitive data. Despite the clear challenges, telehealth efforts should be commended and enhanced to reduce long-term healthcare costs and improve access to medical professionals.
From the standpoint of cyber security, the most important waiver has been the discretionary notice made by the Office of Civil Rights (OCR) at HHS that allows certain HIPAA-noncompliant telecommunications applications to be used in the good faith provision of healthcare services during the pandemic. HIPAA, otherwise known as the Health Insurance Portability and Accountability Act of 1996, is the legislative guarantor of patient privacy in the United States, protecting not only the personally identifiable information stored in medical records, but the specific details of the health and medical history of private individuals.
HIPAA’s actual cyber bona fides are mixed at best, and OCR would do well to enforce higher degrees of preparedness and investment against the NIST Cyber Security Framework, which is being adopted more broadly and where more expertise exists. Regulators should also be mindful that frameworks and compliance standards do not result in security - mature programs, practices and resourcing do.
The OCR’s notice allowed healthcare providers to use video chat applications to provide telemedicine services without fear of penalty, specifically naming (without endorsing) Apple FaceTime, Facebook Messenger, Google Hangouts, Skype, and Zoom, while deprecating the use of Facebook Live, TikTok, Twitch, and similar public-facing applications. These applications are distinct from the HIPAA-compliant patient-facing video communication platforms previously developed and approved for telemedicine use.
The patient-physician relationship is the highest-profile interaction in telemedicine, and the one with the largest measured growth. However, this aspect of telehealth is supported by a pyramid of other interactions which have also been affected by the pandemic, mandating work-from-home and offsite access, including the administrative and laboratory functions of the hospital, the clinic, and the physician’s office. It has also affected the spectrum of healthcare business associates, including claims processing and pharmacy benefits management, which may require access to protected health information, as well as conventional healthcare financial and business operations. This entire supply chain should be in focus for regulators and for operational healthcare executives.
The swift adoption and high-volume expansion of third-party telemedicine applications has been crucial in meeting the healthcare needs of patients during the pandemic. However, the widespread adoption of telemedicine has also meaningfully expanded the potential attack surfaces for cyber intrusions. For example, the expansion and intensification of these services have been accompanied by an expansion of new and unfamiliar users of these services among patients, healthcare professionals, and healthcare business associates. Established patterns of user behaviour and even IT staff practices will necessarily change in this environment due to the influx of these new and occasional users.
Many healthcare organisations do not have mature third-party risk management practices or sufficient visibility into their networks. Many more still make widespread use of legacy authentication protocols and lag behind their financial services equivalents in IT modernisation. In this environment, ensuring observability and critical controls are in place is a core business leader responsibility - not just an IT team task. Risk-based security programs require more than buying a laundry list of vendor products tagged against a clumsy risk register. Guiding scenarios for management should be put in place to guide discussions around programs, practices and supporting technology requirements.
The expansion of telehealth functions under pandemic conditions is therefore a lasting shift in the cyber environment, one which provides attackers a greater opportunity to infiltrate and exploit core health and telehealth systems alike. Like all sudden shifts in the environment, however, awareness will be key to an equally agile and adaptive solution.
Establishing the ground truth about health networks with sufficient visibility and capturing enough data to allow for adequate response and forensic analysis of possible cyber intrusion with speed and accuracy is essential to the proper management of this increased risk. Healthcare professionals have experience dealing with many other risk management challenges in their existing delivery of care to patients; often this experience is relevant to cyber risk management. Although the volume of telehealth and telemedicine services may change with the intensity of the pandemic and the needs of patients, healthcare organizations and their business associates will need to adjust to a new normal - technology is increasingly a core dependency. Our healthcare risks are inextricably linked to information technology, and it’s time to act accordingly.
Zoom enters the healthcare market - a timeline
Since the pandemic began, Zoom has become an integral part of daily life for people working from home, as well as a vital tool for families and friends to communicate. However, it has also been eyeing up the healthcare space since 2017, and following the boom in telehealth the company has been rolling out additional services. Here we chart Zoom's move into healthcare.
2011 - 2013
Zoom is founded in San Jose, California, by Eric Yuan, formerly of Cisco. He got the idea to create a video calling platform from his visits to his girlfriend while he was a student, which would take 10 hours by train.
A beta version is released in 2012, which can host up to 15 participants. In 2013 this rises to 25. By mid-2013, Zoom has 1 million users.
2014 - 2017
Zoom attracts investors, including Sequoia Capital, Emergence and Horizon Ventures. By January 2017, Zoom has a series D funding worth $100 million.
2017 - 2019
Zoom for Telehealth launches, including an integration with the EHR system Epic. It has cloud-based video, audio, and content sharing features, a "waiting room" for patients, and can easily be integrated into healthcare providers' workflows.
In 2019 Zoom goes public, with its IPO rising 72% in one day.
2020
As a result of the pandemic, Zoom gains 2.2 million new users, more than in the whole of 2019. On the 23rd of March alone - the day the UK lockdown was announced - the platform was downloaded 2.13 million times around the world.
Share prices rise to around $150, and founder and chief executive Eric Yuan becomes one of the world's richest people, with an estimated net worth of $7.9 billion.
Early security issues are addressed by encrypting data with the Advanced Encryption Standard (AES). By now the platform allows 99 people to be on a call simultaneously.
New features launch, including Zoom Home and Zoom for Chats. Throughout the year the platform is used to replace most kinds of real life events: work meetings, online classrooms, church services and social events.
Renamed Zoom for Healthcare, the service lets users share secured video, audio, and content through desktops, mobile phones, and conference devices. As well as Epic, it can be integrated with Strmr, IntakeQ, and Practice Better.
It can also be used with diagnostic cameras and other point-of-care devices, including digital stethoscopes.
In an interview with Korea Biomedical Review, Zoom Global Healthcare Lead Ron Emerson said: "Our service is not simply a virtual care and telemedicine platform but a multi-purpose platform that can satisfy the needs of healthcare institutions."
"It can be used for administrative tasks, including telemedicine, medical team meetings, recruitment, medical education, employee training, and disease prevention. Analysing electronic records managed by Zoom could provide meaningful insights into patient care."
Phoenix Children's Hospital, Belfast's Hospital Services Limited, Butler Health Services and the global Project ECHO are among Zoom for Healthcare's current customers.