The novel coronavirus COVID-19 has changed a lot about what we do in medicine. Perhaps nowhere is it more obvious than in the way clinics provide care. Millions of patient appointments that were scheduled in-person suddenly moved online and became virtual visits. For clinics that weren’t used to operating in this space, it presented some significant challenges. Not only were providers forced to figure out how to provide care in a different way, but office managers also had to contend with the potential cybersecurity and HIPAA risks.
Identifying the Threats
Whenever you conduct business online, you need to be aware of the risk that third parties could gain access to your data. That is definitely true when it comes to cybersecurity risks related to telemedicine and telehealth. As more clinics move patient care online, providing doctor’s visits and other care over platforms like Zoom, FaceTime, and Google Meet, the risk of interruption and data theft increases.
The Centers for Medicare and Medicaid Services allowed clinics to use less-secure platforms during COVID-19 to be able to provide care quickly and without the need for intensive software setups to meet existing privacy and data security requirements. The upside of this is that many clinics that were previously unprepared to provide telehealth and telemedicine could do so on short notice. The downside is that it also left some gaping security holes for hackers to exploit. Zoom callers have infamously experienced hacking in the form of “Zoom-bombing,” where someone interrupts business conference calls and family get-togethers; sometimes they just lurk on the call and listen, while other times they share pornographic images and content.
Another concern is obviously HIPAA security. While many doctors’ offices and medical clinics are well aware of these issues and have appropriate protocols to address them in the clinic, they may not be as prepared to do so over new technology. For example, if providers or clinical staff are meeting with patients over a video chat and don’t have a secure and private workspace, the information that a patient shares could easily be overheard by someone who is not supposed to be privy to it.
Protecting Your Clinic and Your Patients
The best way to protect your patients and your clinic from the risks of data exposure is to have the right software tools. It’s not enough to hope that your own IT team (if you have one) can manage the threats. You need to work with software vendors that have cybersecurity experts to prevent data theft and secure and encrypt the information you are storing and sharing.
You can also take important steps yourself by:
- Creating secure and complex passwords for programs like your practice management software and EHR access
- Providing clinical staff with added security through password manager programs (like LastPass)
- Avoiding personal email, personal phone text messages, or other non-secure platforms to communicate with patients or share patient information; use a secure patient portal instead
- Creating a secure environment for telemedicine visits