Security and Privacy for Telemedicine
Telemedicine is taking the medical world by storm, and one can easily see why. Telemedicine, the remote diagnosis and treatment of patients by means of telecommunications technology, allows healthcare professionals to provide services in ways that were not possible in traditional medical appointments.
While telemedicine may not be perfect, it improves the efficiency and productivity of medical treatment. It not only makes information available to patients electronically, it also offers several options for faster contact with patients instead of bringing them in for a traditional consultation or follow-up, which increases convenience and reduces costs. Patients in remote areas can consult specialists without travelling for each appointment. Remote patient monitoring becomes far easier. Consultation between specialists is also facilitated, improving overall patient care. The virtual doctor is here to stay!
All of this is possible due to advances in technology. But where there is technology, there must be security, privacy and control. With cybercrime and medical identity theft rising at an alarming rate, telemedicine channels, data and equipment are just as vulnerable as traditional treatment channels, if not more so, and therefore must be secured. Telemedicine processes must be as private as a traditional consultation in order to properly safeguard protected health information (PHI). Telemedicine also falls under the scope of HIPAA, so medical practitioners must ensure that their annual HIPAA Risk Assessment covers their telemedicine channels, equipment and processes as well.
Let's look at the steps a medical practice must take to keep its telemedicine channels, equipment and data secure and private.
- In any telemedicine consultation, both parties must authenticate themselves to one another, through passwords and/or other credentials known only to them. Not only must the patient be sure that he or she is talking with the right physician, but the physician must also be confident that the right patient is on the other end.
- The channel of communication (telephone, video, etc.) must be private. Any data transmitted electronically must be encrypted end-to-end, so that nobody between the two endpoints can read it in transit.
- Are all parties in the communication authorized to receive that data? In addition, every user in the electronic consult must have a unique user ID, and sharing of user IDs must be discouraged, since a shared ID makes it impossible to tie an action in the audit log to one person.
- Access alone is not enough: what can that person do with the data? It is important that access control is clearly specified and followed, defining who has the right to view, modify and delete data that is part of the telemedicine transmission.
- The system used should keep sufficient audit logs, and the process at the physician's office should include periodic review of those logs, showing who accessed what data and what was done with it. Denied access attempts belong in the log too, because they are exactly what a review is looking for.
- We have discussed technical controls, but physical controls are just as important. Equipment used for telemedicine consultations should be kept in a private location with access restricted to authorized personnel. Phone and video conversations should be conducted in private so that no unauthorized person can overhear.
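The three software controls above (unique user IDs, a view/modify/delete access matrix, and periodic audit-log review) fit together, and the following Python sketch shows how. It is an added example, not code from the original article or from any telemedicine product: the roles, the permission matrix, the record and session identifiers and the access events are all constructed for illustration. Every access attempt, allowed or denied, is written to the log before anything happens to the record, and the review function then flags denied attempts, deletions, and a user ID that shows up from two different sessions within a short window, which is the audit-trail symptom of a shared login.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> actions permitted on a telemedicine consult record.
# The roles and the matrix are hypothetical; a practice defines its own.
PERMISSIONS = {
    "physician": {"view", "modify"},
    "nurse": {"view"},
    "records_admin": {"view", "modify", "delete"},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user_id: str
    role: str
    action: str
    record_id: str
    session_id: str
    allowed: bool


class ConsultStore:
    """Consult records plus an append-only audit log of every access attempt."""

    def __init__(self):
        self.records: dict[str, str] = {}
        self.audit_log: list[AuditEvent] = []

    def access(self, user_id, role, action, record_id, session_id, ts, payload=None):
        allowed = action in PERMISSIONS.get(role, set())
        # Log first, and log denials too: a reviewer wants to see failed attempts.
        self.audit_log.append(
            AuditEvent(ts, user_id, role, action, record_id, session_id, allowed)
        )
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not {action} {record_id}")
        if action == "view":
            return self.records.get(record_id)
        if action == "modify":
            self.records[record_id] = payload
        elif action == "delete":
            self.records.pop(record_id, None)
        return None


def review_audit_log(events, window=timedelta(minutes=15)):
    """Periodic review: denied attempts, deletions, and one user ID active from
    two different sessions within `window` (a sign the ID is being shared)."""
    findings = {"denied": [], "deletions": [], "shared_id_suspects": set()}
    seen_by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.allowed:
            findings["denied"].append((e.user_id, e.action, e.record_id))
        elif e.action == "delete":
            findings["deletions"].append((e.user_id, e.record_id))
        for prev in seen_by_user[e.user_id]:
            if prev.session_id != e.session_id and e.ts - prev.ts <= window:
                findings["shared_id_suspects"].add(e.user_id)
        seen_by_user[e.user_id].append(e)
    return findings


def run_demo():
    """Replay a constructed sequence of access events and return the review findings."""
    store = ConsultStore()
    t0 = datetime(2024, 1, 8, 9, 0)
    store.access("dr_lee", "physician", "modify", "consult-101", "sess-A", t0, "visit notes")
    store.access("nurse_kim", "nurse", "view", "consult-101", "sess-B", t0 + timedelta(minutes=2))
    try:
        # A nurse may only view; this attempt is denied but still logged.
        store.access("nurse_kim", "nurse", "modify", "consult-101", "sess-B",
                     t0 + timedelta(minutes=3), "edited")
    except PermissionError:
        pass
    # The same physician ID appears from a second session five minutes later.
    store.access("dr_lee", "physician", "view", "consult-101", "sess-C", t0 + timedelta(minutes=5))
    store.access("admin_ray", "records_admin", "delete", "consult-101", "sess-D",
                 t0 + timedelta(hours=1))
    return review_audit_log(store.audit_log)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(category, sorted(items))
```

Run as a script, the demo reports one denied modify by the nurse, one deletion by the records administrator, and `dr_lee` as a shared-ID suspect. The session-window heuristic is deliberately simple; in a real review it would be combined with source address, device and working-hours checks, but the principle is the same: without unique IDs per person, none of these findings can be attributed to anyone.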
In summary, physicians should ensure that their annual HIPAA Risk Assessment addresses their telemedicine service in depth, reviewing data privacy, security controls and physical security. Incident response plans must cover telemedicine channels and equipment so that appropriate action can be taken in the event of a breach of medical data. Every step must be taken to protect protected health information (PHI) in telemedicine with at least the same security and privacy processes used in all other areas of healthcare operations. Telemedicine can be very effective, providing the right care in the right place at the right time to the patients who need it; all it requires is implementing the right controls for the right levels of safety, security and privacy.
By Rema Deo.