Report: Legacy Equipment Puts Telehealth Consumers’ Data At Risk


Telehealth services have expanded exponentially over the course of the pandemic due in part to the Trump administration’s decision to relax enforcement of the industry’s privacy regulations.

A significant majority—73%—of healthcare organizations providing telehealth rely on equipment running legacy operating systems, which no longer receive vendor security patches and so leave known vulnerabilities open, and about a third say patient data was compromised during telehealth sessions in 2021, according to a report from Kaspersky.

“The more complex and critical technology is, the more awareness it requires from people who work with it,” said Denis Barinov, head of Kaspersky Academy, in a Dec. 20 press release accompanying the report. “This is particularly important for the healthcare industry entering the new digital stage and increasingly facing issues connected to privacy and security.”

The cybersecurity firm interviewed hundreds of practitioners from healthcare organizations across the globe to investigate the data security of telehealth services, the availability of which has ballooned in the U.S., aided by government efforts to adapt to the pandemic.  

On Dec. 21, the Federal Communications Commission announced its approval of another 68 applications for funding through a COVID-19 Telehealth Program it launched in April 2020. 

“This is the FCC’s fifth funding announcement of approved Round 2 applications, bringing the total to over $208 million awarded to health care providers in each state, territory and the District of Columbia,” according to a press release from the agency.

But industry observers have expressed privacy and cybersecurity concerns about the government’s decision in March 2020 to relax enforcement of the Health Insurance Portability and Accountability Act for telehealth, a step intended to expand remote care, relieve demand on healthcare workers and reduce the spread of the virus. The HHS Office for Civil Rights did not change the HIPAA rules themselves; it announced it would not penalize good-faith telehealth that fell short of them.

“Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that [the Office for Civil Rights] might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” the Department of Health and Human Services wrote.

That enforcement discretion applied only to non-public-facing products; the same notice stated that public-facing services such as Facebook Live, Twitch and TikTok should not be used for telehealth. The Kaspersky report suggests more than half of telehealth practitioners rely on such third-party services, and home devices like smart speakers are amplifying the risks, according to the National Institute of Standards and Technology.

“Practitioners may find challenges associated with deploying mitigating controls that limit cybersecurity and privacy risk given that devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software,” the agency wrote in the abstract for an upcoming practice guide on the issue. 

NIST said practices and guidance available for safeguarding computer systems—the ability to provide usernames and passwords, for example—may not be applicable because “smart home devices use voice command and response, which differ from text- or graphic-based user interfaces.” 

Some lawmakers see telehealth as a tool to advance equity beyond the pandemic and have called for measures like the relaxation of HIPAA enforcement to become permanent.