Attack Surface on Telehealth

Telehealth and telemedicine face various cyber threats. Healthcare providers, medical device makers, and telehealth platform providers rely on a wide range of regulations and sources of guidance, including HIPAA, Department of Health and Human Services and Food and Drug Administration regulations, and general cybersecurity best practices, to manage these services. However, these regulations do not anticipate the full range of threats that can arise inside the insecure network environment of a patient's home.

Let's review the key areas of risk related to these digital services.


Human Endpoints: Patients and Doctors

Digital healthcare services have a wide attack surface, extending from the online platforms to the healthcare providers, third-party tools and services such as cloud storage and VPNs, remotely available medical devices, and the patients' home networks. However, the most likely point of security analysis is at the two human endpoints: patients and doctors. Many doctors may not be getting sufficient security training for the telehealth platforms they are required to use. Basic security controls such as two-factor authentication and session timeouts can be an impediment or inconvenience, which could lead some medical practitioners to ask the IT department to disable them. Given the rapid rollout of telehealth during this pandemic, there is a significant possibility that some doctors will use their laptops or cellphones to carry out virtual consults.

On the patient side, the situation is more complicated. Many of the current cybersecurity standards that healthcare providers rely upon are best suited for a protected network environment, such as a hospital or medical office. Patient homes are just the reverse. Healthcare providers are receiving sensitive data through an insecure network with multiple users and with other endpoints that are highly susceptible to compromise by malware, including general Internet of Things devices and connected appliances. Unlike with remote employees, healthcare providers cannot expect patients to take security precautions such as tunneling traffic through a VPN or adding a device firewall.


Remote Medical Devices

Remote medical devices also pose distinct challenges. In addition to working within an unprotected patient home network, the devices themselves are more exposed to attack because they are resource-limited and patients have unmonitored, open physical access to them. Devices such as insulin pumps or heart monitoring systems have restricted processing power, data storage, and battery life. As a result, cybersecurity solutions that we would otherwise turn to, such as secure authentication and encryption, may not be suitable options for those devices.


Privacy Risk vs. Damaging Attacks

Cyberattacks on the healthcare industry have been a problem for years, but the COVID-19 outbreak has increased many of these risks, particularly when it comes to ransomware. However, even though these disruptive attacks are rising, the healthcare industry has remained largely focused on the issue of patient privacy, aiming to limit information theft and accidental exposures. The same is true of telehealth and telemedicine. In the emerging field of digital healthcare, providers are mostly worried about privacy risks while not fully accounting for other types of attacks, such as device ransomware and the intentional disruption or sabotage of services.


Next Steps

In the haste to roll out telehealth services, some common security processes have been skipped or streamlined to shorten the time to market. This has raised the level of risk for these services. Service providers need to address these issues by going back, applying security hardening, and turning on key security features. Cybersecurity protections like end-to-end encryption, strong access authentication, multifactor authentication, and active monitoring are all fundamental must-haves.


Source: DARKReading