The importance of security in clinical telehealth

Published by Steven Strange, April 7, 2020

The shift to online medicine and social connection has resulted in the dissemination of a massive amount of personal health and other information. This information has become a treasured target for today’s cybercriminals. The surge to tele-consultations is a trend that is likely to persist beyond the COVID-19 period.

According to SC Magazine, patient privacy may be little more than an afterthought in the development of numerous apps that are quickly springing up around the world to allow patient-to-doctor and patient-to-other communication. In some cases, scraping valuable patient information might even be part of the apps’ business model. There’s precedence for this.

Heather Federman, Vice President of privacy and policy at BigID, is concerned that apps, even well-known products, haven’t updated privacy policies to explain how medical data will be handled. Apps often collect and sell data. Some don’t even de-identify patient information. Everyone should be concerned about that.

The risk of zooming in

Zoom's teleconferencing platform is one that has become more widely used by medical practitioners in recent weeks as the COVID-19 pandemic has forced millions of employees to work at home.  The company's privacy and security practices have come under increased scrutiny and the latest issue to arise is a feature that's designed to help individuals within an organisation quickly connect to others through the desktop app.

According to a report in Motherboard, the feature can expose email addresses, full names and profile photos for certain users when it should not. The issue would also allow a stranger to initiate a chat with someone.  When someone registers with Zoom, Zoom looks to see if others using the same email domain are registered. If so, Zoom adds them to a sub-menu labelled "Company Contacts."

However, multiple Zoom users have reported that they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

One user, Barend Gehrels, who flagged the issue to Motherboard, provided a redacted screenshot of him logged into Zoom with the nearly 1000 different accounts listed in the "Company Directory" section. He said these were "all people I don't know of course." He said his partner had the same issue with another email provider, and had over 300 people listed in her own contacts.

"If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them," Gehrels said. Or you can “Zoom Bomb” their conference. Zoom bombing sounds benign but it isn’t.

Reports of video-teleconferencing hijacking are emerging worldwide. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.

In late March 2020, a Massachusetts-based high school reported that while a teacher was conducting an online class using Zoom, an unidentified individual(s) dialled into the classroom. This individual yelled a profanity and then shouted the teacher’s home address in the middle of instruction.

A second Massachusetts-based school reported a Zoom meeting being accessed by an unidentified individual. In this incident, the individual was visible on the video camera and displayed swastika tattoos.

There are also doubts about Skype's suitability for telehealth and many jokes have been told about the potential to listen in on a consultation about Mrs Smith's haemorrhoids.

Security in telehealth must be baked in

At Health Metrics, we recently launched eCase Telehealth, allowing video-teleconferencing for our customers in Residential Aged Care.  In a first-mover agreement, we decided to leverage the CollabCare TeleConsult platform, which provides virtual health centric tools and has security baked in.

Created specifically for clinicians, the technology is designed with high level security and industry best practice for handling data.  Secure socket layers and layered data encryption allow for sensitive information to stay safe within the system architecture.  All service operations and data repositories reside strictly within Australia.

Features of the system include high definition video conferencing, real-time monitoring, chat messaging, screen and file sharing, calendar integration and major browser support.  The cloud-based technology is compatible with all devices.

Unprecedented times should not result in any long-term removal of our privacy rights, especially in cases where legislation has been rushed through to allow the fulfillment of medically urgent needs for data collection or use.

The privacy regimes in modern, first world countries has been in place for some time now. It operates well in terms of its prescription, as well as its punitive measures. Let’s not throw out the baby with the bath water in the rush to use any old tool to manage communications.

Contact Us