Cybercriminals see opportunity in the rise of remote health care

Martin Daks//November 16, 2020

Telehealth, electronic medical records and other hi-tech health care advances continue to drive patient-care improvements. But many of them also raise new legal questions.

John Fanburg

For the most part, telemedicine and telehealth legal issues are governed at the state level, according to John Fanburg, managing member at Brach Eichler LLC and chair of the law firm’s health care law practice. “Before the COVID-19 pandemic, an out-of-state health care professional generally needed to be licensed in New Jersey before they could render remote services to a New Jersey resident,” Fanburg noted. “However, that’s been modified, so during the pandemic a provider who’s not licensed in New Jersey can generally provide services to residents here, as long as they meet certain requirements.”

Senate Bill 2467, which passed in July, does provide for certain conditions, including that “a health care practitioner must be validly licensed or certified to provide health care services in another state or territory of the United States or in the District of Columbia, and is in good standing in the jurisdiction that issued the license or certification.” In addition, “the health care services provided by the health care practitioner using telemedicine and telehealth are within the practitioner’s authorized scope of practice in the jurisdiction that issued the license or certification.”

“So just because you can provide services through Zoom or another platform, the physician still has a responsibility to make sure they can provide medical services appropriately,” added Fanburg, who recently had a remote session with a physician. “I understand that the COVID-19 social distancing concerns have sparked a jump in acceptance by physicians and their patients, which isn’t unusual since it means less travel for the patient, and less exposure for them since a person doesn’t have to spend time around other people who may be ill. Additionally, some third-party payers are being more supportive of reimbursing patients for telehealth visits. But it remains to be seen if that trend will continue once the pandemic is brought under control.”

With a jump in the number of COVID-carrying and at-risk individuals who are under health-related stay-at-home orders, particularly in New Jersey, some technical Health Insurance Portability and Accountability Act of 1996 security regulations have been relaxed in a bid to make it easier for them to access medical care, Fanburg noted. “But health care providers must ensure they make a reasonable effort to safeguard sensitive patient data,” he said, by taking steps like encrypting email activity to secure the information. “If you are hacked, I advise clients to report it to the proper authorities, instead of trying to hide it. As long as you can document that you took reasonable steps to protect the information, authorities will usually work with you.”

Of course the key phrase — in a hack or other event — is “reasonable precautions.” Fanburg pointed to a New Jersey psychologist who was previously sanctioned for revealing confidential patient information when he turned over delinquent receivables to his practice’s collections lawyers.

“From what I’m reading in the health care trade publications, a tremendous number of HIPAA violations stem not only from hacking, but from such simple activity as lost or stolen laptops containing sensitive patient information,” he noted. “It’s a very serious issue, and I advise clients about their legal exposure, and the need for internal and external compliance and training programs.”

Convenience and risk

Diane Reynolds

A remote health care visit may be safe and convenient, “but it can also be more difficult to verify that the person on the other end is really who they say they are,” warned Diane Reynolds, a partner at law firm McElroy, Deutsch, Mulvaney & Carpenter, LLP, whose focus includes privacy and data security. “Password protection with dual authentication can help.”

So far, at least, she hasn’t seen a jump in remote health care, medical Internet of Things, and other med-tech-related lawsuits, “but it’s still a new area that got a big push from the pandemic,” said Reynolds. “We’ve been advising clients about the need to keep their anti-virus software updated, and about other precautions; and we’re working with a third-party tech group on best practices. Still, things are evolving constantly.”

COVID-19 is spurring more individuals to avoid in-person interactions and office visits with medical care providers, but it’s not the only driver, said Karen Painter Randall, a partner at Connell Foley LLP and chair of the law firm’s Cyber Security & Data Privacy practice. “Telehealth connected devices like inhalers and Apple Watch monitoring apps also assist medical providers in collecting data” used to treat elderly patients and those in rural areas, she added. “However, adopting this technology presents serious potential cybersecurity and privacy liabilities for patients, medical providers and even insurance companies. Health care providers have a legal and ethical obligation to safeguard a patient’s protected health information. The U.S. Department of Health and Human Services has issued guidance to providers, including refraining from conducting telehealth services in a public setting and/or using speakerphones. A cybercriminal can exploit a vulnerable, unvetted third party telemedicine platform.”

Karen Painter Randall

Randall also advised providers to “consider using end-to-end encryption, multifactor authentication and secure logins. Also, research American Medical Association-acceptable platforms and vendors, and make sure you monitor new risks or vulnerabilities applicable to your telehealth technology. Consider also transferring any risk via a cyber liability or malpractice insurance policy.”

There are some carveouts. During the COVID-19 pandemic, “the HHS Office for Civil Rights announced that it would not penalize health care providers for HIPAA noncompliance if they provided telehealth services in good faith and the platform used was not public facing,” Randall added. “One permitted disclosure includes making available — to an EMS dispatch — a list of individuals who have tested positive for COVID-19. The dispatch may disclose the identity of the infected person to EMS personnel responding to a call if there is a risk of infection. Also, 911 call centers are permitted to share PHI about the individual with law enforcement and other first responders if the individual has been exposed to the virus or has contracted COVID-19 — to allow the first responders to take extra precautions, such as by wearing PPE.”

Smart medical, or internet of medical things devices, also “come with security and privacy challenges for health care providers,” she cautioned. “Connected medical devices have been repeatedly targeted by cybercriminals causing attacks that seriously harm facilities and patients. Manufacturers of connected medical devices, like insulin pumps or pacemakers, must take security into consideration at the time of product design to ensure firmware and software meet acceptable standards.”

An unsecured medical device on a health care network “can be used as a beachhead to infiltrate the facility’s network or servers resulting in the installation of malware and detonation of ransomware,” warned Randall. This vulnerability can lead to “the unauthorized access and exfiltration of protected health information and in some cases the publishing of sensitive healthcare information on the ransomware group’s ‘Wall of Shame.’ Medical devices must be tested for safe coding and cybersecurity before being procured and used by medical institutions and providers. As the sophistication of connected medical devices grows, so must the FDA guidance on device security and safety. As such, it is important that any organization using IoMT understands the technology being used, and takes efforts to eliminate and/or mitigate any vulnerabilities.”

Even simple devices can present a hacking risk

The COVID-inspired jump in remote-medical treatment has opened up new cybersecurity concerns, but even before then, health care professionals had plenty to worry about, according to Lani Dornfeld, a member at Brach Eichler LLC.

“Today there’s a wide array of machines and equipment that store or transmit health care data, which means there’s more opportunity for cybercriminals,” said Dornfeld, whose practice includes counseling clients on such regulatory and compliance matters as HIPAA, OSHA, and corporate compliance. She also assists with developing and implementing policies, procedures, and training required by these laws. “In addition to computers, mobile and wearable devices, the portable dictation machines used by many doctors also store sensitive data. These and other devices are like tiny computers, so healthcare providers need to perform risk assessments to safeguard the data, and purchase the devices from appropriate, vetted vendors.”

Another law firm, McElroy, Deutsch, Mulvaney & Carpenter, LLP, is helping a client determine how a ransomware hacker paralyzed its systems. “A medical group based in the northeast part of the country paid the ransomware and its system was released,” said Diane Reynolds, a partner in McElroy Deutsch’s privacy and data security group. “We were called in after the files were frozen, and we helped to negotiate a solution. Now we’re trying to see if the hacker got into their system because of employee error or another reason.”