Offering telehealth? Time to update your cyber security risk management

Around the globe, people are using telehealth 38 times more than before the pandemic, and that’s happening for virtual evaluation, advice, diagnoses, and sometimes treatment, says professional services firm KPMG.

We’ve also seen the advent of virtual rooming assistants who admit patients into digital exam rooms. They take notes about medical histories, saving health care providers time and improving their efficacy.

Not only are patients more willing to use telehealth, but providers are meeting the increasing demand. Last year when the pandemic hit, the Department of Health made telehealth more accessible through reimbursements to providers as well as relaxing laws so prescriptions can be made digitally.

The shift presents an opportunity to adopt further, and redesign, how health and allied health practitioners deliver care, be it virtual, virtually enabled, and — when needed — in-person. It’s becoming increasingly popular with venture capitalists, who have tripled their investments in telehealth between 2017 and 2020.

Online security at the forefront

Health providers’ processes for collection, transfer, storage, sharing, and deletion of personal health data are under the spotlight because this data is lucrative material for hackers and cybercriminals. A complete electronic medical record could fetch up to US$1,000 on the dark web compared to as little as US$5 for credit card details.

Top cyber security risks include ransomware, cloud misconfigurations, attacks on web applications, phishing through emails, and botnets. According to IBM, the lifecycle of a data breach in the healthcare sector averaged 329 days, but companies with fully deployed security automation can reduce this by 74 days.

Health care providers are experiencing a higher rate of attacks compared to all industries.

The Australian Cyber Security Centre says it received 166 cyber security incident reports from the sector in 2020, with the most in April. This compares to just 90 the previous year. Overall, six out of 10 incidents affected small-to-medium-sized businesses, typically about compromised computer systems. This has threatened the delivery of health services, interrupted supplies of critical products, caused reputational damage and financial loss to health companies and even endangered patients’ lives, said the centre.

Here’s why your business could be at risk of a cyber security breach:

  • You’re still running Windows 7, which won’t get security updates, so is riskier for viruses and malware
  • Your staff haven’t had any recent cyber security training
  • You don’t have cyber security insurance, or if you do, you haven’t reviewed and updated your cover and limits
  • You may have less staff doing more work or new untrained staff due to virus infections in your workplace
  • Staff working on their own computers remotely to run your telehealth services may not have the latest virus protection on their devices or Wi-Fi.

Ideally, your organisation has a disaster recovery plan that details how you respond to a cyber security incident. Staff should undergo regular practice to implement it. Such a plan should detail how to patch vulnerable systems, a system for data backup, ensuring multi-factor authentication for logins, and refresher cyber risk training.

Boosting awareness of the risks

The Australian Government has stepped in to guide health care providers about improving their cyber security practices. This official digital health website is a portal to upskill cyber security fundamentals, set up a secure environment, secure data, and extra resources. You can also find its cyber security awareness training here.

That’s why it’s timely to talk to us to help you review your insurance cover to make sure your best managing the extra risks of offering telehealth services. Cyber security liability insurance will give you assurance as your business digitally transforms. A customised policy can include cover for:

  • Claims against your business for privacy breaches and the loss of staff, personal or corporate data
  • Damage or loss to your computer systems, data, and records
  • Business interruption that arises from a cyber event
  • Liability due to a virus or hacker attack
  • Costs to negotiate and mediate an extortion attempt, which should involve the police
  • Breaches of statutory duties
  • Fines and penalties against your business because of a privacy breach
  • Defence and investigation costs due to privacy breaches
  • Costs to protecting your brand and reputation.

Let us help guide you through the new risk landscape of offering more of your services online.