Steps to mitigate cyber risk

The use of cloudbased platforms to send, receive and store patient data in teledermatology adds security risks.

One often-cited benefit of teledermatology is convenience. The patient can connect with his or her dermatologist by smartphone, tablet, or computer at any time and from anywhere, and receive personalized treatment.

But teledermatology’s heavy reliance on mobile devices and use of cloud-based platforms to send, receive, and store patient data create additional security risks. The patient’s active role in the process adds further complications.

MOBILE DEVICES

While mobile devices facilitate communication between patient and provider, they are also aggressively targeted by cybercriminals, as they often lack even basic security. Mobile devices frequently lack password protection or firewalls, have out-of-date operating systems and applications, and are unencrypted. Downloaded apps may contain malware or security vulnerabilities. Mobile devices are also easily lost or stolen. The use of mobile devices on unsecured wireless networks presents another security risk.

Several steps can be taken to minimize the risks of mobile devices:

• Regularly update the operating system and installed apps

• Enable password protection and use strong passwords or biometric authentication

• Enable encryption to make the data on the device unreadable

• Install a firewall to protect against unauthorized connections Install anti-malware and antivirus software to protect against malicious applications, viruses, spyware, and malware attacks

• Install a remote wiping program to delete data in case the device is lost or stolen

• Avoid connecting to unsecured wireless networks

While it is common for many providers to use their personal devices for practice business, using dedicated devices is more secure.

CLOUD-BASED PLATFORMS

Most teledermatology practices use a third-party, cloud-based platform to communicate with patients and store and access patient data. These cloud-based platforms offer many benefits, including simplicity of use (patients and providers can create an account and access the platform often with just a username and password), lower costs (pay a monthly fee rather than having to buy and maintain in-house servers and software), flexibility, and access from anywhere.

But as with mobile devices, with these benefits come security risks.

Using a cloud-based platform means that you are using a third-party’s software to access data stored on that thirdparty’s server, rather than on your own computer.

Hosting data with a third-party vendor increases risk, as the vendor is itself subject to data breaches, account hijacking, insider threat, malware, denial of service attacks, and data loss.

Using these platforms requires clear understanding of the vendor’s security. To determine a vendor’s level of security, consider these questions:

• Does the vendor maintain its own servers or lease space on another vendor’s server?  

• Is the patient data stored on one server or is it spread over several servers?

• Does the vendor offer dedicated servers, or will the practice share a server with other organizations?  

• What are the vendor’s security policies and procedures?

• Does the vendor regularly patch and update its software and vulnerability protection?

• Has the vendor suffered any data breaches in the past, and if so, how has it responded?

• Is the vendor insured against data breaches? 

• Will the vendor’s employees have access to patient data, and under what circumstances?

• Will the vendor provide a service level agreement that covers information security and privacy, network and data access, threat and risk analysis, disclosure and breach reporting requirements, and provides for auditing or verifying compliance?

• Is patient data fully encrypted while stored on the vendor’s servers?

• Does the platform use end-to-end encryption for transmitting data?

• Does the platform use secure logins for both provider and patient with unique identifiers (rather than just a username) and multi-factor authentication (rather than just a password)?

• Does the platform allow a user’s access to be restricted or limited?

A RISK-BASED APPROACH

Every teledermatology practice is different, both in operation and objectives. The risks outlined above are general risks that may apply differently to each practice. Creating an effective cybersecurity program requires understanding and addressing the specific risks to a practice. This can be accomplished by following three steps:

1. CONDUCT A CYBER RISK  ASSESSMENT Similar to a HIPAA risk assessment, a cyber risk assessment examines four areas:

• What assets need to be protected?

• What are the threats to those assets?

• What are the practice’s vulnerabilities to the identified threats?

• What would be the effect of a realized threat to those assets?

The results of the assessment can be used to prioritize risk and determine what areas require the greatest allocation of resources.

2.CREATE STRONG POLICIES AND PROCEDURES Once the risks are identified, create written policies and procedures detailing how to protect the practice from security threats. Common policies include:

• A mobile device policy (whether use of personal devices is permitted or prohibited, what security must be installed on devices, etc.)

• Staff access policy (who can access what data, and for what reason)

• Physical security policy (building access, file storage, servers) 

• Network security policy (email spam filters, firewalls, anti-virus, anti-malware)

• Roles and responsibilities of staff

As cyberthreats are constantly evolving, cyber risk assessments and policies and procedures should be regularly reviewed, at least once a year.

3.PROVIDE MEANINGFUL TRAINING TO STAFF AND PATIENTS Once completed, the policies and procedures should be shared with all staff, and used as a basis for educating staff on cybersecurity. The goal is to enable staff to understand and recognize security threats, understand how the policies and procedures relate to threats, and be aware of their responsibilities in protecting against threats.

As patients represent a security risk themselves through their potential use of unsecured personal devices, unsecured networks, or weak or shared passwords, they should also be regularly educated on the security measures the practice takes to protect their medical data, and how they can help protect their own data. This education can be started as a part of patient intake, and followed up with a short video or handout.

No cybersecurity program is completely secure, but following a risk-based plan as outlined can help mitigate the additional cybersecurity threats faced by a teledermatology practice.

Disclosures:

Joseph E. Guimera is an attorney and founder of Guimeralaw Cybersecurity Advisory where he helps organizations plan, build, and execute cybersecurity programs. He can be reached at jguimera@