LinkedIn Twitter Facebook Share this page RSS


Healthcare Law BlogLegal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

Telehealth and Cybersecurity Amid the Pandemic

June 30, 2020 | Paul Penticuff and Megan Sterchi Lammert
“The New Normal.” “Social distancing.” “Stay home.” “Unprecedented.”
You’ve probably heard the above phrases more than once, twice, or fifty times over the past couple of months during the COVID-19 pandemic.  Almost all aspects of life are changing and/or have changed, including the way in which we are seeking medical care.

Indeed, telehealth is rapidly becoming a new normal” for routine healthcare visits, a market predicted to reach more than $130 billion worldwide by 2025 and $10 billion by the end of 2020. What is telehealth? According to the U.S. Department of Health and Human Services, Office for Civil Rights, it is “the use of electronic information and telecommunications technologies to support and promote long-distance clinical healthcare, patient and professional health-related education, and public health and health administration.” 

Examples of telehealth and its technologies include: mobile and/or wireless health platforms, real-time interactive services, such as teleconsultation and telenursing, and remote patient monitoring (such as for diabetes, weight gain/loss, and dementia), which are available via the internet, video, steaming media, webcam, live chat and/or video conference.

While innovative, convenient, and helpful to our society, especially in these challenging times, such telehealth programs have also raised concerns about cybersecurity risks to healthcare organizations and the public as healthcare organizations continue to speed toward implementing these programs. Examples of such cybersecurity risks include hacking and data breaches, phishing attacks, ransomware threats, loss or theft of equipment, data loss, and medical device attacks. These threats are especially concerning considering HIPAA privacy requirements. However, during the COVID-19 pandemic, organizations implementing telehealth programs will not likely be penalized by the HHS, Office of Civil Rights for HIPAA violations should the programs fail to comply with the required regulations, as long as they are using non-public facing remote communications in good faith. This leniency is not likely to last forever though.

What makes these threats possible? The fact that these telehealth systems heavily rely on the Internet. Further vulnerabilities of such systems include weak passwords, insecure network services, lack of secure updates, lack of privacy protection, outdated antivirus software, lack of secure data transfer and storage, and lack of device management.

However, to provide some protection, the following non-public facing remote communications are currently permitted: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom and Skype. These types of communications use end-to-end encryption, allowing only the person or persons communicating on each end to see what is transmitted, require personal accounts, logins, and passwords, and provide the users some control over how the communication occurs (i.e. video, sound, etc.). Not included in this list are Facebook Live, Twitch, TikTok, and similar video communication applications, as they are public facing. Such public facing forms of remote communication are not secure for such telehealth programs due to being open to the public and permitting more open and uninhibited access to the communications taking place.

Telehealth is likely here to stay, which is why it is so important that organizations and individuals ensure that steps are continuously taken to protect the platforms from breaches and protect users’ private information. There are many other organizations providing continuing recommendations of how to mitigate and otherwise address cybersecurity risks and actual breaches. See American Hospital Association and National Institute of Standards and Technology.  To learn even more about cybersecurity risks and practical approaches to effectively defending against and/or addressing breaches, BSCR previously did a three part series on cybersecurity risks, which can be accessed here, here, and here.
About Healthcare Law Blog

The BSCR Healthcare Law Blog examines issues of interest to healthcare providers in emergency departments, hospitals, private practice, ambulatory surgery centers, pharmacies, urgent care centers, EMS, long term care facilities, home health care and more. Learn more about our Healthcare Law practice.


The Healthcare Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.


Do not include confidential information in comments or other feedback or messages related to the Healthcare Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Healthcare Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


For Important Legal Updates and Resources on the Coronavirus Click Here.