TLP White
In this edition of Hacking Healthcare, we explore how the rise of telehealth in the wake of COVID-19 has created opportunities to showcase both its many benefits and new privacy and security vulnerabilities. Additionally, in a follow-up to last week, we dive into how a major COVID-19 contact-tracing partnership between Google and Apple impacts the privacy debate.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
1. Telehealth’s Rise Introduces New Vulnerabilities.
COVID-19 has forced healthcare organizations and the patients they serve to drastically adjust how they interact with each other. From added protective equipment, to instances where the mildly sick are advised to avoid healthcare facilities to lessen the burden on limited resources and avoid the risk of more serious infection, COVID-19 has upturned conventional treatment options. Telehealth, despite being a still evolving approach to healthcare, is quickly growing to fill gaps created by the viral outbreak.
Within a short span of time, and aided by the easing of government regulations, the broader healthcare sector has developed new telehealth related services and greatly expanded telehealth capacity.[1] All of which has been needed as demand has increased precipitously since March. For example, Kaiser Health News reported “the Cleveland Clinic is on track to log more than 60,000 telemedicine visits in March,” whereas that health system previously “averaged about 3,400 virtual visits a month.”[2] Additionally, NYU Langone Health has seen their average of 50 virtual visits a day skyrocket to around 900 per day in late March, and Teledoc saw a 50% increase in usage in March in comparison to February.[3]
Two of the key drivers in this uptick in telehealth usage are the relaxation of regulations that previously prohibited or restricted the types of technologies that could be used by healthcare providers to provide telehealth, as well as the expansion of benefits to cover telehealth services. The relaxation of certain HIPAA requirements has even gone so far as to allow video consultations and teleconferencing on the personal phones of healthcare providers.[4] While these changes appear welcome under the current circumstances, it does introduce new privacy and security vulnerabilities that the US Department of Health and Human Services (HHS) is keen to remind healthcare organizations to consider.[5]
While HHS has specifically mentioned Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype as products that could be used without risk of compliance violations, they note that telehealth providers should be aware that “these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.”[6] Furthermore, HHS encourages that they disclose the potential increase in risk to their patients.[7]
2. Apple and Google Develop Contact-Tracing Partnership for COVID-19.
In a follow-up to last week, Apple and Google have announced they will be partnering to develop a technology for their devices that would allow users to opt into secure and anonymous contact-tracing for COVID-19.[8] The ubiquity of Apple’s iOS and Google’s Android OS have led some to estimate that the potential reach of this initiative is around three billion individuals worldwide.[9] However, the partnership will allegedly develop their technology in a two-stage process and may not be fully implemented until after COVID-19’s peak in many countries.
Stage one appears to be on target for a mid-May roll-out. This initial step will see the creation of an application programming interface (API) for iOS and Android OS that allows public health organization applications to connect.[10] The API will use a device’s Bluetooth capability to monitor the proximity to other devices. If the owner of the device comes into contact with another device belonging to someone who later tests positive for COVID-19, an alert will be sent to that individual.[11]
Stage two, targeted for June, would remove the need to download an application and would directly imbed contact-tracing into the operating systems themselves. However, this second stage will still require the user to opt in, and some form of application will be required for the user to be able to notify the system if they test positive.
While Bluetooth has been a feature of numerous 3rd party contact-tracing proposals over the past few weeks, direct involvement by Google and Apple has the potential to optimize the technology to the fullest. Apple currently imposes limits on Bluetooth access as a privacy measure, and both Apple and Google are in a position to maximize battery life and power efficiency for what will need to be an ‘always-on’ feature.[12]
Congress –
Tuesday, April 14th:
– No relevant hearings
Wednesday, April 15th:
– No relevant hearings
Thursday, April 16th:
– No relevant hearings
International Hearings/Meetings –
– No relevant hearings
EU – No relevant hearings/meetings
– No relevant hearings
Conferences, Webinars, and Summits –
–H-ISAC Security Workshop – Cambridge, MA (POSTPONED)
https://h-isac.org/hisacevents/h-isac-security-workshop-cambridge-ma/
–H-ISAC Security Workshop – Atlanta, GA (POSTPONED)
https://h-isac.org/hisacevents/h-isac-security-workshop-atlanta/
–H-ISAC 2020 Spring Summit – Tampa, FL (CANCELLED)
https://h-isac.org/summits/strike-back-summit/
–2020 Asset Management Trends: As IT Complexity Increases, Visibility Plummets by Axonius – Webinar (4/14/2020)
https://h-isac.org/hisacevents/axonius-asset-management-trends/
–H-ISAC Monthly Member Threat Briefing – Webinar (4/28/2020)
https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-7/
–H-ISAC Security Workshop – Frederick, MD (6/9/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-frederick-md/
–AAMI Exchange – New Orleans, LA (6/12/2020-6/15/2020)
https://h-isac.org/hisacevents/aami-exchange/
–H-ISAC Security Workshop – Lisbon, Portugal (6/17/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-lisbon-portugal/
–H-ISAC Security Workshop – Buffalo, NY (6/23/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny-2/
–H-ISAC Inaugural APAC Summit – Singapore (6/23/2020-6/25/2020)
https://h-isac.org/summits/apac-summit-2020/
–Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (7/17/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426497
–Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426499
–Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426517
–H-ISAC Security Workshop – Greenwood Village, CO (9/16/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-greenwood-villiage-co/
–Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/427126
–Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)
https://h-isac.org/hisacevents/summit-on-security-third-party-risk/
–Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840
–CYSEC 2020 – Dubrovnik, Croatia (10/27/2020 – 10/28/2020)
https://h-isac.org/hisacevents/cysec-2020-croatia/
–H-ISAC Security Workshop – Mounds View, MN (10/27/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny/
–Healthcare Cybersecurity Forum – Pacific Northwest – Seattle, WA (10/28/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428886
–Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)
https://h-isac.org/hisacevents/healthcare-cybersecurity-forum-california-2/
Sundries –
–Federal agencies recommend U.S. bar China Telecom over cybersecurity concerns
https://www.cyberscoop.com/executive-branch-agencies-recommend-us-bar-china-telecom/
–Meet dark_nexus, quite possibly the most potent IoT botnet ever
–Congress Hears Options—And Concerns—for Using Smartphone Data to Fight COVID-19
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
[2] https://khn.org/news/telemedicine-surges-fueled-by-coronavirus-fears-and-shift-in-payment-rules/
[3] https://khn.org/news/telemedicine-surges-fueled-by-coronavirus-fears-and-shift-in-payment-rules/
[4] https://www.nextgov.com/policy/2020/03/trump-relaxes-patient-data-rules-allow-doctors-telehealth-using-personal-phones/163847/
[5] https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
[6] https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
[7] https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
[8] https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/
[9] https://www.bloomberg.com/news/articles/2020-04-10/apple-google-bring-covid-19-contact-tracing-to-3-billion-people?srnd=premium
[10] https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/
[11] https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/
[12] https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/