New Security Risks and Vulnerabilities: Engaging in Telehealth During the Coronavirus (COVID-19) Pandemic

Most of us are under stay-at-home orders, and use of video-teleconferencing (VTC) platforms has surged.[1]  Services such as Zoom, among others, are being used for people to connect socially when they cannot in person.  Who would have thought that we would see weddings, baby showers, or social gatherings occurring all by VTC?  This has become commonplace for many of us.  These VTC platforms are also being used by Allied Healthcare Professionals as they need to adapt and engage in alternative types of practice, such as telehealth.  Following the coronavirus outbreak, one company reported that their platform experienced an increase in services of 312% in New York and 700% in Washington alone.[2]

In our prior Blog post, “Your Changing Practice – Telehealth During the Coronavirus (COVID-19) Crisis,” we noted that many states have instituted emergency orders improving access to telehealth, while at the same time, federal regulations, under HIPAA, have also been relaxed.[3]  New risks have emerged due to the increased use of these platforms.  No matter which VTC platform you use, it is important to exercise due diligence in selecting a secure platform.  Additionally, it is critical to have security systems in place to minimize security breaches.

One emerging risk involving security breaches is “Zoombombing,” a new form of harassment in which hackers intercept video calls and post hate speech and offensive images, including pornography.[4], [5]  This has occurred in multiple locations, both domestically and internationally, including two Massachusetts-based schools, a San Diego, CA high school, and a doctoral dissertation at California State University, Long Beach; incidents have also prompted the New York City Department of Education and schools in Singapore to stop using the platform.[6], [7]  These incidents reportedly occurred while specifically using the Zoom platform.  Consequently, the FBI issued a warning for users to engage in certain practices to reduce the risk of being hacked:

  • “Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.”[8]

Additional Steps to Reduce Risk

In addition to some of the steps above, Allied Healthcare Professionals can take additional steps to minimize risk: 

  • Use a service that has a “waiting room” option.  As the meeting organizer, this will allow you to admit the specific patient into the chat and will minimize the risk of unwanted attendees.  
  • Use a VTC platform that has a password option.  This will provide an additional level of protection.  
  • Do not create a public meeting.  A public meeting allows hackers to join as long as they have a link.
  • Restrict the screen sharing option to yourself.  Unless you have a reason to allow a patient to use your screen, the patient should not be able to do so.  This may not be an option, however, with some Allied Healthcare Professionals.  For example, a Speech Language Pathologist working with a child on word finding games may have to share their screen with the patient.  If you need to share your screen with your patient, ensure that he/she does not have access to your computer beyond the specific treatment-related document/program.  
  • If you engage in a group session, it is important to manage participants.  Again, use passwords and consider “locking” the session after it starts.  Locking the session will limit additional persons from entering the session once it has started. 
  • Remove any unwanted participants.  Check to see if your VTC platform has a participants tab and if you are able to hover over a participant and click to remove the person.  This is particularly important if you have a Zoombombing incident.
  • “Mute” participants, if necessary.  
  • Ensure that your patient telehealth consent form has a provision discussing the potential for unauthorized access.  We encourage you to review our prior Blog post, “Sample Telehealth Consent Forms,” for sections that address this. 
  • Know the applicable federal and state regulations.
  • Seek legal or risk management advice should you have questions.

Steps to Take If You Experience a Hacking Incident

As you exercise due diligence in selecting a platform and implementing a process to minimize risk, hopefully you and your patient will not experience a hacking incident.  It is important to discuss the potential for this with your patients prior to engaging in telehealth with them.  We are seeing more emerging issues every day, and you may have already started using a VTC platform with patients.  If so, discuss it with them at your next session, and document that you advised them of this issue.  If your session is hacked, have a process in place to immediately terminate the session and implement a process to follow up with the patient.  In addition, if you experience a hacking incident, the FBI has an Internet Crime Complaint Center where the incident can be reported.  Keep in mind that should you report an incident, you must adhere to state and federal laws concerning patient privacy.[9]

Conclusion

Each day the risks are changing.  We are seeing reports of hacking incidents, and consequently, Allied Healthcare Professionals should be aware of this issue, and take steps to minimize risk.  This Blog is not an exhaustive list but is intended to be an overview of some of the issues to consider.  We will post additional Blogs as circumstances dictate in order to provide you with the most current information possible. 

Additional Resources

Refer to our TRMS COVID-19 landing page for a list of resources.  The link can be found at: https://www.trustrms.com/Resources/COVID-19-Resources    

 

Kristen Lambert, JD, MSW, LICSW, CPHRM, FASHRM
Healthcare Practice and Risk Management Innovation Officer
Trust Risk Management Services, Inc.

 

NOTE: This information is provided as a risk management resource and is not legal advice or an individualized personal consultation.  At the time this resource was prepared, all information was as current and accurate as possible; however, regulations, laws, or prevailing professional practice standards may have changed since the posting or recording of this resource. Accordingly, it is your responsibility to confirm whether regulatory or legal issues that are relevant to you have since been updated and/or to consult with your professional advisors or legal counsel for timely guidance specific to your situation. As with all professional use of material, please explicitly cite The Trust as the source if you reproduce or distribute any portion of these resources.  Reproduction or distribution of this resource without the express written permission of The Trust is strictly prohibited.



[1] Secon, H., Woodward, A.  “About 95% of Americans have been ordered to stay at home. This map shows which cities and states are under lockdown,” Business Insider, https://www.businessinsider.com/us-map-stay-at-home-orders-lockdowns-2020-3, [last accessed April 8, 2020];  Rana, A., McLymore, A., “Teleconference apps and new tech surge in demand amid coronavirus outbreak,” https://www.reuters.com/article/us-health-coronavirus-teleconference/teleconference-apps-and-new-tech-surge-in-demand-amid-coronavirus-outbreak-idUSKBN21033K, March 13, 2020

[2] Garrity, M., “Telehealth visits up 312% in New York, causing major lag times,” Becker’s Hospital Review, https://www.beckershospitalreview.com/telehealth/telehealth-visits-up-312-in-new-york-causing-major-lag-times.html, March 25, 2020

[3] The Council of State Governments, “COVID-19 Resources for State Leaders,” https://web.csg.org/covid19/executive-orders/; U.S. Dept. of Health & Human Services, “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency,” https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

[4] Bond, S., “A Must for Millions, Zoom has a Dark Side – And an FBI Warning,” https://www.npr.org/2020/04/03/826129520/a-must-for-millions-zoom-has-a-dark-side-and-an-fbi-warning

[5] Setera, K., FBI Boston, “FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic,” https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic, March 30, 2020

[6] Ibid; Taketa, K., “San Diego ‘Zoombombing’ incident highlights need for schools to use safety controls,” The San Diego Union Tribune, https://www.sandiegouniontribune.com/news/education/story/2020-04-08/san-diego-zoombombing-incident-highlights-need-for-schools-to-use-safety-controls, April 8, 2020; Clark, B., “NYC classrooms cancel Zoom after trolls make ‘Zoombombing’ a thing,” https://thenextweb.com/security/2020/04/06/nyc-classrooms-cancel-zoom-after-trolls-make-zoombombing-a-thing/    

[7] Soo, Z., “Singapore stops Zoom for online education as hackers strike,” Associated Press,  https://www.msn.com/en-us/news/technology/singapore-stops-zoom-for-online-education-as-hackers-strike/ar-BB12q42f?ocid=spartandhp, April 10, 2020

[8] Setera, K., FBI Boston, “FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic,” https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic, March 30, 2020

[9] Ibid