The safeguards that would ideally be put in place before launching medicine into cyberspace have largely been ignored during the COVID emergency. Do we need to be worried?
Everything happened so fast. One minute, Medicare-rebated telehealth was a distant dream and the next it was March 2020 and phone and video consults were being rolled out in a matter of days all around the country, fully funded by government.
Between March and the end of June, seven million MBS-funded telehealth consultations were conducted in Australia.
Jeremy Forrester, the principal consultant at IT4GP – an IT service provider for GP clinics – and the CIO at digital GP clinic Qoctor, says his company has never been busier.
As the lockdown hit, GPs were quickly pushing through a suite of IT changes to make telehealth and remote working possible.
With so many GP clinics enacting the same changes at the same time, the demand on IT and software service providers spiked, causing delays at helpdesks and frustrated customers, says Mr Forrester.
But, even though COVID catalysed a telehealth revolution in a matter of weeks, the data security risk didn’t materially increase in primary care because nine out of ten consultations were done by phone, he says.
Many GPs and patients can’t deal with the fiddly nature of video conferencing technology. Calling on a phone is a reliable and easy way to connect. It’s also pretty safe from a data security perspective, says Mr Forrester.
The few GPs who used video conferencing mostly chose generic brands like Zoom, FaceTime and Skype, which are fairly secure, fully encrypted communication services (although, there have been some security concerns raised about Zoom recently, particularly the possibility of Zoombombing or someone crashing a meeting uninvited), he says.
Some GPs are using products such as HealthDirect, which is integrated with Best Practice and is specifically designed for video calls in a GP setting and thus do not increase security exposure, says Mr Forrester.
Every new connection in a network adds a potential failure point, so more GPs working from home could introduce a greater data security risk, particularly if they weren’t using a secure VPN to access their practice software, he says.
But actually, many GPs continued going into the clinic during COVID-19, says Mr Forrester. It’s just too hard for GPs to print prescriptions, send referrals and do all the admin required in a day’s work on their own at home, he says. So, in reality, the security risks from doctors working from home were minimal, he said.
The lack of data security breaches so far during COVID-19 has been documented by the Office of the Australian Information Commissioner (OAIC).
In a recently released report, OAIC found a 3% decrease in the number of notifiable data breaches between January and June 2020, compared to last year.
“While health service providers report the highest number of data breaches under the Notifiable Data Breaches scheme, the OAIC has not identified any trends in relation to breaches involving telehealth services over the first six months of 2020,” a representative of OAIC told The Medical Republic.
Associate Professor Liam Caffery, the director of the telehealth for the University of Queensland Centre for Online Health, says GPs are exposing their practices to a greater data security risk by switching to telehealth so quickly, but that the risks can be managed with some simple safeguards.
Cybercriminals will use the confusion and disruption around IT changes and COVID-19 to their advantage and small businesses like GP clinics are a target, he says.The RACGP has produced some good advice for GPs on data security and video consultations, so that’s a good place to start, he says.
The Department of Health also has an easy-to-read privacy checklist for telehealth services.
It’s not just about having technical safeguards; data security requires good governance as well, says Professor Caffery. Someone in the clinic should be responsible for data security and staff should be trained to not click on suspicious links in phishing emails.
Video conferencing can be made more secure by creating a virtual waiting room so each participant needs to be admitted separately, by limiting the number of participants, by password protecting the session and by not using a recurring meeting link, he says.
Health-specific video conferencing platforms generally force doctors to use all these security settings whereas for consumer-based products all these settings need to be switched on, he says.
Dr Ewen McPhee, the president of the Australian College of Rural and Remote Medicine, says he is not aware of any major data security breaches in general practice during COVID-19 but there are protocols that doctors should follow to ensure privacy and security during telehealth consultations.
“In my practice we have implemented a script that each GP works through at the start of any telehealth consultations, reminding the clinician to check the identity of the caller, who else is present and seek their consent to the consultation,” he says.ACCRM also has some guidance for doctors on how to avoid security breaches using telehealth (bit.ly/31lduMk).
“Our judgment is that it is reasonably safe at the present time to use the majority of video conferencing software for video calls, but that the means of interception and range of organisations able to do this may grow and spread,” ACCRM says. “Use your own judgment about the sensitivity of the consultation and the risk to the patient if the call is intercepted. If the risk is high, use the telephone for the audio component of the call.”
Just because there aren’t many COVID-19 telehealth-specific security risks, this doesn’t mean there aren’t major ongoing data security issues in general practice that could be exploited by hackers or criminals during a pandemic, says Mr Forrester.
GP clinics are often quite vulnerable to attack because doctors don’t generally want to spend money plugging holes in their data security armour, he says.
Some simple measures to protect data are often not taken, such as investing in a commercial-strength firewall and proper anti-virus software.
Doctors love having generic usernames and passwords because it saves time and it’s easy to remember, but shared passwords that are never changed are probably the single biggest cybersecurity risk to the business, says Mr Forrester.
GP clinics also often forget about maintaining proper backups, he says. If the company did become the victim of a phishing attack and a hacker managed to hold the company to ransom by locking all the patient data, the way to side-step this threat is by having a backup of all their records somewhere else.
But GPs often entrust this task to third-party IT providers who haven’t necessarily taken the time to make sure the backup talks to the practice management system, which makes it somewhat useless, he says.
Another group to watch are the booking providers, says Mr Forrester. The more third-party providers storing information on behalf of the practice, the more work GPs need to do to be comfortable that the data is secure, he says.
HotDoc can extract some personal patient data from practice management software (PMS) including Best Practice and MedicalDirector and can store this data in the cloud, while HealthEngine is integrated with Best Practice.
HotDoc scoops up personal data about patients from the PMS, including patient name, date of birth, gender, contact numbers, postal address, email, Medicare card expiry dates, appointment times, dates, types (e.g. “Skin Check”, “Standard Appointment”), recall due dates and reasons (e.g. “Blood test non-fasting”).
The company does not collect any information about the medical conditions a person has (with the exception of inference from appointment types or recall reasons), their medications, what specialists they are going to see, practitioner notes, their clinical history (with the exception of appointment types and recall reasons), or the name or contents of test results, or tests requested, a company representative told The Medical Republic.
The company does however collect some data from the PMS about patients who have not booked an appointment through HotDoc or signed up for a HotDoc account.
HotDoc stores this patient data with third-party Australian-based cloud computing providers and all data is encrypted in transit and at rest.
HealthEngine says the data it collects about patients is “always transmitted using Transport Level Security on an as-needed basis. Sensitive data is encrypted at rest, within the database.”
HealthEngine can collect personal information such as patient names, contact details, gender and marital status and basic medical information (allergies, medications and emergency contact details).
Sometimes HealthEngine will send patients appointment reminders and surveys via SMS or email.
In these cases, “the information enabling the communication to be sent on behalf of the practice customer remains at all times under the effective control of the practice customer. Accordingly, there is no ‘disclosure’ of personal information by the practice customer to HealthEngine,” a company representative says.
While these two companies were quick to answer our questions on data security, it’s hard to shake a feeling of unease. Do patients really know this is where their personal data is going?
HotDoc acknowledges that for patients who have not signed up for the booking service, their data being shared is “rightly a common area of concern”. While the GP clinic is technically responsible for gaining the consent of patients to share data with HotDoc, HotDoc helps by providing waiting room posters to communicate with patients that they might receive an appointment reminder SMS.
“Proactive, transparent communication greatly reduces patient confusion and discomfort, particularly when clear privacy policies and a strong commitment to confidentiality mean there’s nothing to hide,” a HotDoc representative says.
A HealthEngine representative said, “[We rely] on the practice customer to obtain patients’ consent to the disclosure of their personal information to HealthEngine. This is a contractual obligation of the practice customer as set out in HealthEngine’s Practice Customer Terms and Conditions.”
One of the best security habits to develop in general practice is switching on two-factor authentication because it prevents hackers from being able to log in with a simple password, says Mr Forrester.
But Best Practice does not have two-factor authentication and does not have a policy of forcing GPs to regularly change their passwords, he says.
“No, we do not have two-factor authentication at this time, however other security measures are in place,” a Best Practice representative told The Medical Republic.
“Best Practice’s software is access via named user logins, each user is granted a username and password. Within the Best Practice software, we have comprehensive, role-based user access controls, administered by the practice, which controls what functionality and data each user has access to.”
MedicalDirector was contacted for comment about two-factor authentication.
The other gaping hole in general practice data security at the moment is the reluctance to switch from the old operating system Windows 7 to Windows 10.
In January, Microsoft announced that it would stop releasing security patches for Windows 7, which means any GP computer running this operating system is being left wide open to cybersecurity attacks.
The reason many GP clinics haven’t switched to Windows 10 yet is because computers that are more than about six years old cannot run the new operating system, says Mr Forrester. That means investing thousands of dollars into buying new computers.
Windows 8 and Windows 8.1 were also widely regarded as irritating and hard-to-use operating systems (so much so that Microsoft skipped Windows 9 altogether) so doctors have been burned by that previous transition, says Mr Forrester.
Nick Savvides, the senior director of strategic business for Asia Pacific at Forcepoint – a data protection company, said GP clinics are particularly vulnerable to cyberattacks during COVID-19 because there is much more interaction with multiple networks when patients and GPs are linking in from home.
Cyber attackers will exploit the current climate of rapid technological change by, for example, finding out what telehealth or software providers the GP clinics are using by Googling the practice website, mocking up a fake email address and impersonating the provider in an email to staff. The staff then click on a link in the email and malware gets downloaded on the computer.
Data security is less about choosing the right software provider or technology and more about making sure the humans using the system are being smart about security, he says.
“No matter what provider you choose, telehealth is ultimately a doctor, a screen, a camera and a mouse on one end and a patient on the other,” he says. “It’s the humans, not the system, that will let you down.”