One of the most striking paradoxes of life during the coronavirus pandemic is that people are trying to stay healthy by avoiding going to the doctor at all costs. Social distancing has paused many routine health services, leading to an even more painful paradox: thousands of doctors being furloughed in the midst of the greatest public health crisis in living memory. But even in busy hospitals on the frontline of the pandemic, healthcare professionals seek to limit their exposure to COVID-19 by minimizing contact with patients.
Of course, people need access to healthcare more than ever during a pandemic, so around the world, more and more healthcare providers and patients are turning to telemedicine. Governments in Europe and the United States are lifting long-established legal barriers to telemedicine, and companies are racing to fill the need.
Technologies that give doctors the ability to diagnose and treat patients without physical contact are a godsend at this moment. In all likelihood, many of the protocols being put in place today will far outlast the pandemic. However, for these changes to stick, it’s vital that medical providers implement telemedicine without sacrificing patient privacy and security.
Coronavirus Sparks a Telemedicine Revolution
For decades, telemedicine (patients getting remote clinical services) has failed to gain widespread traction in many countries, largely over data privacy and security concerns. But coronavirus has overridden those concerns and opened the floodgates for a long-overdue re-examination of the benefits of remote healthcare. As one London physician told the New York Times: “We’re basically witnessing 10 years of change in one week.”
In Britain, the NHS is encouraging general practitioners to substitute in-person visits with a phone or digital contact whenever possible. Australia’s government vastly expanded its telehealth services to make them available to the whole country. Canada is also allocating resources and changing its billing practices to expand telemedicine as quickly as possible.
In the United States, the Department of Health and Human Services (HHS) announced that it would not sanction healthcare companies for noncompliance with HIPAA regulations “in cases of good faith use of telehealth during the nationwide COVID-19 public health emergency.” Shortly after, the Centers for Medicare and Medicaid Services (CMS) followed suit and suspended its rules to allow healthcare providers to bill for many telehealth services. That’s a major breakthrough since Medicare/Medicaid’s longstanding refusal to reimburse care providers for telehealth has been one of the major stumbling blocks in its adoption.
By and large, healthcare providers have eagerly seized on this chance to modernize. Planned Parenthood has begun offering telemedicine services in all 50 states, and the shift has highlighted the ways telemedicine can help patients who are poorly served by the traditional healthcare model. Per Time: “Many Planned Parenthood patients are low-income, people of color, LGBTQ people, undocumented immigrants, or those who live in rural areas and underserved communities.” Even before the pandemic, these people often struggled to get to appointments, and once the pandemic is over, it’s hard to imagine going back to the old way of doing things.
To be sure, there are drawbacks to providing remote care, for instance, losing the ability to detect odors or textures. But today’s technology enables fairly comprehensive exams. Infectious disease specialist Kathleen T. Jordan describes “iPads on wheels,” which doctors use to zoom in on parts of a patient’s body, and robots with stethoscope attachments, which let doctors listen remotely to heart and lung sounds. As Jordan writes, “Doctors have acquired competence and confidence in providing remote consultation,” and after the virus, “the demand for telemedicine might be hard to quell.”
The Privacy and Security Challenges of Telemedicine
So why has medicine been so slow to join the digital revolution? One of the most common objections is that, in a world plagued by cyberattacks and data breaches, the danger of patient data or care being compromised is too great a risk.
In a 2018 Deloitte study on telehealth, 57% of patients said they’d be willing to try remote care. Doctors were more skeptical, with a third naming “security and privacy of patient information” as a significant concern. That worry is justified since the medical field is shockingly vulnerable to attack.
According to the American Medical Association, 80% of physicians have been the victim of a cyberattack.
Deloitte’s study identified eight major risks in virtual healthcare, and specifically drew attention to the issue of “complex identity and access management [IAM].” In essence: How can doctors know that the person on the screen is the same person whose chart they’re reading? And how can patients be confident that no unauthorized person is accessing their most private information?
Deloitte named multifactor authentication (MFA) as the best way to confirm patient identity by sending a one-time code or using biometrics such as a fingerprint. They cautioned that “making this work relies on an identity-management system that’s flexible enough to send identity data about a patient to multiple systems, and that means the security concerns are multiplied as well.”
"According to the @AmerMedicalAssn 80% of physicians have been the victim of a cyberattack. Now that #COVID has made telemedicine a reality, what will it take to make sure it securely outlasts the pandemic?"
For the moment, the urgency of the pandemic has overridden security concerns. The U.S. government’s relaxed rules allow for appointments using non-specialized software like Zoom and Google Hangouts. But these consumer products are often vulnerable to intrusion. Apart from any software flaws, patients and doctors need training to use these programs safely. For instance, it’s imperative to create a unique password to access a digital patient portal or messaging program, so the account can’t be compromised in a credential stuffing attack. But without proper training and security-first software design, users could be caught in a privacy nightmare.
Building Telemedicine Capabilities to Outlast Coronavirus
Health providers and software developers alike should understand that once the coronavirus pandemic is over, telemedicine rules will likely evolve, but they’ll still return to the basic principles of data security.
HIPAA’s guidelines on telemedicine and electronic protected health information (ePHI) lay out those fundamental principles:
- Only authorized users should have access to ePHI.
- A system of secure communication should be implemented to protect the integrity of ePHI.
- A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.
Yet, as HIPAA itself admits, “There are some options for physicians who want to provide a HIPAA-compliant telehealth service for patients, but these tend to be both complicated and expensive.”
For telemedicine to fulfill its potential once the pandemic has passed, we need technology solutions that are secure, cost-effective, and user-friendly.
Fortunately, a new generation of startups is looking to ease both the financial and technical barriers to entry in telemedicine.
One Auth0 customer’s software lets patients handle appointment scheduling, payments, and medicine management remotely. They outsourced their IAM needs to Auth0 to ensure their platform didn’t compromise on either security or time-to-market. In particular, using Auth0’s Private Cloud enabled them to maintain greater control over their data, and compartmentalize it by country in order to adhere to varying legal requirements.
"In a digitized world, it doesn’t make sense for our health to be analog. What new steps do healthcare providers need to take to protect their patients when using telemedicine?"
For telemedicine to thrive after the pandemic, the medical industry needs to establish universal standards for using virtual tools. Some of this will come down to training, which is already happening in the trial-by-fire of coronavirus. For instance, clinicians are learning how to use common-sense methods to protect privacy. (HIPAA recommends “using lowered voices, not using the speakerphone, or recommending that the patient move to a reasonable distance from others.”)
Legislators around the world can also help usher in telemedicine by streamlining the patchwork of different laws governing it, which act as a major barrier to innovation. In the United States, each state has its own rules about payment, coverage, and patient consent. Kaiser Permanente named this inconsistency as a primary challenge to the adoption of telehealth since it’s “challenging to scale solutions and workflows across jurisdictions.”
No Going Back for Telemedicine
It’s tempting to say that coronavirus has made telemedicine a necessity, but the truth is that even before the pandemic, the world desperately needed new ways for people to get healthcare. And now that we’ve had a glimpse of a new approach, few people will want to return to the status quo.
In a digitized world, it just doesn’t make sense for our health to be analog — especially once we ask ourselves how many people have failed to seek care because they lacked transportation to the doctor’s office, or couldn’t get enough time off work to sit in a waiting room.
The world needs telemedicine solutions right now, but it also needs those solutions to be stable, secure and built for the long term. At Auth0, we’re excited to be a part of those solutions so the next era of medicine can work for everyone.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and development teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.