When telehealth’s the norm, so is cyber risk

The adoption of telehealth services in response to the pandemic was swift.  

Performed rapidly and under immense pressure – in some cases overnight – it’s no surprise many were deployed with inadequate planning.  

Praised as a means of granting access to vital medical care to those in quarantine and those most vulnerable within our community, as well as those simply wishing to remain socially distant where possible, it created the ability to cater to the medical and health needs of our country, and all over the world. 

While this rapid adoption was a necessary lifeline used to combat covid-19, and to ensure that everyone had access to health services, it has inadvertently broadened the attack surface of many healthcare organisations, creating rapidly evolving security concerns. 

With the Australian government’s announcement of a $100 million investment to make telehealth a permanent fixture within our healthcare system, it’s incumbent on the healthcare industry to properly analyse and address the potential security issue to ensure safe, continued use.  

Given the way telehealth transformed Australia’s healthcare during one of our most difficult periods, we can forgive some security shortcomings – however, the government must now prioritise security, given telehealth’s permanent place in our health systems. 

It’s only money … 

There’s no question that cyber-attacks can be expensive. As reports of ransomware attacks worldwide become more and more prevalent, so do reports of the financial cost to organisations and individuals.  

More often than not, we gauge the cost of a cyber-attack on dollars lost, productivity compromised, or privacy invaded. However, it’s not just money at risk in the context of healthcare.    

Telehealth is a term generally used to describe health service consultations via a video-conferencing application. But, in reality, it’s a fast-developing medical and health Internet of Things including all manner of health and medical services facilitated by remote access; two physicians discussing with a patient via video conference, wearable and implantable devices that record, store, and send information for monitoring and evaluation; highly specialised applications; or even robotic surgery. 

Organisations with broad-reaching and poorly defended perimeters – for example, a telehealth service assembled quickly, made up of a number of applications and services, across multiple clouds – are critically vulnerable. They provide hackers with multiple points of infiltration, through which they can access not only data, personal or financial information, but more importantly, compromise applications, services, and in some cases, medical devices, and hardware. 

In one of the first reported examples of such an attack leading to the death of a patient, an Alabama mother lost her infant daughter soon after a cyber-attack had crippled the hospital’s computer systems. Fetal heart rate was not monitored properly before delivery, contributing to the child’s death. 

Put quite simply, the stakes are highest when it comes to our health, and security must factor this in. 

Where to next? 

With a distributed, multi-cloud environment comes distributed security and a host of challenges – multiple technologies, different controls for different environments, multiple users, multiple apps, and lack of visibility, difficulty reporting, and often low maturity. 

Too many tools across too many layers make attacks not only difficult to predict and prepare for, but also prevent effective defence when an attack occurs. 

While issues such as these across any environment require attention, when fundamentally responsible for medical and health services, putting adequate measures in place to address these concerns, is of critical importance. 

The modern telehealth environment is here to stay, with services and applications distributed across multiple clouds and data centres. Moving forward, security must shift to the application layer, ensuring that it is intrinsic to the tools clinicians and patients are using.  

This means implementing and using security from the start of an app or a program, rather than after. 

In a perfect environment, security should be deployed in a uniform stack, suitable for the consistently evolving telehealth environment, able to be rapidly deployed and decommissioned anywhere and anytime it is needed, with security controls that are mature and enterprise grade. 

There should be a central control point; a single point to define policy once and deploy globally. The central point would also provide a unified point of visibility, control, logging, and reporting. 

We have been fortunate enough in Australia to have avoided the direst consequences in our healthcare systems so far. However, with a permanent telehealth future set and increased digitalisation across Australia’s healthcare systems, our luck will run out if we don’t measurably improve our security posture to reflect this reality. 

Jason Baden is the Regional Vice President, ANZ for multi-cloud security and application delivery company F5