Technologies Supporting Telehealth Have Placed Healthcare Data at Risk

Share this article on:

A new report from Kaspersky shows the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed.

Massive Increase in the Use of Telehealth

The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth.

Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-Cov-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually.  Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give them telehealth capabilities.

Telehealth has literally been a lifesaver during the pandemic; however, the use of new technologies is not without risk. Many of the products and services now being used to support telehealth include a variety of third-party components that have not been verified as having the necessary safeguards to ensure the confidentiality, integrity, and availability of healthcare data, and they are potentially putting patient information is at risk.

Kaspersky hypothesized that the rapid digitalization of medical services and the wealth of sensitive and valuable patient data collected, stored, or transmitted by these new healthcare technologies has not gone unnoticed and cybercriminals, who are looking to exploit vulnerabilities. A study was devised to explore the security landscape of telehealth in 2020 and 2021 to determine the extent to which healthcare data is being put at risk.

Analysis of Telehealth Applications and Related Technology

In the summer of 2021, Kaspersky conducted an analysis of 50 of the most popular applications that were being used to provide telehealth services to identify vulnerabilities that could potentially be exploited to gain access to patient data, and checked for the presence of malicious code used to mimic those applications or steal data from them. No vulnerabilities were identified in the 50 applications, although that does not mean vulnerabilities do not exist, only that they have not been found by researchers. Deeper analyses of those apps may uncover vulnerabilities.

“In the absence of centralized quality control of telehealth at the application level, their security can significantly vary from product to product,” suggests Kaspersky. “Another unfortunate fact is that smaller companies, like start-ups, simply do not have enough hands and resources to control the quality and safety of their applications. Accordingly, such applications may contain many vulnerabilities currently unknown to the public that cybercriminals can find and use.”

The researchers then looked at wearable devices and sensors, which are often used in conjunction with telemedicine, specifically, the most commonly used protocol for transferring data from wearable devices and sensors – MQTT..

Kaspersky notes in its report – Telehealth: A New Frontier in Medicine- and Security – that MQTT does not require authentication for data transfers, and even if authentication is implemented, data are transferred in plain text with no encryption, which means MQTT is susceptible to man-in-the-middle (MITM) attacks to gain access to the transferred data. If a device is exposed to the Internet, data transfers via MQTT could easily be intercepted.

According to Kaspersky, between 2016 and 2021, 87 vulnerabilities have been identified in MQTT, and 57 of those vulnerabilities were rated critical or high-severity. Many of those vulnerabilities have still not been patched.

Kaspersky reports that the most common wearable device platform, Qualcomm Snapdragon Wearable, is riddled with vulnerabilities. Since the platform was launched in 2020, more than 400 bugs have been detected, many of which have yet to be patched. Multiple vulnerabilities have also been identified in other vendors’ wearable devices.

Cybercriminals Are Looking to Exploit Vulnerabilities to Access Patient Data

Kaspersky warns that cybercriminals are increasingly using medical themes in their phishing campaigns. Between June 2021 and December 2021, more than 150,000 phishing attacks were detected that used medical themes as lures, and as the digitization of healthcare increases, that trend is only likely to continue to increase.

Telehealth is likely to continue to be used to provide care to patients for years to come and there have been calls for the telehealth flexibilities introduced in response to the pandemic to be made permanent. It is therefore vital for app developers and manufacturers of wearable devices, as well as the healthcare organizations that use them, to be aware of the security risks associated with the technology.

Developers need to be aware of vulnerabilities that could be exploited to gain access to patient data and should implement appropriate safeguards to keep data protected. Users of telehealth services, especially frontline workers who have a say in the platforms and devices used for telehealth, should study the security of each application or product and take steps to secure their accounts with strong passwords, multifactor authentication.

“We expected that 2021 would be a year of greater collaboration between the medical sector and IT security specialists,” said Kaspersky. “In some ways, our expectations were met, but the explosive growth of telehealth has brought new challenges to this collaboration which have yet to be solved.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On