Telemedicine

Less Secure Than Facebook

Telemedicine was a steadily emerging alternative to traditional, in-person medical care prior to Covid-19. Insurers loved it for its built-in cost savings. Medical providers loved it for its ability to economically scale their reach. Patients, though slower to embrace the new engagement model, had been reporting increasingly positive sentiment toward adding telemedicine to their overall health care service choices.

Then came Covid-19.  

Without any ability for patients to make alternative choices, telemedicine was suddenly forced upon them at scale.  Fairview Tracker reports over a 15,000% surge year-over-year for the northeast region of the US alone in March, and similarly large numbers across the country. Sometimes the times decide the speed of adoption of emerging technologies, and so has been the case with telemedicine.  

This meteoric adoption prompts many questions, not the least of which is: When a patient or doctor works with a telemedicine application over the Internet, is the patient’s shared medical data secure?

In short, unfortunately, the answer to that query is – not as safe as it could or should be.

The Great Security Bake Off

No one would accept the proposition from their telemedicine provider – How about I protect your personal medical information the same way we did back in 1990? But that is exactly what is happening. When private medical data is sent over the Internet it is secured by a system that dates back to the age of Hootie and the Blowfish. That system has been incrementally patched as issues are discovered, but it has a foundational weakness which is almost always ignored. 

So how do telemedicine platforms stack up compared to some of the most commonly used platforms where customer data moves back and forth?  In the chart below we compare the 10 telemedicine platforms that we evaluated against five major US-based banks and Facebook’s Messenger. We asked three pretty basic security questions:

  1. Does the application use encryption?
  2. Is the encryption vulnerable to attack? (Specifically a Man in the Middle attack)
  3. Is the security of the inflight data auditable? 

If you were expecting telemedicine to be more secure due to the nature of the data they are responsible for protecting, the results will disappoint you:

Our analysis found that these platforms weren’t even implementing the best practices from the currently accepted, yet flawed security architecture in use today.  Your Facebook message to wish your grandma a happy birthday is more secure than the video consult you just finished with your physician.  Why is this the case?

What Drives Security?

Healthcare is arguably the most regulated industry in the United States with respect to information security. But regulations are backward-looking. They learn from what the bad guys have already done, and they are reactive in nature. Lawmakers will never move as quickly as technology or hackers, who are always trying new things. Their “best practices” for cybersecurity are always a generation, sometimes more, behind. So meeting regulatory requirements can be achieved by employing older, off-the-shelf solutions even when there are better means available to thwart cybercriminals. If there is a breach, it is their provider’s patient whose private information is exposed. So, bluntly, there is no financial impact on the platform provider if these protections don’t work.

Banks have obvious financial exposure if their app communication is hacked, such that depositor funds are stolen. Facebook’s exposure is less direct, but they have taken many hits for their privacy execution (including a $5 Billion fine) and have pivoted to shore up their information security as much as possible.  Without equally compelling requirements or downside financial risk, these telemedicine companies don’t provide nearly the same protections for your most private medical data.  

Attacking Data is Hard, Right?

Wrong. These attacks are real and honestly relatively easy using free hacker software. Your username, password and health data are all vulnerable. Using a created profile with no data to actually access, we ran a hack on ourselves. Here’s what our login to a well-known pediatrics application looks like to an attacker using this technique:

It’s pretty easy to see the vulnerability! The question is not whether it is real, but how dangerous this vulnerability is. The most common objection we receive when pointing out this vulnerability runs something like, “Sure, this attack is theoretically possible, but it’s so difficult that it probably seldom, if ever, happens.” To that I would offer three points:

  • All US banks (plus Apple, Facebook and some others) have done the extra work to address this attack. If the threat isn’t real why did they address it?
  • The US Department of Defense does not allow their confidential data to be secured this way. If the threat isn’t real, why are they concerned?
  • The most insidious aspect of this attack is that you can’t tell that it is even happening. You can only hope that it isn’t, and no provider can honestly tell you that it isn’t happening regularly. With cybersecurity, hope is not a strategy.

So, we have ample evidence that this attack is real, that it is credible enough that many institutions address it and that there is no way to know when you are being attacked. If your telemedicine platform is not going to invest in better security to protect your data –  What can you do about it?

A Prescription for Better Security

As a consumer, you can avoid using telemedicine applications or web interfaces over public Wi-Fi and instead use a cellular connection. You can also install a VPN to keep your local connection more secure. While not perfect, these methods stop many attacks.

But more importantly, health care consumers need to advocate for themselves.  A health application provider can absolutely solve this problem. But they have to want to solve it. After our research, we contacted dozens of telemedicine and other medical application providers to ask if we could help them solve this problem. Most didn’t respond. Some said, “Thanks. But no thanks.”  Consumers need to force the conversation that today’s cybersecurity standards are inadequate and better solutions must be aggressively pursued. 

And to each platform owner we ask the following questions about in-flight data protection:

  1. Are you protected against Man in the Middle and other identity-based attacks?
  2. Do you have evidence (e.g. audit logs) that will demonstrate the security of your data in flight? 
  3. Are all means by which your users access private information adequately secured (mobile, web, other)?
  4. If you aren’t comfortable with your answers above, how will you defend against a HIPAA violation?
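
Questions 1 and 2 can be answered in code. As an added example (not from this article or from any platform it evaluated), the Python below uses certificate pinning, one control against an interposed certificate that the article itself does not name, and emits an audit record for every connection. The host telemed.example, the pin set and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
import socket
import ssl
from datetime import datetime, timezone

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
EXPECTED_CERT = b"constructed-der:telemed.example:server-key"
INTERPOSED_CERT = b"constructed-der:telemed.example:interposed-key"


def fingerprint(der: bytes) -> str:
    """SHA-256 of the certificate exactly as the peer presented it."""
    return hashlib.sha256(der).hexdigest()


# Pins shipped inside the client; a real set also holds a backup pin for rotation.
PINS = {"telemed.example": {fingerprint(EXPECTED_CERT)}}


def verify_pin(host: str, der: bytes, pins=PINS) -> dict:
    """Compare the presented certificate with the pins; return an audit record."""
    seen = fingerprint(der)
    # An unknown host has no pins, so the check fails closed.
    match = any(hmac.compare_digest(seen, pin) for pin in pins.get(host, ()))
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "host": host,
        "presented_sha256": seen,
        "pin_match": match,
        "action": "proceed" if match else "abort",
    }


def connect_with_pin(host: str, port: int = 443, pins=PINS, audit=print):
    """Open a TLS connection and check the pin before any credentials are sent."""
    ctx = ssl.create_default_context()  # CA and hostname validation still apply
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                          server_hostname=host)
    record = verify_pin(host, tls.getpeercert(binary_form=True), pins)
    audit(json.dumps(record))  # one record per connection, match or not
    if not record["pin_match"]:
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls
```

The pin check runs in addition to normal CA validation, so a certificate that chains to a trusted root but is not the expected one is still refused, and the refusal is logged.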

We’ve spoken to data privacy regulators around the world about this problem. They also acknowledged the issue and were interested in how to address it. Regulation will eventually catch up and force the industry to change. But we should address these problems now.
