The Rise in Telemedicine May Be Putting Patients at Risk
By Hilmar Eidsson, co-founder and CTO of Kara Connect
The general public’s concern regarding privacy has come in and out of focus a lot over the past decade. Right now, it’s placed top-of-mind while lockdowns persist in countries around the world, forcing people to work from their homes, adopting new methods of communication and collaboration that haven’t yet been able to stand the test of time to verify their trustworthiness.
As all face-to-face meetings have transitioned into the digital space, the world is beginning to face a new problem, namely the unwanted intrusion into video conference calls by groups or individuals. Its exponential rise has led to hundreds of organizations, schools, and governments ceasing use of certain platforms altogether in fear that their meetings may be eavesdropped upon, despite the swift changes being made by the companies behind them to upscale the security measures in place for their users.
The fact is, this novel form of a cyberattack requires little to no technical knowledge, only that the perpetrator is cunning enough to locate the target’s meeting ID (and password in some cases).
Cause for Concern
The healthcare industry is a prime example of workers adapting to their environments, with many GP surgeries, as well as independent specialists and mental health practitioners taking up video consultations in order to continue providing clinical support during a time when face-to-face appointments aren’t readily available.
This is fantastic in theory. However, what are the repercussions when healthcare professionals use insecure platforms to host private consultations with vulnerable patients?
Something that these professionals must consider when holding remote consultations is the privacy and comfort of the patient. This rings especially true for psychologists, whose patients rely on them to provide a safe space to open up about what are often very sensitive, personal topics. Any breach of which has the potential to cause considerable psychological and reputational damage.
The primary concern here is that confidential and sensitive patient information may be at risk of being overheard, or worse, exposed, which could be extremely damaging to a patient’s mental wellbeing. There is also a chance it could be seen as a breach of patient confidentiality and possibly even a breach of GDPR.
What to do
The answer lies, of course, in encryption. For any healthcare practitioner who is finding themselves in the middle of this new age of telemedicine, unsure where to start, encryption is the key (mind the pun). However, it’s important to note that ‘standard’ levels of encryption should be heavily scrutinized when looking for a platform with which to interact with patients.
Many services will have encryption in place but it’s important to unpack how the encryption works. Certain, basic levels of encryption mean that messages are encrypted by the sender, and then filtered through a server before being passed along another encrypted channel to the receiver. With this type of standard encryption, whoever has access to the server also has access to all the decrypted messages. This works the same way with video conferencing systems that use standard encryption. The provider can, if they want to, access any call data, including recordings, or simply just access live sessions. If this were to be breached by a third party, the data is anyone’s for the taking. End-to-end encryption, however, means that only the video conference participants can access the decrypted data, which in this case, is the live video feed. Even if the service provider wanted access, end-to-end encryption would prevent them from doing so.
The prevailing advice is that given the duty of care they have to their patients, healthcare practitioners should only use platforms that offer the highest levels of end-to-end encryption.
There is a multitude of video conferencing platforms on the market and, during times of urgency, it can sometimes be enticing to just go for the biggest name or the free option to cut costs. However, this isn’t a time to be foregoing security in the name of perceived trust or money. Every month we are hearing of new data breaches from some of the biggest, most well-known organizations in the world. Just because they are well-known, doesn’t mean they have the best interest of the end-user at the top of their priority list.
For healthcare professionals, independent consultants, and even specialist educators, it’s important to do research. Use platforms that offer end-to-end encryption as standard, where compliance with privacy policies, such as GDPR, is made clear from the offset and therefore brings with it peace of mind, knowing that services are being provided in a safe and secure way, without the constant fear that consultations might be spied upon.
Hilmar Eidsson, former co-founder and CTO of Kara Connect
Article first published in SC Magazine on June 11th 2020
