Hackers have been developing yet more devious ways to harm people since COVID. They are banking on the elevated levels of stress and confusion experienced by many providers. Many privacy protections have been loosened with limited and discretionary enforcement of HIPAA rules by the Office for Civil Rights (see Secure COVID Telehealth Services: Has HIPAA Gone Away? and Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency).
The debate about whether or not telehealth offers a secure means of communicating with patients is ongoing. Many experts argue that the only way to secure telehealth sessions is by forgoing the use of WiFi and connecting directly to the internet router using an ethernet cable. Although this offers more telehealth security, it also poses some security risk while restricting users physically, by forcing them to be near their router to have a connection, whether or not other household members are in the vicinity. Using a virtual private network (VPN) however, offers telehealth providers maximum security while giving them the flexibility to work from anywhere.
A virtual private network (VPN) is a service that extends a private network over a public net. When using a Telehealth VPN to connect to the internet, all data passing through the VPN is encrypted (encryption masks data, making it unreadable to unauthorized users). As such, connecting to a VPN provides the most secure connection and prevents even the most advanced hacker from accessing data.
VPN is often offered as a subscription service, where users can connect to any WiFi connection available, then enable their Telehealth VPN service. By logging onto a VPN before opening a telehealth platform, the session is encrypted as soon the telehealth platform is launched. VPN can quickly and easily provide telehealth security whether sessions are conducted from a home office or another remote location. For example, if a healthcare provider was traveling and needed to conduct a telehealth session from their hotel room, using the hotel’s public WiFi, the provider could connect to the hotel WiFi and then activate their VPN service to provide a secure telehealth session.
Telehealth Security and HIPAA
Under HIPAA, a telehealth VPN service provider working with healthcare clients is considered a business associate as they have the potential to access PHI as part of the service they provide for their clients. Therefore, for HIPAA compliant VPN use, telehealth providers must have a signed business associate agreement (BAA) with the VPN service provider before using the service. A BAA mandates the security and privacy measures the business associate is required to have in place. It also limits the liability for each signing party, as each party is responsible for monitoring and maintaining their HIPAA compliance.