When I started Sanford’s MPP program, I was immediately drawn to the dynamic nature of technology policy. It wasn’t until after taking a health care course through the Margolis Center that I recognized the vast impact technology has on the health care sector.
Each year, more and more health services are provided in a virtual format. Telemedicine has an undeniable potential to make health care more accessible. However, policymakers and health care professionals must not lose sight of another priority: keeping patient information secure.
This summer, I am working as an intern for the Triangle Privacy Research Hub, where I am researching the pandemic’s effect on telehealth. The hub is collaborating with Professor David Hoffman’s Cyber Policy Program to pursue work on national security, health data, gender violence, and access to data. My project is part of the health data policy area and fits in with other COVID-19 student projects on contact tracing and telehealth delivery.
The COVID-19 pandemic has forced the U.S. to rapidly adopt telehealth as a viable means of care delivery. To reduce face-to-face contact, policymakers at both the federal and state levels have made it easier to utilize telehealth. As part of my internship, I developed a repository to track these changes. For example, at the federal level, the Centers for Medicare & Medicaid Services are now reimbursing physicians for a greater share of virtual services; the Office for Civil Rights has relaxed certain aspects of HIPAA. Many states have waived licensure requirements, allowing health care workers to practice remotely across multiple states. These changes have been fundamental in mitigating the risk of in-person health care services throughout the pandemic.
Unfortunately, the mass shift to telehealth presents another risk: cybersecurity attacks. Cyberattacks have posed an ongoing threat to the health care sector for years, but the pandemic has exacerbated the issue. Cybercriminals are known to take advantage of vulnerabilities in new, rapidly deployed technologies, and telehealth fits this criterion.
Through the research I’ve conducted this summer, I've learned that many physicians have resorted to using personal networks, home laptops, and even smartphones to provide telehealth. Understandably, health care workers haven’t had the time or resources to implement security measures. These conditions create a perfect storm for malicious actors. Experts have noted a particularly concerning uptick in ransomware attacks. These attacks occur when malware renders a system inaccessible until a ransom has been paid.
I recognize that cybersecurity may not seem like a high priority during a pandemic, but health care entities cannot afford to let security take a backseat. Recovering from just one ransomware attack would pull valuable time and resources away from COVID-19 response efforts. Health care organizations must exercise risk management to prepare for and prevent cyberattacks.
Fortunately, various policy organizations are working tirelessly to identify best practices for risk management in the health sector. For example, the National Institute of Standards and Technology (NIST) has released a framework on how to improve critical telehealth infrastructure. NIST is also collaborating with the National Cybersecurity Center of Excellence to develop a Cybersecurity Practice Guide. The guide will address privacy and security risks associated with telehealth and remote patient monitoring. Crypsis, a security advisory firm, has also published an Incident Response Report that provides guidance on how to deter, detect, and disrupt cybercriminal activity.
To me, the preventative measures outlined in these resources are the most salient. Health care professionals can enhance their security through simple actions, like using industry-standard encryption, implementing multi-factor authentication and limiting the use of privileged accounts.
The COVID-19 pandemic has shown me that cyber threats never take a break. In the words of General Michael Hayden, former director of the CIA and the NSA, cybercrime is an “ongoing, rigorous grind that requires diligence, care and expertise.”
After my time at Sanford, I hope to pursue a career where I can help organizations strengthen their digital infrastructure and mitigate cyber threats. In the midst of an ever-changing health care sector, the world urgently needs policymakers who will work with stakeholders to develop best practices for more robust privacy and cybersecurity.
Jaymi Thibault is a rising second-year MPP student at Sanford. She earned her bachelor's degree in political science from the University of Maine in 2017. Her previous research involved a project to improve digital municipal communication throughout the city of Bangor, Maine. Thibault is interested in the intersection of technology and health policy. After Sanford, Thibault intends to pursue a career where she can advocate for consumer privacy and cybersecurity.