Why VPNs and Encryption Services Are Our Digital Masks and Gloves

By Jaren Butts and Nickeyea Wilkinson 

Thanks to social distancing mandates, teleconference platforms have experienced a huge surge in site traffic as new users around the world participate in telehealth, telework, and many other teleservices that have now been transitioned online.[1] As virtual capabilities become more important to our daily lives than ever before, now is also the time to focus on the importance of our daily digital hygiene by gearing up with VPN and encryption services in the same way as we do with our masks and gloves.

Devious hackers poised to exploit the vulnerabilities of weak cybersecurity systems and unsophisticated users have already begun launching cyberattacks such as phishing campaigns, fraud schemes, and malware distribution. In late March, the FBI warned of “Zoom-bombings” and similar teleconference hijackings after receiving reports of teleconferences being disrupted by threatening language and by lewd and hate-filled images. It was also reported that roughly 530,000 Zoom accounts were hacked and sold on the dark web for pennies on the dollar. Using the stolen Zoom accounts, hackers could access a user’s meeting room, invite others to join, and exploit the user’s contacts by sending malware through the invites.

During COVID-19, many healthcare providers have turned to telehealth as a means of caring for their patients. Although telehealth is a great alternative to in-office visits, the use of technology to communicate health information for treatment and diagnosis isn’t without risk. For example, what if the platform used for your telehealth appointment is targeted, and sensitive protected health information (PHI) is accessed and exploited? The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) published a notice announcing its decision to “exercise its discretion and will not impose penalties for noncompliance with the regulatory requirements under HIPAA’s Security and Breach Notification Rules in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency” (the Notification). Essentially, under this Notification, covered healthcare providers will not face HIPAA penalties if a hack exposes PHI during the provision of telehealth services.[5] “We are empowering medical providers to serve patients wherever they are during this national public health emergency,” says Roger Severino, OCR Director, but at what cost if healthcare providers use deficient third-party applications or fail to exercise good digital hygiene practices?

The Notification goes on to list applications capable of video chat services that may be used for telehealth services without risk of penalty, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype. For additional privacy protections, the OCR suggests that covered healthcare providers seek services through technology vendors “that are HIPAA compliant and will enter into HIPAA business associate agreements in connection with their video communication products,” such as Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet. Importantly, the Notification specifies that public-facing communication applications should not be used in the provision of telehealth, such as Facebook Live, Twitch, and TikTok.

Lastly, the Notification encourages providers “to notify patients that third-party applications potentially introduce privacy risks,” and suggests that providers “enable all available encryption and privacy modes when using such applications.” Although it is only mentioned in a note, the Notification also references general information on the risks and possible mitigation strategies for remote use of and access to e-PHI.

While gearing up with our masks and gloves is a way to exercise good hygiene during these unprecedented times, using VPN, encryption, and other cybersecurity services is a way to exercise digital hygiene. Here are 5 simple steps for practicing healthy digital hygiene habits in the provision of teleservices:[2]

  1. Training, Training, Training! Healthcare providers are not IT experts. Set clear rules, standards, and safeguards for employee remote access to e-PHI.
  2. Supply provisioned devices to remote employees for enhanced security and simplicity.
  3. Require secure VPNs and multi-factor authentication for devices accessing e-PHI.
  4. Configure strong encryption algorithms.
  5. Understand HIPAA compliance requirements for mitigation and notification of improper use and/or disclosure of e-PHI.

It’s important to remember our digital mask and gloves as we continue to navigate this new world of “tele-everything”!

[1] Companies like Zoom have reported a 67% increase in their active user base since January. 

[2] FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency are available here