The use of cloud-based platforms to send, receive and store patient data in teledermatology adds security risks.
One often-cited benefit of teledermatology is convenience. The patient can connect with his or her dermatologist by smartphone, tablet, or computer at any time and from anywhere, and receive personalized treatment.
But teledermatology’s heavy reliance on mobile devices and use of cloud-based platforms to send, receive, and store patient data create additional security risks. The patient’s active role in the process adds further complications.
MOBILE DEVICES
While mobile devices facilitate communication between patient and provider, they are also aggressively targeted by cybercriminals, as they often lack even basic security. Mobile devices frequently lack password protection or firewalls, have out-of-date operating systems and applications, and are unencrypted. Downloaded apps may contain malware or security vulnerabilities. Mobile devices are also easily lost or stolen. The use of mobile devices on unsecured wireless networks presents another security risk.
Several steps can be taken to minimize the risks of mobile devices:
While it is common for many providers to use their personal devices for practice business, using dedicated devices is more secure.
CLOUD-BASED PLATFORMS
Most teledermatology practices use a third-party, cloud-based platform to communicate with patients and store and access patient data. These cloud-based platforms offer many benefits, including simplicity of use (patients and providers can create an account and access the platform often with just a username and password), lower costs (pay a monthly fee rather than having to buy and maintain in-house servers and software), flexibility, and access from anywhere.
But, as with mobile devices, these benefits come with security risks.
Using a cloud-based platform means that you are using a third party’s software to access data stored on that third party’s server, rather than on your own computer.
Hosting data with a third-party vendor increases risk, as the vendor is itself subject to data breaches, account hijacking, insider threats, malware, denial-of-service attacks, and data loss.
Using these platforms requires clear understanding of the vendor’s security. To determine a vendor’s level of security, consider these questions:
A RISK-BASED APPROACH
Every teledermatology practice is different, both in operation and objectives. The risks outlined above are general risks that may apply differently to each practice. Creating an effective cybersecurity program requires understanding and addressing the specific risks to a practice. This can be accomplished by following three steps:
1. CONDUCT A CYBER RISK ASSESSMENT
Similar to a HIPAA risk assessment, a cyber risk assessment examines four areas:
The results of the assessment can be used to prioritize risk and determine what areas require the greatest allocation of resources.
2. CREATE STRONG POLICIES AND PROCEDURES
Once the risks are identified, create written policies and procedures detailing how to protect the practice from security threats. Common policies include:
As cyberthreats are constantly evolving, cyber risk assessments and policies and procedures should be regularly reviewed, at least once a year.
3. PROVIDE MEANINGFUL TRAINING TO STAFF AND PATIENTS
Once completed, the policies and procedures should be shared with all staff and used as a basis for educating staff on cybersecurity. The goal is to enable staff to understand and recognize security threats, understand how the policies and procedures relate to those threats, and be aware of their responsibilities in protecting against them.
As patients represent a security risk themselves through their potential use of unsecured personal devices, unsecured networks, or weak or shared passwords, they should also be regularly educated on the security measures the practice takes to protect their medical data, and how they can help protect their own data. This education can be started as a part of patient intake, and followed up with a short video or handout.
No cybersecurity program is completely secure, but following a risk-based plan as outlined can help mitigate the additional cybersecurity threats faced by a teledermatology practice.
Disclosures:
Joseph E. Guimera is an attorney and founder of Guimeralaw Cybersecurity Advisory where he helps organizations plan, build, and execute cybersecurity programs. He can be reached at jguimera@