Phishing and Security Risks in Telehealth and Video Communication

With the sudden influx of telehealth communication platforms rising to meet needs during COVID-19, barriers to telemedicine have been breaking with record speed. Unfortunately, with the increased use of technology comes increased security risks—risks that leave patient information vulnerable to hackers. 

Since COVID-19, phishing attempts and successes have increased significantly. In mid-April, Google saw more than 18 million daily malware and phishing emails related to COVID-19. The pandemic has changed our relationship with technology and how we operate on a day-to-day basis. Now, fewer people are suspicious about receiving a text that appears to come from a government agency or a trusted healthcare provider. And even in legitimate technological encounters between providers and patients, unsecured information can fall into the wrong hands and give scammers the opportunity to make their phishing messages look more believable. 

According to PhishMe, 91% of cybersecurity threats come from phishing attempts. Phishing scams use emails, text messages, and video conferencing to target victims with fake messages that appear to come from reliable sources, such as government agencies. By changing a single letter or symbol in an address, scammers can take advantage of the recent social upheaval to seem legitimate and get their targets to follow their link and confirm or divulge sensitive information.

Video-enabled platforms are not safe from these types of attacks, especially if they were not specifically designed for healthcare. Since many telehealth appointments begin with the patient clicking on a link or joining a call from an unverified source, it presents a new opportunity for bad actors to take advantage of patients while they're vulnerable. When healthcare providers use common, unsecured video conferencing platforms to conduct appointments, there is no way for patients to verify their identity. Scammers may use phishing messages to send patients legitimate-looking links to a fake appointment or web page, and from there convince them to divulge sensitive information. 

There are a multitude of options for telehealth available now, and it can be difficult to know what the best option is. Ideally, you should look for something that serves your immediate needs AND has the necessary security in place to fend off cyber attacks. Leading up to recent Senate hearings, experts have warned that the relaxation of HIPAA guidelines should only be temporary. Nadia de la Houssaye, a partner with the Jones Walker law firm, emphasized the importance of returning to pre-pandemic levels of HIPAA and data security measures in order to protect patient privacy. To that aim, it is vital that new technologies also adhere to the rigorous standards healthcare has long adhered to. Virtual appointments with patients should be conducted through a secure platform that is HIPAA-compliant and specifically designed for healthcare interactions, with the necessary security in place to protect patient information. 

Pulsara Patient allows physicians to send patients a secure message with a one-time link to a video call. The interaction is encrypted and completely secure. As an extension of the Pulsara platform, Pulsara Patient benefits from the layers of time-tested security built into the system. Unsecured video-conferencing platforms may not allow you to verify where the link is coming from, and whether it will take you to the expected video or to a malicious website. But if the interaction takes place through Pulsara, you can rest assured knowing that any invitation can only come through your provider. The only way to call is to be a registered member. If it comes through Pulsara, it’s been vetted.

The Pulsara product is designed with security in mind. Pulsara is a SOC 2 Type II compliant company that also uses a wide variety of cybersecurity frameworks to optimize our security footprint. Our platform is encrypted at both ends and subject to third-party penetration testing, as well as internal vulnerability testing on all applications. It was developed with multiple layers of security and undergoes a thorough vetting process with the IT group at each hospital prior to implementation. Pulsara is hosted by Amazon Web Services, the leading cloud-based service in healthcare. Protecting PHI is extremely important to us, which is why we are also completely HIPAA-compliant. 

According to Pulsara’s Technical Services Manager, Shawn Olson, the first line of defense against phishing attempts is education. “Your technical safeguards are extremely important, but it’s up to the person,” he said. “No matter how strong your security is, ultimately it’s up to the individual to avoid falling for phishing attempts.” The Pulsara development operations team works around the clock to continually monitor security, and is always ready to combat any potential security threat. We emphasize security awareness and conduct internal phishing tests on all employees, with industry high success rates. (Compared to a national failure average of 37%, we’ll take those odds.) 

Pulsara was designed by healthcare providers, for healthcare providers. Unlike one-off or temporary solutions that focus on serving one immediate need, Pulsara is an all-encompassing solution that can scale up or down to meet the unique needs of your organization while putting the security and protection of your organization and your patients first.

Looking for a secure telehealth solution that works for you? Find out how to choose the right platform for your team.