Cybersecurity Expert David Finn Looks at the Sudden Shift Into Telehealth—and its Security Implications

April 17, 2020
As the U.S. healthcare system has shifted rapidly into telehealth-based care delivery, as necessitated by COVID-19-related concerns, CynergisTek’s David Finn shares his perspectives on the cybersecurity implications involved

The very sudden and very dramatic shift into robust telehealth-based care delivery in U.S. healthcare was necessitated by the emergence this spring of the novel coronavirus, COVID-19. While some hospitals, medical groups, and health systems have been making progress in integrating telehealth strategies into their delivery of patient care, until very recently, many patient care organizations had not kicked their tele-delivery into high gear. But obviously, with infection control concerns suddenly becoming urgent and overwhelming, the leaders of patient care organizations nationwide have had to shift quite dramatically into the delivery of care, including triaging, into screen-based and telephonically based interactions, as often and as quickly, as possible.

As Healthcare Innovation reported last month, “On Monday, March 30, the federal Centers for Medicare & Medicaid Services (CMS) announced the creation of a series of blanket waivers, apparently expanding some of the agency’s waiver activity of the past few weeks, in light of the COVID-19 pandemic.”

As our March 30 article noted, CMS announced on that date that, “Building on prior action to expand reimbursement for telehealth services to Medicare beneficiaries, CMS will now allow for more than 80 additional services to be furnished via telehealth. During the public health emergencies, individuals can use interactive apps with audio and video capabilities to visit with their clinician for an even broader range of services. Providers also can evaluate beneficiaries who have audio phones only. These temporary changes will ensure that patients have access to physicians and other providers while remaining safely at home. Providers can bill for telehealth visits at the same rate as in-person visits. Telehealth visits include emergency department visits, initial nursing facility and discharge visits, home visits, and therapy services, which must be provided by a clinician that is allowed to provide telehealth. New as well as established patients now may stay at home and have a telehealth visit with their provider. CMS is allowing telehealth to fulfill many face-to-face visit requirements for clinicians to see their patients in inpatient rehabilitation facilities, hospice and home health. CMS is making it clear that clinicians can provide remote patient monitoring services to patients with acute and chronic conditions, and can be provided for patients with only one disease. For example, remote patient monitoring can be used to monitor a patient’s oxygen saturation levels using pulse oximetry. In addition, CMS is allowing physicians to supervise their clinical staff using virtual technologies when appropriate, instead of requiring in-person presence.”

Since then, CMS has clarified that the historic restrictions on licensure have been, for now, very much relaxed, opening the door to cross-state physician and nurse practitioner participation in care delivery, as needed.

This sudden shift has necessarily been disruptive, along a number of dimensions—one of them being cybersecurity elements. Cybersecurity experts are warning that the sudden rush not only into telehealth-based delivery, but also especially the shifting of massive numbers of clinician and non-clinician hospital, medical group, and health system staff members to remote-based work, has opened the doors to security and privacy gaps and vulnerabilities.

One of those who sees the potential problems in that area is David Finn, executive vice president of strategic innovation at the Austin, Texas-based CynergisTek consulting firm. A former hospital system CISO and well-known speaker in healthcare, the Houston-based Finn salutes the shift into tele-delivery in healthcare, even as he warns that it will be incredibly important to now fix all the security and privacy vulnerabilities that the sudden shift has opened up. Finn spoke recently with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the importance of thinking through cybersecurity issues at this moment in healthcare, as mass numbers of patient care organization staff members, both clinical and non-clinical, are shifted to remote work, and care delivery is shifted as much as practicably possible, to telehealth-based formats. Below are excerpts from that interview.

When you look at this sudden, dramatic, necessitated shift into both remote work and telehealth-based care delivery, how do you see this moment, as a cybersecurity leader?

Well, to begin with, what’s happening right now is really a microcosm of how healthcare was eventually going to be, and in some ways was meant to be, after the industry went through changes related to the HITECH Act and the Affordable Care Act. We’ll have to address some real gaps now, but the reality is that the whole care delivery model needed to change anyway.

What do you see as the major security concerns related to the very sudden, dramatic, massive shift into telehealth?

Absolutely; there are some really huge privacy and security concerns right now. We know there will be HIPAA waivers for certain requirements around the hospital response; and we have to do that. Care will always trump privacy and security, and that’s appropriate. But as we make that shift and realize that telehealth can be effective, we have to figure out how to do this right. And healthcare was already fairly high in remote workers, though it wasn’t usually clinicians. Healthcare was 15-percent remote, but it was primarily coders, and people in the supply chain, etc. I was talking to someone who said that one hospital went to nearly 90-percent remote users, and went to that over a weekend. And so in many cases, they’re at home with their families and the same devices. And so in some cases, you’ve got kids playing video games on computers that have patient information on there.

But CISOs will have to go back and start putting controls on those devices; and certainly that needs to be put in place before things are made permanent. Our Department of Homeland Security and the UK’s version released a joint warning two days ago about phishing; and phishing was up in March almost 700 percent from the month before. It’s really breathtaking. And now people are at home, and no longer behind a firewall, and it’s an unmanaged device. And most were sent home without any additional training. We’re expecting a wave of attacks. So we need to start planning for the future.

So what should the series of next steps be, now?

Whether you’re on the clinical side or the IT side or even supply chain—we’ve been putting a lot of this off to the side for a long time. And it isn’t rocket science. Most of our CISOs knew what to do.

But they were overwhelmed by the day-to-day, right?

Yes, exactly. And they lacked the resources. So now we not only need to patch the boat, we need to get ready for the next salvo that we know is coming. So they’ve got to get ready for real risk assessment. People get so focused on HIPAA-mandated risk assessment. But the goal of the process really is an ongoing risk management process. Sometimes, we’ll choose to make high-risk decisions, and that’s OK as long as they’re thought out. When we get into trouble, it’s when we don’t make conscious decisions. It’s time to create a serious security program, privacy program, and compliance program. So now these CISOs are going to have to go back and look at their internal networks, look at VPNs for home users; and they’re going to have to start instructing home users on how to set up VPNs. And we’re all at home, and so every last tenant on our router knows our password. So we have to look at shared devices. And the threat will now come from outside our network.

One of the most important elements will be your incident response strategy. You’ve got the c-suite and executives and clinician leaders, and they’re in a room, with a level of collaboration and support, and you can’t even do it that way if everyone’s at home. So how do you respond to the next incident, when it occurs in the middle of this incident?

Physicians especially will need the “why” explained to them, right?

I heard it for 25 years in the provider space, and for many years as a consultant. And I’ve never met a stupid doctor, right. And you’re exactly right—it’s going to take a bit more. I’ve always heard they’re the slowest to adopt technology; my experience is that they’re actually the quickest to adopt technology. But I’ve had to spend a lot of time explaining to them the why of things. And for years, we’ve been hearing our employees and clinical staff, whether employees or not, are our first line of defense. But we’ve never actually explained clearly to them why this is important. And you’re absolutely right: it’s going to take more time. And the security people are going to have to learn to understand workflows and even change some workflows. The good news is that we have the technology to maintain security and privacy for patients, without adding hours to the day. If we have to add 10 seconds for multi-factor authentication, I think that we can explain that to physicians, because not only are the patients at risk, so are they. And you’ve got two kids doing streaming classroom work, and both parents working at home.

What is the elevator speech to clinicians and other end-users?

We need to think of multi-factor authentication, and anti-malware software, as the technological equivalent of PPE. And we need it to protect patients, providers, and everyone on the system. And when I’ve sat and explained it to clinicians, they would get it, they would understand. They would be a little irritated, but as long as it worked the way I told them it would work, it would be OK. If it didn’t work as I had promised, well, you don’t get a second chance. And that’s the story: If you have no encryption, no multi-factor authentication, and you’re using your son’s iPad to come into the EMR, you’ll be infected in some way, and then it won’t be a 10-second delay, it’ll be a day or longer. And it won’t be acceptable for them to have to wait in line for the help desk.

How do you see this evolving forward in the next several months?

Struggling through this will be a day-to-day effort going forward. And you’re not going to be able to fix everything as we battle through this, but clinicians and security people will have to take notes, and then I hope that CEOs, CMOs, CNOs, CMIOs, CNIOs, CIOs, will sit down together and figure this out. I drew a graphic about 10 years ago that really shows that the care delivery model needs to change, and the care delivery model would be IT-facilitated, and the IT model would have to change to support the care delivery model. And then COVID-19 came along, and poof, here we are. So IT will have to support telework. And it’s time for clinical operations and supply chain to say, this is how it’s going to be. And we’ll come together and work this out—which is how it should have been as early as 2009. And health IT delivery will have to change. And I think we’ll see a huge drive to more wearables. Today, we talk about Fitbits and phone clicks; but just imagine if we’d been more advanced at this point, and we had an app on your phone that could tell you that you had a fever, and that could be run into the EMR, and alert clinicians.

I recently interviewed the chief medical officer/chief innovation officer of Sheba Hospital in Tel Aviv, Israel. They’re doing amazing things with patients who are being cared for in their homes, including using Bluetooth-enabled thermometers, stethoscopes, and pulse oximeters. There are so many possibilities.

That’s amazing, and cool, and that’s where we’re headed in healthcare. And the only way to bend the cost curve in healthcare is to keep people healthy, and that [the use of remote technologies] will connect with that. And so that will be important. I can’t tell you how excited I was to hear the CMS advice that physicians could practice across state lines. Why wouldn’t we do that? The licensing was so old-school; we have got to change that.

The emergency relaxation measures around licensure and telehealth will be made permanent, probably, many are speculating.

Yes, and that needs to happen.

Is there anything else you'd like to add?

There are no magic bullets here, in terms of creating these changes. And since the HIPAA rule rolled out for privacy in 2003 and for security in 2005, and then meaningful use, everyone’s been waiting for the silver bullet; but there’s no silver bullet. And this is the time to fix it and to implement those changes. We’ve been talking about it for 20 years, and now it needs to start happening. And you’ve got to do it right, or that will just cause more problems. And it’s not going to be easy. And I won’t pretend it will be. But it has to happen, this time. And I think this will drive data standards as well, because we need to advance interoperability.
