Telehealth App Breach Spotlights Privacy, Security RisksGlitch Briefly Allowed Potential Access to Patient Consultation Recordings
A software error that briefly allowed a few individuals to potentially access other patients’ telehealth appointment recordings serves as a reminder of the possible security and privacy risks involving telemedicine applications, especially as the use of the technology soars during the COVID-19 pandemic.
The glitch in a video appointment teleheath application from U.K-based software provider Babylon was reportedly discovered by a user on Tuesday, according to media outlet BBC.
When the individual used the app to check a prescription, he noticed that he had about 50 videos in the “consultation replays” section of the app that did not belong to him. Clicking on one revealed that the file contained video of another person's appointment, the BBC says.
The software application allows Babylon users to speak to a doctor or other health specialist via a smartphone video call and, when appropriate, sends an electronic prescription to a nearby pharmacy.
Babylon’s website notes the company partners with employers, insurers and healthcare providers – including the National Health System in the U.K. and Mount Sinai Health Partners in New York – to provide telehealth services to individuals.
A Babylon spokesperson in a statement provided to Information Security Media Group says one of the company’s clinicians actually discovered the issue on Tuesday about an hour before the patient-user of the app stumbled upon the problem.
“Within two hours we had switched off the video access and already begun assessing who had been impacted,” Babylon says.
”Our investigation showed that two other patients, who had booked and had appointments … were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App,” the company says.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.”
Babylon says it notified the U.K. Information Commissioner’s Office and “will share all the necessary information around this.”
The incident only affected users in the U.K., and this did not impact the company’s international operations – including U.S. customers, Babylon says.
Some experts say that the incident involving Babylon’s telehealth app spotlights a variety of risks facing these technologies, especially as their use is growing during the COVID-19 pandemic.
”The sudden onset of the coronavirus pandemic necessitated quick expansion of the availability of remote healthcare treatment options to help reduce the spread of the virus,” says privacy attorney David Holtzman of the security consultancy CynergisTek.
”Many of the tools and technologies for video conferencing and messaging were not built with strong privacy and security controls,” he notes.
For starters, when it comes to U.S. health data breaches, incidents involving misconfigured IT are a reoccurring problem.
In fact, in 2019, two of the five largest health data breaches added to the Department of Health and Human Services HIPAA Breach Reporting Tool website involved misconfigured IT (see Misconfigured IT Again Leads to Big Health Data Breach).
The HHS website lists health data breaches impacting 500 or more individuals.
Reported breaches involving telehealth applications could potentially become more common as well, especially as the use of telehealth applications during the COVID-19 pandemic has been soaring.
Several factors are fueling the sudden growing popularity of the remote health apps during the coronavirus crisis, in which healthcare organizations are trying to safely screen for cases while also reducing the risk of potential exposure for patients who need to be seen for unrelated health issues.
“There was already a shortage of security experts and practitioners; unfortunately this means that the shiny new ‘virtual doctor’ app may get rushed through.”
— Ian Walters, Coalfire
For instance, in the U.S., the HHS’ Office for Civil Rights in recent months has at least temporarily eased some of its HIPAA restrictions around the use of certain telehealth technologies - and HHS’ Centers for Medicare and Medicaid Services has also expanded coverage of certain reimbursable telehealth services during COVID-19. (See COVID-19:HHS Issues Limited HIPAA Waivers).
”In the necessary rush to telehealth, healthcare organizations were not always able to perform the same level of due diligence and, even if they were, the much larger use of telehealth makes it more likely that security issues will arise,” says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
During this week’s ISMG healthcare security virtual summit, several CISOs also noted that while their institutions had already deployed various telehealth platforms prior to the COVID-19 outbreak, clinicians and patients have also introduced the use of certain preferred telehealth apps into their organizations.
Sometimes these new products have been used in recent months without the more extensive security review usually given to third-party software, the CISOs admit.
”There was already a shortage of security experts and practitioners; unfortunately this means that the shiny new ‘virtual doctor’ app may get rushed through,” says Ian Walters, principal of healthcare risk assurance services at security consulting firm Coalfire.
Some experts predict reports of health data breaches occurring during COVID-19- including those involving telehealth - could spike in the coming months.
”While there is a temporary stay on enforcement of the HIPAA Breach Notification Rule, it would not be surprising if some [telehealth] breaches dating from this period are first discovered long after the OCR notice of enforcement discretion expires, potentially creating breach notification obligations,” Greene says.
While the Babylon breach appears to involve a software glitch that was corrected quickly after it was discovered, misconfigurations and other related vulnerabilities can potentially put telehealth data at risk for more malicious incidents, Greene notes.
”Healthcare is a large cyber security target, so it’s probably safe to assume that the bad guys are looking for ways to exploit the move to telehealth,” he says.
Walters offers a similar assessment. “Unfortunately COVID-19 is just another situation to be taken advantage of for some people. The speed at which new web sites and apps are being developed is potentially creating thousands of zero day vulnerabilities for them to exploit.”
Software and other technology vendors need to be vigilant in the security of new products that are being introduced and deployed, especially during the COVID-19 crisis.
“Security testing must be an integral part of the software development life-cycle,” Walters says.
“This must include patching and a robust change management program that documents every change made, the intended result, and extensive testing and product owner acceptance before release,” he says.
“Change and release management must include a risk analysis of the proposed release, a go/no-go authorization for the app/software to enter production environments, and roll-back instructions if there is product failure or a vulnerability discovered.”
Meanwhile, healthcare entities deploying telehealth apps need to carefully scrutinize new technologies, as well.
”Mistakes and vulnerabilities are unavoidable, but one of the best ways to minimize them is having a reputable outside security firm review the application before it goes live,” Greene notes.
Telehealth technologies provide healthcare organizations with more tools to offer treatment for patients at home, but the tools may not adhere to the same data protection safeguards as telehealth products that are designed with the information security requirements called for by HIPAA, Holtzman notes.
“Now that the immediate crisis has slowed in some areas, CISOs and CIOs should be working to steer their organizations to employ telehealth solutions that have strong privacy and security controls that meet the requirements of the HIPAA Security Rule,” Holtzman says.