The future of healthcare? Cybersecurity must come first in telemedicine

Babylon Health suffered a significant data breach after one user discovered they could access dozens of patients' video recordings.
10 June 2020


Telemedicine is an industry that has been waiting to rocket. In theory, it’s the perfect solution to an overburdened industry, enabling patients to consult virtually for certain complaints. 

It allows patients to meet with the most relevant specialists from around the country, or even around the world, without the need to wait or travel to a clinic or surgery. 

Up until now, though, it hasn’t really taken off. Much of that can be attributed to low reimbursement, and while rules are evolving, telemedicine represents a small share of total healthcare spend. In 2015, Medicare spent approximately $14.4 million on services delivered via telemedicine — less than 0.01% of total spending on healthcare services.

There has also been a lack of awareness and infrastructure support. In the US alone, 82% of consumers had never used telemedicine services, while there have also been concerns about the quality of care received. 

But the demands of the COVID-19 pandemic have shone a very bright light on this long-to-emerge sector. By necessity, social distancing measures – and the need to keep hospitals and healthcare facility footfall to a minimum – have meant non-critical consultations have been cancelled, deferred, or taken online with telemedicine. 

With work, schooling, and most other types of consultations going online, telemedicine was quickly accepted by consumers as a viable means to receive healthcare advice. Both the CDC and WHO advocated the use of telemedicine to monitor patients and reduce the risks of the coronavirus spreading. 

Plenty of these solutions already existed, albeit underused, and as healthcare organizations and patients scrambled towards them, the market rocketed. Telemedicine platforms have seen a 3x-4x increase in demand across the industry; PlushCare – which enables appointments in the US for a co-pay or “$99 per visit” – reported appointments had risen by 70%, while Amwell saw app use increase by 158%. 

Even tech giants like Cisco, which offers virtual conferencing software, are eyeing this market as a valuable new prize. The telemedicine market is truly on the map and now regularly features in discussions about ‘the future of healthcare’ as a potentially ‘critical’ component that will “continue to move healthcare delivery from the hospital or clinic into the home.”

A report from Grand View Research estimates that, catalyzed by the events of the last few months, the telemedicine industry could continue to grow at a CAGR of 15%, hitting a worth of 155.1 billion within the decade, aided by further advances such as user-friendly wearable devices, sensors and diagnostic equipment for virtual visits, as well as artificial intelligence deployed as interactive virtual assistants or chatbots. 

But, like many industries swiftly thrown into new digital ways of working, the sudden spike in telemedicine usage hasn’t been without its oversights, and while a recent surge is highlighting its benefits, it’s also revealing its drawbacks. 

Yesterday (June 9), Babylon Health – an app which connects patients to GPs for telehealth appointments – was found to have suffered a significant data breach, after one user discovered they had been given access to dozens of video recordings of other patients’ consultations. 

A follow-up check found that a “small number” of its total 2.3 million users could also see other patients’ recorded sessions. 

Babylon Health quickly addressed the issue, confirming that it was a software error rather than a malicious attack: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” it said in a statement.

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

The news of Babylon followed other earlier reports of Zoom meetings, which included telehealth consultations, being left viewable on the internet. The Washington Post reported finding recordings of one-on-one therapy sessions, a telehealth training session which included people’s names and phone numbers, and other “deeply intimate” conversations. 

Speaking to ZDNet, Natali Tshuva, CEO of IoT security company Sternum, said the rush to scale telemedicine solutions, and the rapid adoption by healthcare organizations, had led to a number of issues, including user accessibility due to lack of internet and insurance coverage, for example, but security was the most pressing concern.

“While hospitals have continued to make stringent efforts to ensure security of their networks, particularly following notable ransomware attacks in the past few years, individual devices, at-home patient monitors, and remote-care devices have no embedded security and remain vulnerable,” Tshuva said. 

“The rush to cybersecurity should be as fast as the rush to telemedicine […],” she added.

The healthcare sector remains the most-targeted industry in terms of cyber attacks. A third of all data breaches happen in hospitals, and the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from 15 million to 40 million. Patients’ personal data is a valuable commodity to cybercriminals. 

A report by Deloitte highlighted that, if not managed correctly, telemedicine risks adding to the attack surface of the healthcare industry, risking security, privacy and compliance with issues such as tech failures, lack of informed consent, complex identity management and unpatched consumer software. 

Telemedicine brings great benefits in providing flexible, accessible healthcare to those that need it, but it is a different way of working for the industry – taking it online successfully requires much greater awareness and preparedness in the face of the sophisticated medley of cyberthreats now present.

For the healthcare sector to realize its advantages beyond the pandemic, and for the telemedicine industry to prosper as a result, users will need to know and trust that their meetings are as private and confidential as the consultation room.