Telemedicine privacy risks and security considerations

Virtual health care adoption on the rise

Virtual technologies can potentially deliver health care to more people and places at less cost. Virtual health care—or telemedicine—uses technologies to provide patient-physician interaction, deliver care, and facilitate services without traveling to a care site. Since data is being shared, it’s time to address the privacy risks of telemedicine.

Addressing cyber risk in a new era of medicine

The health care industry continues to seek new advantages in addressing the “triple aim” of access, quality, and cost. Because virtual health care may offer advantages in each of these areas, and because people are increasingly oriented toward the daily use of digital tools, it’s starting to gain in popularity. A recent Deloitte survey found almost a quarter of responding patient-consumers (23 percent) have tried it already. And among those who hadn’t, more than half (57 percent) were willing to try.1

But another Deloitte survey, which polled physicians, found less enthusiasm for virtual health care. One-third of respondents cited the security and privacy of patient information as one of their chief concerns.2

Like many connections, virtual health care requires participation at both ends. To address doctors’ unease and clear the way for greater adoption, organizations will need to execute a cyber strategy that mitigates these risks. Then—just as with online commerce a generation earlier—organizations will need to follow up on the technical achievement with communication that helps both physicians and patients approach this new form of health care delivery with confidence.

As virtual health care increases in capability and popularity, health care organizations will need to continue investing in telemedicine security services to identify risks and keep them at bay. The five key areas to address include:

  • Medical devices and wearables security
  • Identity management and external device authentication
  • Telemedicine security monitoring and behavioral analysis
  • Development, security, and operations (DevSecOps)
  • Telemedicine security training and awareness

1 Ken Abrams, MD, Steve Burrill, and Natasha Elsner, “What can health systems do to encourage physicians to embrace virtual care? Deloitte 2018 Survey of US Physicians,” A report by the Center for Health Solutions, Deloitte Insights, July 18, 2018.

2 “How do health care consumers and physicians perceive virtual care?” (infographic), Deloitte Insights, June 14, 2018.

The landscape of cyber risk

When you add up the points at which an unauthorized user can take data from or otherwise affect a digital environment, the sum of those exposures is the system’s “attack surface.” For the system owner and those who rely on it, the smaller the better.

Yet because virtual health introduces new tools that share information across more locations, it risks adding to the overall “attack surface” of health care in general. Virtual health adds to this risk exposure in key areas of cyber risk, such as:

  • Technology failures
  • Lack of informed consent
  • Complex identity and access management
  • Increased compliance requirements
  • Physical security risks
  • Legacy IT infrastructure
  • Unpatched software in consumer environments
  • Increased third-party risks

By addressing the five key areas of cyber risk identified, provider organizations can bring more consumers and providers into a comfort zone with virtual health. When the actual security is strong, and the perception of it matches that reality, patients and providers alike will be more likely to take part in virtual health and fuel its growth.

Five key areas of cyber risk

3 Wearable Tech Market Set for Significant Growth, MedTech Impact on Wellness, February 12, 2018.

4 Ken Abrams, MD, and Casey Korba, “Consumers are on board with virtual health options: Can the health care system deliver?” Deloitte Insights, August 29, 2018, based on the Deloitte 2018 Survey of US Health Care Consumers and Physicians.

High stakes, hard questions

  • How can organizations maintain the integrity of data as wearables add to the flow of information?
  • How should organizations balance the need for monitoring with security and privacy?
  • What’s the most appropriate way to balance thoroughness and privacy with each type of patient-specific information, ranging from clinical events and consent to scheduling and location?
  • How can organizations maintain privacy while meeting patient demands for convenience and strong user experiences?
  • What kinds of awareness programs are most effective at helping individuals stay connected and vigilant about protecting their data?

Security as a key to broader adoption

There are many parts of the health care environment that rely on data security and cyber risk protocols. Some of them, such as electronic medical records and patient finances, have already reached a maturity level based on years of experience.

Virtual health is a different kind of cyber challenge in part because it’s a frontier—an emerging practice without those years of experience in place. It also relies more directly on cybersecurity: People are concerned about securing their medical records and payment information, but they won’t avoid using the health care system because of those concerns. As Deloitte’s surveys indicated, telemedicine security is a reason some users—particularly physicians—may be reluctant to use virtual health at all.

Taking the steps described here to strengthen cybersecurity in virtual health, and to make people feel confident in those safeguards, is a complex challenge that encompasses clinical technology, digital technology, legal compliance, and consumer relationships. Answering that challenge will require provider organizations to offer innovative new services, protect data, and develop new applications, business processes, and cloud strategies all at once. And of course, this entire undertaking is only one of the competing investment needs a provider must balance.

The argument for putting this investment at the head of the line? It’s a key that can unlock the potential of many others. When virtual health works, provider organizations and their patients can make new strides toward that “triple aim” of access, quality, and cost. But virtual health won’t work that way until a critical mass of people is comfortable using it, and people won’t feel comfortable until they’re confident it’s secure.

Get in touch

Raj Mehta
Deloitte & Touche LLP
+1 713 982 2955

Sean Wright

Deloitte & Touche LLP
+1 404 631 2845

Daniel Poliquin

Deloitte & Touche LLP
+1 312 486 5627


Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?