Asked whether he had any tips to share with clinicians, Mr. Hottman noted that the best time to have a plan is before something dire happens.
“I would make [the possibility of cyberattacks] part of the emergency preparedness program. What if you don’t have access to computers? What do you do?” It’s important to answer those questions prior to systems going down, he said.
Mr. Hottman reported that after a mechanical failure last year put their computer systems offline for a day, “we started putting all critical information on paper and in a binder,” including phone numbers for the state police.
Dr. Vahia noted that another important step for clinicians “is to just pause and take stock of how digitally dependent” health care is becoming. He also warned that precautions should be taken regarding wearables and apps, as well as for electronic medical records. He noted the importance of strong passwords and two-step verification processes.
Even with the risks, digital technology has had a major impact on health care efficiency. “It’s not perfect, the work is ongoing, and there are big questions that need to be addressed, but in the end, the ability of technology when used right and securely” leads to better patient care, he said.
John Torous, MD, director of digital psychiatry at Beth Israel Deaconess Medical Center, Boston, agreed that digital health care is and will remain very important, but at the same time, security issues need proper attention.
“When you look back at medical hacks that have happened, there’s often a human error behind it. It’s rare for someone to break encryption. I think we have pretty darn good security, but we need to realize that sometimes errors will happen,” he said in an interview.
As an example, Dr. Torous, who is also chair of the American Psychiatric Association’s Health and Technology Committee, cited phishing emails, which depend on a user clicking a link that can cause a virus to be downloaded into their network.
“You can be cautious, but it takes just one person to download an attachment with a virus in it” to cause disruptions, Dr. Torous said.
After its data breach, Vastaamo posted on its website a notice that video is never recorded during the centers’ telehealth sessions, and so patients need not worry that any videos could be leaked online.
Asked whether video is commonly recorded during telehealth sessions in the United States, Dr. Vahia said that he was not aware of sessions being recorded, especially because the amount of data would be too great to store indefinitely.
Dr. Appelbaum agreed and said that, to his knowledge, no clinicians at Columbia University are recording telehealth sessions. He said that it would represent a privacy threat, and he noted that most health care providers “don’t have the time to go back and watch videos of their interactions with patients.”
In the case of recordings for research purposes, he emphasized that it would be important to get consent and then store the health information offline.
As for other telehealth security risks, Dr. Vahia noted that it is possible that if a computer or device is compromised, an individual could hack into a camera and observe the session. In addition to microphones, “these pose some especially high vulnerabilities,” he said. “Clinicians need to pay attention as to whether the cameras they’re using for telecare are on or if they’re covered when not in use. And they should pay attention to security settings on smartphones and ensure microphones are not turned on as the default.”
Dr. Appelbaum said that HIPAA requires that telehealth sessions be conducted on secure systems, so clinicians need to ascertain whether the system they’re using complies with that rule.
“Particularly people who are not part of larger systems and would not usually take on that responsibility, maybe they’re in private practice or a small group, they really need to check on the security level and on HIPAA compliance and not just assume that it is adequately secure,” he said.
Dr. Appelbaum, who is also a past president of the APA and director of the Center for Law, Ethics, and Psychiatry at Columbia University, noted that the major risk for hospitals after a cyberattack is probably not liability to individual patients.
“It’s much more likely that they would face fines from HIPAA if it’s found that they failed to live up to HIPAA requirements,” he said.
A version of this article originally appeared on.