In a recent discussion, regulatory attorney Betsy Hodge of Akerman LLP emphasized the imperative for healthcare providers utilizing telehealth and remote patient monitoring services to integrate these systems into their comprehensive enterprise risk management frameworks. With the expansion of telehealth services, she noted the critical need for organizations to develop strategies for managing vulnerabilities—specifically regarding patch management for devices that are now accessed remotely.
Hodge articulated that covered entities—such as hospitals and clinics—must embed considerations for remote patient monitoring and telehealth into their enterprise-wide risk assessments. This integration should subsequently inform the organization’s risk management strategies. A pivotal factor to address is how these entities plan to execute patching or updates on devices operating outside of their physical facilities. Hodge cautioned that it is essential to evaluate these risks before launching a telehealth or remote patient monitoring initiative, particularly given that certain devices, such as implants, may not permit easy updates due to their design specifications.
Given the complexities presented by these devices, Hodge raised concerns about the compensating controls that organizations will need to implement to safeguard the security of their systems. In her audio interview with Information Security Media Group, Hodge elaborated on key issues surrounding privacy and security in the context of telehealth and remote monitoring technologies. These discussions highlighted the need for vigilance regarding compliance with HIPAA regulations, especially in light of the rapid adaptations that have occurred since the COVID-19 pandemic.
The evolution of regulatory standards during this period has created new challenges and opportunities for healthcare providers. Hodge underscored that the proposed updates to the HIPAA Security Rule could significantly affect telehealth and related healthcare services, so organizations need to remain informed and proactive.
Hodge, who specializes in compliance and regulatory challenges affecting healthcare stakeholders—including providers, payers, and employer-sponsored health plans—also chairs the Health and Information Technology Practice Group of the American Health Law Association. Her expertise, coupled with her role as an author and frequent speaker, positions her as a thought leader in navigating the intricate interplay of healthcare regulations and cybersecurity challenges.
The insights shared by Hodge resonate particularly in light of recent trends and vulnerabilities in the industry. With the ongoing risks associated with remote access technologies, organizations must consider the tactics outlined in the MITRE ATT&CK framework, such as Initial Access and Persistence, to better understand potential attack vectors. As telehealth services continue to evolve, the importance of robust cybersecurity measures cannot be overstated, and comprehensive risk management practices are needed to support them.