Telemedicine Raises New Security Issues
In an exclusive interview, Linkous:
Linkous heads the largest membership-based organization in the world focusing on providing healthcare through telecommunications technology. The ATA advocates for changes in laws that promote the development of telemedicine. He formerly served as senior consultant with Issue Dynamics Inc., which specializes in telecommunications and technology policy.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. Today we are talking with Jon Linkous, CEO of the American Telemedicine Association. Thanks so much for joining us today, Jon.
JON LINKOUS: It is my pleasure.
ANDERSON: Telemedicine has been evolving in recent years to include a much wider variety of applications. For starts, what is the best way to define the term telemedicine now in light of that evolution, and what are the biggest areas of growth?
LINKOUS: Well, you know, you are absolutely right, it is growing tremendously both in terms of the number of activities and the type of activities involved. Telemedicine broadly defined is the use of telecommunications technology to provide healthcare, but it is primarily oriented toward providing assistance to patients, to individuals. Its involvement in healthcare is broad, but it is really focused on direct patient care of some sort. And that can be anything from robotic surgery, to reviewing an intensive care unit from a distance, to cell phone applications -- the m-health revolution that is hitting now. It is kind of amazing how fast it is growing.
ANDERSON: What particular areas are growing fastest at this point?
LINKOUS: There are about 6,000 applications that are available over digital phones related to either healthcare or fitness. Some of those are direct to consumers, and some of those are used by health professionals. So certainly that is a rapidly growing activity, and how it fits into the healthcare continuum is one of the challenges that we have today.
Anything related to home monitoring, particularly for chronic care, is a hot topic of discussion. It is growing. Certain applications, like using telemedicine to identify strokes, using telemedicine for ICU review within hospitals, are fairly rapidly growing....
ANDERSON: As telemedicine in all of its forms continues to grow, what do you see as the most critical information security issues that users need to address?
LINKOUS: It is always a challenge to make sure when you are using telecommunications that the information is properly encrypted and to make sure that the transmission of the information is properly protected. But of course, some of the interesting challenges to telemedicine have often occurred not so much in the transmission but in the use of the information at the host institution.
It could be something as simple as when a physician is talking to a patient, using interactive video, where is the physician located? Is it in an open area where people can walk by or look over the shoulder and see who is on the camera? So there are some interesting challenges that we have right now in privacy that are very simple in many cases.
ANDERSON: Does the association have a set of security and privacy guidelines for its members?
LINKOUS: We don't have our own, per se, but we did recently adopt the privacy guidelines that were developed by the American College of Radiology. We felt rather than reinventing the wheel we would look at what other organizations have been doing. At our annual meeting last week, our board of directors approved the ACR guidelines. We thought they were in pretty good shape.
ANDERSON: Can you give us the highlights of what is in those guidelines?
LINKOUS: They looked at protecting the privacy of the information...that is transmitted and how you protect the images in a standardized way using encryption.
ANDERSON: How typical is it for personal health information, including identifiers, to be exchanged via various forms of telemedicine?
LINKOUS: Well, whenever you do a clinical interaction, it is extremely important that the physician or health professional have access to that data. And so whenever there is a telemedicine interaction, of course, by its very nature, there is communication of patient information back and forth. Therefore, there is sharing of information every time there is a telemedicine application.
Now in terms of the actual transmission of the full electronic database containing a patient record, it would depend upon the type of interaction that is going on. For example, if you are using telemedicine for collecting vital sign data, what is really involved is...transmitting that data from the patient via a cell phone or a Holter monitor into a monitoring center, a data reading center, or maybe in directly populating their electronic medical record. But the record itself is not transmitted; it is in a receive mode. And so the information that is being sent is only the specific information relevant to that interaction on that one day.
ANDERSON: Are there particular forms of telemedicine that are more vulnerable to security threats?
LINKOUS: Well again, it is when you get out of the clinical environment and into the consumer environment that we have this interesting challenge ahead of us because telemedicine will enable consumers to be much more involved in either getting information from healthcare or sending in information....
Doctors for 100 years now have been providing information to patients over the telephone and interacting back and forth. Of course, back in the early days, those were party line phones and anybody who was on the party line could pick up the phone and listen in.
So electronic privacy has been an interesting issue almost since the beginning of telecommunications. As we get to digital phones, which have better encryption and some privacy elements that are already built into the phones, that will help. But it is going to be an interesting journey as we move ahead with some of these applications that are getting much more broadly deployed to individuals.
ANDERSON: Do you have any other advice for telemedicine users when it comes to complying with the HITECH Act and its toughened HIPAA privacy and security rules?
LINKOUS: Well, I think it is important to look at the Act itself and understand the basics of it. Often a technology itself is not certified as compliant, it is more about what you do with the information. There has been a lot of discussion, for example, about the online services like Skype and ooVoo, and some of the other services that could be used just on your PC. Most of those are encrypted in some form or nature, but you don't necessarily always know.
So...if you are going to be using some of the new forms of technology and telecommunications, make sure that the technology is appropriate and how you use the technology is appropriate for...following the guidelines for privacy.
ANDERSON: Thanks, Jon. We have been talking today with Jon Linkous of the American Telemedicine Association. This is Howard Anderson of Information Security Media Group.