In June, Babylon Health, a UK telehealth startup valued in excess of $2BN, suffered a data breach involving confidential patient information. The breach was exposed via Twitter, when a user of Babylon's video consultation app brought to light the fact that he could see other patients' appointments.
At a time when adoption of telehealth services is growing like never before, pratfalls like these stress the tenuous nature of telehealth in general, as well as the importance of adequate cybersecurity and privacy protections to prevent critical patient information from getting out.
To understand the Babylon breach, as well as the stakes of the pressurized race to bring health services online, I reached out to Ted Wagner, Chief Information Security Officer at SAP National Security Services, and Sebastian Seiguer, CEO of emocha, a mobile health company.
Do you think the Babylon Health breach and others like it was inevitable, and will we see more instances like this?
Ted Wagner: In the push to deliver telehealth services to the public, not all collaboration systems have been fully tested for security. The root cause of the breach was likely a software error rather than a malicious attack, but it was a vulnerability, nonetheless. Telehealth providers must put information security at the forefront—there's too much personal and sensitive data at stake.
As the usage of these services widens, so does the risk aperture. Over time, breaches will weed out the providers that aren't prioritizing security. Clients will opt for teledoc providers they feel they can trust, and those will be the ones with information protection frameworks, such as HITRUST CSF, in place. A thorough security assessment is essential and can identify technical, configuration, or procedural vulnerabilities.
How are patients affected when privacy is breached? How can we do better for patients where privacy and security are concerned?
Sebastian Seiguer: Privacy breaches inevitably lead to an extreme loss of trust, particularly for patients with traditionally stigmatized conditions. Breaches of confidentiality can have significant repercussions -- such as if personal health information is disclosed to parties like a person's employer. The onus is on companies to protect their end-users; if they do not, the new consumer -- the patient -- will take their business elsewhere.
What does the Babylon breach say about the future of telehealth that privacy and security vulnerabilities seem to be growing?
Ted Wagner: I believe this an implementation problem local to this incident. The maturity of video collaboration technology enables secure communications, but it does require the combination of people, technology, and procedure to effectively mitigate security risks. There is the problem of extending this technology to the general public, which may come from different platforms. The use of multifactor authentication, encryption, and strict access control can mitigate these risk factors, but some of these steps may make telehealth less accessible. Users accessing the service from a less secure endpoint or platform may open the door for other attack vectors.
What's the argument for a federal regulatory framework for telehealth?
Sebastian Seiguer: There are multiple security frameworks in place to protect the consumer and patient. A breach will be punished by existing frameworks. We do not need another layer of bureaucracy.
Ted Wagner: Given the existing NIST security controls and HIPAA regulations, I believe there is sufficient guidance on how to secure collaboration platforms. The vulnerabilities exhibited by Zoom earlier this year highlight the fact that software vulnerabilities will occur over time and timely software updates are key to mitigating risks. Good security is an ongoing, rigorous process, and the job is never done. It's not enough to have the security controls in place—organizations must also routinely monitor, measure, and update.