Storage |
Lack of monitoring of whether data transmitted during a telehealth session is stored on the patient’s computer or other device’s hard drive. |
Transmission / Accessibility |
Unsure of whether or not PHI generated during the telehealth sessions is accessible to others outside of the organization who have proper authorization. |
Secure networks |
Did not always utilize a VPN to access important websites. |
Lacked mobile application security research before downloading and were unsure about having a disaster recovery plan and security evaluation. |
Encryption |
Did not always know if their telehealth system vendor included details about encryption algorithms. |
Did not always know if encryption keys are periodically updated to meet their privacy and security protocol. |
Consent |
The patient informed consent did not always state that telehealth sessions may be recorded and that pictures may be taken and stored, did not always describe the privacy and security features of the telehealth system, and did not address environment and surrounding security recommendations. |
Did not always know whether or not the organization provided the patients with information pertaining to the security risks of information transfer between the organization and the telehealth system vendor. |
Data backup plans |
Lack of knowledge on whether the data backup plan was reviewed and updated on a regular basis (at least yearly) with a technology breakdown for the telehealth program. |
Lack of knowledge on whether appropriate redundant systems are in place for their telehealth system. |
Authorization |
Not always certain if there were certified privacy and security professionals to evaluate requests for PHI from the telehealth sessions. |
Not always certain if patients receive an accounting of disclosures upon written request. |
Not always aware if a patient’s request for a restriction of uses and disclosures of PHI that is generated from the telehealth system is honored. |