So how do cyber criminals exploit gaps in telehealth privacy and security to get at this data? According to the DBIR, human error is the most common attack vector, but web applications are a close second.
Web applications can be a direct route to patient data if attackers can steal user logins or exploit vulnerabilities in the code. The U.S. government lifted restrictions on the use of consumer-grade communication apps for telehealth, but those apps could be configured in ways that unintentionally give third parties access to private information and communications, a Harvard Medical School team notes.
"For example, Zoom, currently one of the most popular video conferencing platforms, has had a tenfold increase in usage over just a few months including increased use in healthcare, leading to several important privacy considerations, such as intruders joining video conferences or inadequate encryption of communications, leading to the possibility of eavesdropping," the team wrote in the Journal of the American Medical Informatics Association.
Some of the key cyber threats behind telehealth privacy and security concerns include:
- Exploited vulnerabilities in web apps
- Stolen telehealth app credentials (e.g., by sending phishing emails or texts)
- Malware hidden in legitimate-looking telehealth apps
- Exploited misconfigurations or security issues in consumer-grade communications apps