Telehealth is on the rise and so are telehealth cyber attacks

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Telehealth on the rise at Veterans Affairs and in the private sector has one thing in common with every other digital service. It’s a cybersecurity risk. Now the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology, is planning a healthcare project to establish best practices for security and privacy in telehealth situations. Here with more on the project, senior cyber engineer Ron Pulivarti joined the Federal Drive with Tom Temin .

Interview transcript: 

Tom Temin: And tell us the scope of this project because telehealth is a cyber event in all ways. And so are you looking at simply the hacking cybersecurity classical aspects of this or what else constitutes security in the telehealth situation?

        Join us Apr. 25 at 1 p.m. EST for Federal News Network's StateRAMP Exchange where we'll explore how the StateRAMP program provides cyber assurances as state agencies continue their IT modernization journeys. | Register today!

Ron Pulivarti: So, our project, our Smart Home Integration Project,  we just published it out in August of 2022. As far as our project description goes, and what we’re looking really more so is to figure out the mechanics behind the audio sound like speakers to figure out how patients today use speakers to schedule doctor’s appointments, order medications, do follow up visits. So what we’re looking at, we have three frameworks at this where we always follow as far as our standard dose, risk management framework, our cybersecurity framework, and our privacy-based framework. And these frameworks really provide us a sound guidance for us to follow to develop a practical, usable guide, so that academia, industry and government, and also not for profit organizations could actually start adopting that and using that as a tool. One of the things we’re actually doing part of this project now is we’re going to be putting out a Federal Register notice so that we can start involving the public to come and participate in our lab at the NCCOE. So that we could start kind of playing around and really figuring out and building out example solutions, so that folks could actually learn from it and start using that as some type of architecture in their infrastructure.

Tom Temin: And what are the issues with telehealth as it stands now, I mean, we get on your, well, it could be just the telephone, or it could be a video conference type of situation on one of the platforms, a lot of medical practitioners have portals that they use and so on, what are the issues there?

Ron Pulivarti: So you have, especially with technology, you have beginner to advanced types of knowledge, right? So adopting a standard so that you could actually help someone that knows little to no basic forms of technology to someone that’s very advanced, to have a very neutral set. Because when you start thinking about the technology, and you start thinking about healthcare, there’s so many different ways to intercept. And there’s always bad actors every day. We watch the news we hear about on the radio, it’s a continuous flow of bad actors. So what we try to do based off of this specific project is really lean towards the experts to build and collaborate a strong team so that we can build these sample solutions to help the entire United States. I mean, that’s really our ultimate goal.

Tom Temin: And, and telehealth is there also the issue of the integrity of the situation that’s going on. And I’ll just give an example that was stated to me. Suppose someone is in a telehealth video situation, and there could have been domestic abuse that occurred injury of that nature. And the practitioner, the medical practitioner can see the person they can’t see the surroundings necessarily or could be a blurred background. You can’t tell if a abusive spouse is looming, three feet out of the camera range, this kind of thing. Therefore, the practitioner doesn’t know whether he or she is getting honest information here. Does project out of that scope?

Ron Pulivarti: It does not. But you do see that on a lot of channels when you start watching TV, and that’s one of the big things that has evolved,  are things such as what you gave us those examples, but our project on this specific project does not scope that to that level of degree.

Tom Temin: Okay, well, that’s it for another time, then we’re speaking with Ron Pulivarti, he’s a senior cyber engineer at the National Cybersecurity Center of Excellence. So besides hacking, what are some of the cybersecurity risks in telehealth that seem to be coming up commonly?

Ron Pulivarti: So a lot of it has to do with privacy, right? You’re using audio sounds to communicate personal health information, right? So PHI information is side by side with PII information, right. So being able to provide a safe landscape for individuals to communicate and understand exactly how their architecture is set up is going to be one of the core areas we’re going to be focusing on, especially when we talk about smart integration. But like any device with technology, you’re subject to penetration or hacking of some sort. So understanding the basic principles is going to be one of the key points we’re going to be really trying to put out too for the public to use as a guidance but we’re  really going to be focusing on it the audio capability using our Smart Home Integration Project speaker that we just recently published, as far as our project description goes.

Tom Temin: Yes, because these speakers, these things that you use with voice activation in your home, are a third party, they’re neither you nor your medical practitioner, nor the network carrier, they’re really a fourth party that is trying to glean information about you. And I’m sure they’re smart enough to know the word, Tylenol or the word or statin, or whatever the case might be. And next thing, you know, you’re getting ads for these types of things, or whatever it is you’re talking to your doctor about. That’s something that we have to avoid.

        Read more: Cybersecurity

Ron Pulivarti: Absolutely. Even for my own personal world or my space, I’m surrounded by smart devices all around, I have a safety place that I go to in my house, that I deal with my financial discussions, my health discussions, and so forth. So I’m not surrounded by technology, that’s all around me. And those are basic things. I think, folks, especially when using devices should consider while we start evolving more and more dependent on these smart home devices in our homes.

Tom Temin: In that room, do you have a dryer full of ping pong balls that you start running to make sure that nobody can understand what’s going on? Kind of like the Sopranos.

Ron Pulivarti: I should or might just turn on the faucet, I don’t know, I don’t want to give it away. But just having background noise really makes a big difference, you may cause a little disruption to the party on the phone, you’re speaking to you, but it really provides some sort of distortion so that you can really talk sensitive information if you need to.

Tom Temin: And in the opener, I mentioned Veterans Affairs, which is a pioneer in telemedicine again, all of the channels just a simple phone call to the full bore video type of conference, are they a source of best practices here, or at least current practice that might be adopted into the NCCOE type of work.

Ron Pulivarti: So at the NCCOE, we have partnered with Veterans Affairs, individuals within HHS space, and so forth. And we definitely lean on a lot of government agencies like CISA, as we start creating our collaborative hub for, again, government, industry and academia, it gives the ability to hear about what is it that they’re actually working on, and bring those expertise and knowledge at the NCCOE. So that we can start drafting and create these practical, usable, repeatable guides.

Tom Temin: Because I think this would be of high interest to CMS because they are temporarily paying for telehealth services as a result of the pandemic. But the big question now is, is this going to be part of the mix forever? And so you don’t want to be paying for data that goes to Merck and Google?

Ron Pulivarti: Absolutely. And one of the things, especially this scope of this project isn’t really talking cloud, we’re looking at, specifically the actual devices that take in this audio. And one of the things that we’ve noticed, especially with telehealth evolving, is giving individuals the capability to use some form of guidance. We work closely with health delivery organizations, we really can’t tell the manufacturer how to develop their product but we can provide some form of guidance when you have health delivery organizations that are working with their patients at home, how it is that they could use our guidance to adopt a much more of a safer and practical networking infrastructure.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Tom Temin: And just a final question, you mentioned this notice coming in the Federal Register for people to participate? What will they do? What kind of information what situation will they be going into?

Ron Pulivarti: So the Federal Register notice, we’ll talk about a project and what it is that we’re looking for. Following that there are times we’re going to be provided a letter of interest from individuals that have expressed their skills, they have a solid foundation or knowledge about what type of work we’re doing. And then they would submit a letter of interest over to NCCOE  in which then we would weigh and kind of then make the determination if this will be a qualified individual for them to join our project. We have over 20-plus labs at the NCCOE, we have over 35 active cybersecurity projects. So we’re just constantly on a ramp with a lot of the work that we’re doing over there, but the letter of interest really, which they call an LOI, it really provides us the background to see the skills and the knowledge that they can bring to the table once we can go into the labs.

Tom Temin: Ron Pulivarti is senior cyber engineer at the National Cybersecurity Center of Excellence.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.