What Health Systems Need to Consider About At-Home Acute Care Security

The Security Risks Related to At-Home Acute Care

Also known as Hospital at Home, the program was developed in the U.S. by researchers at the Johns Hopkins University School of Medicine and Bloomberg School of Public Health in 1995. It allowed older adult patients with acute illnesses to remain in their homes and receive hospital-level care, including telehealth and home visits by nurses and physicians. The participating hospitals also provided remote monitoring devices such as thermometers, blood pressure cuffs and videoconferencing software so patients could receive round-the-clock care.

Patients who are eligible for at-home acute care can often avoid many common complications associated with in-person stays at traditional hospitals, such as delirium and functional decline. At-home acute care programs also assist patients in managing the use of multiple medications and avoiding harmful drug interactions.

But decentralized care delivery comes with risks as well as benefits. Consider the hospital end user: bedside clinicians, patients and caregivers. They present potential complexities and vulnerabilities in the security chain.

WATCH: Community Medical Centers powers operations with data.

At-home acute care is also a target-rich environment that can be exploited as easily as opening an unlocked door. All too often, open doors are exactly what malicious actors look for when they target Internet of Medical Things devices.

IoMT is a double-edged sword: It facilitates communication, flexibility and healthcare capabilities for providers and their patients, but can also be a vulnerability point for malicious actors who want to steal protected health information and other critical hospital data. Stolen medical records are considered by some to be more valuable than stolen credit card information.

In response to mounting concerns about the security of connected medical devices, the U.S. Food and Drug Administration announced earlier this year that it would turn up the pressure on new medical device submissions to meet stronger cybersecurity requirements. The U.S. Department of Health and Human Services has also increased coordinated efforts to improve cybersecurity across the healthcare industry.

Why Stronger Security Strategies Are Needed

For healthcare organizations looking to offer at-home acute care, end-to-end security with a zero-trust policy is imperative. It must encompass all relevant people (including IT and security administrators, staff and contract workers) and hospital governance policies, and include leading-edge technology that complies with HIPAA and other healthcare regulations.

Cybersecurity for at-home acute care must incorporate robust technology built into the hardware and application software, not as an add-on or afterthought. The security mechanisms should address current threats such as malware and ransomware.

Participating at-home acute care organizations must construct strong security policies and procedures governing the use of hospital-owned and staff-owned devices. Bring-your-own-device equipment is one of the chief culprits in healthcare data breaches. It’s difficult for hospitals to control the security of their employees’ personal mobile devices, which may contain patient information. The risks are even greater when at-home acute care patients are included.

LEARN MORE: What is digital health and how is it evolving? 

Therefore, healthcare organizations should enact specific rules and prescriptive guidance for security administrators, employees and patients. No one should be exempt. This means deploying the proper technology and keeping software and systems up to date. Implementing strong access controls are imperative to enable identity governance, manage workforce security and consumer identity and access, and control privileged accounts.

Healthcare organizations with at-home acute care programs should educate employees and patients on how to spot the latest malware, ransomware and phishing schemes. For their part, all end users must adhere to best practices. That means limiting access to at-home acute care employees’ devices and patient-owned devices on a need-to-know basis.

Consider tailored patient education: Older adult patients, for example, may need to include family members or other caregivers in their at-home acute care program, so they should be given security training as well. Perhaps a primary caregiver needs to assume responsibility for the security of (and access to) any connected medical devices.

EXPLORE: How the modern data platform fuels success.

Hospitals should also emphasize to patients the importance of maintaining records of passwords, prescriptions and important account information in a safe place and strictly limit access. At no time should at-home acute care staff or patients ignore, bypass or turn off security mechanisms such as multifactor authentication.

The healthcare cybersecurity landscape is continuously shifting. Malicious actors are relentless. They want to infiltrate healthcare networks and exfiltrate data. Cybercriminals have to be right only once to access confidential patient health data. As care delivery moves beyond hospital walls, security needs to be paramount.