Telehealth Needs Secure Patient Identification Practices

Michael Magrath, Director of Healthcare Business Development, VASCO
Michael Magrath

Telehealth can become a game changer as it pertains to how care is delivered. And a very welcomed one at that. However, there is a danger that it is lacking even the very basic security mechanisms put in place by other heavy lifters in the digital services community such as banking and personal finance. I have attempted to find out why that is and if telehealth may put us, as patients, at risk for cybercrime and ID theft.

In the case of The U.S. Department of Health and Human Services (HHS), it defines telehealth as “as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.”

As wonderful as telehealth is, it comes with risks, particularly around trust and security. If we use the States as an example, I am well aware that telehealth service providers are HIPAA – the Health Insurance Portability and Accountability Act – Compliant, but that is really just the floor in terms of security. With our healthcare system in the cross hairs of cyber criminals, “the floor” is no longer acceptable in the States and equally the security bar would need to be raised by the NHS.

Indeed, in America, some States require that the healthcare provider and the patient meet in-person before engaging in telehealth, while others have no such requirement. Applying equally in the UK, there would need to be a solid chain of trust throughout the system. That starts with knowing that the parties involved are who they claim to be. Is the patient really who they say they are? Perhaps it is the patient’s brother, an identical twin. Most important, is the healthcare provider who they claim they are? Telehealth could expose patients to this 21st century technology approach to fraud, identity theft, medical record errors and potential lawsuits.

As with all areas of healthcare, telehealth requires accurately identifying the patient. HHS cautions on its website, “Processes related to patient identification are complex and require careful planning and attention to avoid errors.” The fact is, physicians and other providers are trained in medicine and are typically not trained to identity proof patients, nor should they have to be bothered. Identity proofing should be performed by a third party, certified by a Government-approved Provider.

Moreover, patients have a right to know that the person on the other end of a videoconference call is really a doctor. Imposters posing as physicians and practicing medicine is not only illegal, but it runs the risk of undermining trust in the entire telehealth movement.

Beyond identity proofing, authenticating into telehealth systems needs to provide higher confidence and trust. Issuing a static password for parties to access telehealth is not acceptable and could lead to hacking of and the compromising of protected health information. I look forward to utilising telehealth in the future, but I will feel more reassured knowing that the NHS has taken the proper steps to know that I am who I am and also have elevated security and authentication beyond the floor to protect my privacy and security.

For more details about VASCO’s security solutions for healthcare visit

Michael Magrath, Director of Healthcare Business Development, VASCO