As telehealth usage has skyrocketed during the COVID-19 pandemic, cyberattacks, fraud and abuse have emerged as threats to its future growth.
The U.S. Department of Health and Human Services temporarily relaxed regulations in March so that providers could reach out to patients more easily through services such as Apple Inc.'s FaceTime or Skype Inc.'s video conferencing platform.
This change helped accelerate telehealth's growth during the pandemic, according to Nilesh Chandra, a healthcare expert at PA Consulting Group Ltd. However, the relaxed regulations should prompt doctors and patients to be more careful in consultations since it is possible that bad actors could interrupt sessions and gain access to private patient information.
A Sept. 10 report released by cybersecurity firm SecurityScorecard Inc. and darknet content monitor DarkOwl LLC showed that between the second and third weeks of March, when the pandemic was accelerating in the U.S., searches on the dark web for telehealth company names and keywords — like Teladoc Health Inc., Doctor on Demand Inc., Amwell and PlushCare Inc. — climbed 144%.
Telehealth companies saw a 117% surge in IP reputation security alerts caused by malware infections from phishing attempts or other cyberattacks, according to the report. Meanwhile, the healthcare industry overall saw a 77% decrease in these same incidents, suggesting steps have been taken to reduce risk.
A more likely and more dangerous cybersecurity risk, however, is a ransomware attack or system breach within healthcare systems, according to Chandra.
"In those sorts of situations, a lot more data is exposed and a lot more patients are impacted versus in a one-on-one setting between one doctor and patient," Chandra said.
Universal Health Services Inc., one of the largest healthcare providers in the U.S., was forced to shut down its IT applications in the country after a cybersecurity incident Sept. 27. In June, a representative from Providence St. Joseph Health told S&P Global Market Intelligence that external attacks and phishing attempts on its system had risen 50% since the pandemic started.
Data breaches and cyberattacks can result in stolen patient information and compromised internal IT systems, but companies can also be on the hook for steep penalties if they act negligently or do not appropriately protect their systems.
Health insurance provider Premera Blue Cross agreed to pay HHS' Office for Civil Rights $6.85 million due to a 2014 data breach, which is the second-largest settlement the office has agreed to, according to a Sept. 25 press release. Just in September, the office also announced settlement agreements of $2.3 million and $1.5 million for potential violations of the Health Insurance Portability and Accountability Act, a 1996 law that established protections for patients' health information.
Healthcare companies are particularly at risk due to the pandemic because providers are more distracted, said Trish Carreiro, a cybersecurity and privacy litigator at law firm Carlton Fields.
"The healthcare providers are busy, and so they really can't afford to have all of their systems go down, so they're more likely to pay your ransom," Carreiro told S&P Global Market Intelligence. "In essence, you have this perfect storm, combined with people receiving this care who are less experienced and more likely to fall for your scheme."
Telehealth boom leading to more fraud
Telehealth fraud and abuse can stem from over-treating patients or improper billing for virtual care.
Along with cyber risk concerns, experts are also watching for increased instances of fraud and abuse as more patients and providers turn to telehealth and virtual care.
Telehealth services are vulnerable to fraudulent practices that have existed for decades, such as over-treating patients, billing for two visits when one visit is necessary, or a behavior called upcoding, when providers bill for services that bring in higher reimbursements even though the services provided do not meet the billing description, Maria Turner, managing director at the consulting firm AArete LLC, said in an interview.
For example, some providers of virtual check-ins are billing for more costly evaluation and management visits, according to Turner. Virtual check-ins are equivalent to a physician calling a patient later in the day, whereas an evaluation and management service is more of a traditional visit to a doctor's office, she said.
While Turner explained that telehealth services can be manipulated in ways that the healthcare system has seen before, some experts with the Brookings Institution view telehealth services as creating new opportunities to commit fraud.
"Given that telehealth is a new medium for delivering health care, the areas more susceptible to fraud may be unique and unknown to the federal agencies, making it more difficult to detect and stop," Nicol Turner Lee, director of Brookings' Center for Technology Innovation, and Niam Yaraghi, a nonresident fellow of Brookings' Center for Technology Innovation, wrote in a September report.
Telehealth services have been at the center of some of the largest healthcare fraud cases in the U.S. In September, the HHS Office of Inspector General and other federal agencies participated in a healthcare fraud takedown of schemes that led to over $6 billion in losses, with false telehealth claims making up $4.5 billion of the total, according to the office.
Expanding what types of telehealth services are being covered, where those services can be provided, and which types of providers can be paid for the services — all of which has been done temporarily as part of the Trump administration's pandemic response — could open the door for more fraud and abuse, according to Turner.
Ann Mond Johnson, CEO of the American Telemedicine Association, pushed back against the idea that fraud was more likely because of telehealth.
"You can have bad actors virtually, and you can have bad actors in person," Johnson told S&P Global Market Intelligence. "The idea [is] to not create special rules or programs to address telehealth fraud, waste and abuse, but integrate telehealth into existing efforts."
Data on billing behavior during the pandemic, including practices that began because of the relaxed regulations, have only recently come in, which should help organizations pinpoint what types of fraud and abuse, if any, have been occurring, Turner said.
"You have to be able to identify where the anomalies are, who are the outliers, and to get after that," she said. "And as long as claims are just being paid, fraud, waste and abuse is going to continue because it's easy."