Protecting Patient Information in Outsourced Telehealth Services: Bolting on Security When it Cannot be Baked in

Abstract

Hospitals have increasingly employed outsourcing to lower the cost of healthcare delivery and improve efficiency and quality, thereby, enabling more focus on core competencies of patient care, teaching, and research. Outsourcing presents a challenge for protecting patient information when new services are implemented or integrated into an existing healthcare information system. Enabling new outsourced telehealth services often requires “bolting on” security to legacy systems rather than “baking” it into the system. This chapter addresses security practices necessary for healthcare organizations implementing new telehealth services as part of an outsourced relationship. While a number of recommendations are available for security readiness assessments pursuant to HIPAA compliance, none directly addresses the challenge of implementing security for outsourced clinical services. A case study is presented for a recent implementation of teleradiology services within a large regional hospital. Using the case, system vulnerabilities are demonstrated and relevant best practices to mitigate exposing patient information are discussed.