How to Avoid Telehealth Security and Privacy Risks

Editor’s note: Alena describes the most effective measures to ensure security for a telehealth application. And if you consider creating a secure telehealth solution, you are welcome to explore ScienceSoft’s telehealth app development offering.
As statistics show, the telehealth market is growing rapidly, which means that the amount of personal data transmitted through telemedicine solutions is growing, too. This makes telehealth platforms attractive targets for cyberattacks like SQL injections into patient forms or man-in-the-middle (MITM) attacks on unsecured video calls. Telehealth cybersecurity is therefore becoming more important, as the leakage of PHI (protected health information) results in serious financial and reputational losses for care providers.
Healthcare data breaches become more pressing every year. In 2024, a mere lack of multi-factor authentication in a patient portal led to the largest healthcare data breach in history, which impacted the health records of 190 million individuals and forced Change Healthcare to pay a $22 million ransom. Relying on ScienceSoft’s experience in protecting healthcare networks, I would like to outline essential security measures that should be taken during telehealth app development and after the application’s roll-out.
Data encryption
In the healthcare industry, data encryption refers to translating patient data into a form that cannot be read by unauthorized users or by anyone who does not have the key. Even if a data leak occurs, the thieves obtain only encrypted health information. For example, we used data encryption to ensure the security of peer-to-peer video connections between patients and medical staff when developing an Android app for a telehealth platform.
Encryption is applied to both stored and transmitted patient data in the network:
- Data encryption at rest protects PHI when it is stored in the cloud or on-premises. Because encryption at rest can slow down a telemedicine solution, I always advise using file-level or block-level encryption to prevent a decrease in the application speed.
- Data encryption in transit secures PHI when it’s transmitted, using in-transit encryption protocols such as SSL/TLS, which rely on certificates to authenticate the server.
In response to the growing need to protect sensitive data well into the future, new security frameworks continue to emerge. In August 2024, NIST released the finalized version of the first key-encapsulation standard for quantum-safe encryption (FIPS 203), based on the CRYSTALS-Kyber algorithm. Its lattice-based mechanism addresses the vulnerabilities of current public-key encryption when faced with quantum computing capabilities. While renowned players in the healthcare industry are already preparing for the quantum era, we can expect quantum-resistant encryption to gradually become the new baseline for protecting patient records.
Data access control
To regulate who can access patient data in a telehealth solution and to what extent, I recommend employing such measures as setting up user roles, user authentication, access rights, action permissions, automatic logoff, etc. Patients and medical staff are thus assigned different roles that allow them to access only particular information and perform a limited set of actions. For example, we at ScienceSoft carried out similar measures to ensure telehealth privacy during the development of a mobile solution for remote care.
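The measures listed above (user roles, action permissions, access rights and automatic logoff) can be combined in one deny-by-default check. The following Python is an added example, not ScienceSoft’s code; the role names, permission names and the 15-minute idle window are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

# Hypothetical role-to-permission map; anything not listed is denied.
ROLE_PERMISSIONS = {
    "patient": {"read_own_record", "join_visit"},
    "clinician": {"read_assigned_record", "write_note", "join_visit"},
    "admin": {"manage_users"},  # administration only, no clinical data
}
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed automatic-logoff window


@dataclass
class Session:
    user_id: str
    role: str
    assigned_patients: frozenset = frozenset()
    last_seen: float = field(default_factory=time.monotonic)


def is_expired(session, now):
    return now - session.last_seen > IDLE_TIMEOUT_SECONDS


def authorize(session, action, patient_id=None, now=None):
    """Return (allowed, reason); every path that is not explicitly allowed is denied."""
    now = time.monotonic() if now is None else now
    if is_expired(session, now):
        return False, "session expired: automatic logoff"
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        return False, "role lacks permission"
    # Object-level check: holding a permission does not open every record.
    if action == "read_own_record" and patient_id != session.user_id:
        return False, "not the patient's own record"
    if (action in ("read_assigned_record", "write_note")
            and patient_id not in session.assigned_patients):
        return False, "patient not assigned to clinician"
    session.last_seen = now  # only successful activity resets the idle timer
    return True, "ok"
```

Denied requests deliberately leave the idle timer untouched, so repeated failed attempts cannot keep a session alive.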
Along with FIPS 203, NIST released two new post-quantum digital signature standards — FIPS 204 (CRYSTALS-Dilithium) and FIPS 205 (SPHINCS+) — to help secure identity verification and data integrity in the quantum era. These algorithms are designed to remain secure even if adversaries eventually gain access to large-scale quantum computers, which would be capable of breaking today’s widely used public-key cryptography.
Dilithium, the main digital signature standard, relies on lattice-based cryptography — a mathematical structure known for its resistance to quantum attacks. It produces relatively small signatures with fast verification, making it suitable for high-frequency user authentication in applications like patient portals or clinician dashboards. SPHINCS+, based on hash functions rather than number-theoretic problems, takes a different approach: it avoids relying on any hard mathematical assumptions besides those used in cryptographic hash functions. While its signatures are larger and its operations slower, it offers a stateless and highly conservative alternative, which can be beneficial in systems that prioritize auditability and long-term robustness over speed.
Security audit
Securing medical software isn’t a one-time effort — it’s an ongoing process that requires constant attention and regular practices to stay ahead of new threats. In my work with telemedicine projects, I’ve found that long-term protection is best achieved through a mix of regular security audits and modern monitoring technologies.
Regular vulnerability assessment and penetration testing procedures can help assess how well a telemedicine app handles potential attacks. You can use recommendations issued following the audit results to increase and maintain the quality of telehealth security.
I’ve also seen many teams starting to use AI-driven threat detection to improve security. These systems rely on machine learning to monitor user behavior, data traffic, and system activities in real time. If something unusual happens (e.g., a user account accesses large amounts of data at odd hours), AI can detect it as suspicious and either alert administrators or take quick action, such as triggering a temporary lockdown. This is especially helpful in large telehealth systems where manual reviews might miss subtle or unexpected risks.
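The behavior described above, a user account reading large amounts of data at odd hours, can be detected by comparing each event with that account's own history. The following Python is an added example, not code from the article; it uses a simple median/MAD statistical baseline in place of a trained model, and the log format, account names and threshold `k` are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample data (not real logs): timestamp, account, PHI records read.
BASELINE_LOG = """\
2025-03-03T09:10:00 dr_lee 14
2025-03-04T14:40:00 dr_lee 9
2025-03-05T10:05:00 dr_lee 12
2025-03-03T20:00:00 nurse_kim 6
2025-03-04T22:15:00 nurse_kim 8
2025-03-05T21:45:00 nurse_kim 7
"""
NEW_EVENTS = """\
2025-03-06T03:12:00 dr_lee 480
2025-03-06T22:30:00 nurse_kim 9
2025-03-06T13:00:00 dr_lee 90
"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return [(datetime.fromisoformat(ts), user, int(n)) for ts, user, n in rows]

def build_baseline(log):
    counts, hours = defaultdict(list), defaultdict(set)
    for ts, user, count in parse(log):
        counts[user].append(count)
        hours[user].add(ts.hour)
    base = {}
    for user, vals in counts.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1  # avoid a zero spread
        base[user] = (med, mad, min(hours[user]), max(hours[user]))
    return base

def find_anomalies(log, base, k=5):
    # Returns [(timestamp, user, reasons)] for events outside the user's own baseline.
    alerts = []
    for ts, user, count in parse(log):
        reasons = []
        if user not in base:
            reasons.append("no baseline")  # unknown accounts are surfaced, not ignored
        else:
            med, mad, first, last = base[user]
            if count > med + k * mad:
                reasons.append("volume")
            if not first <= ts.hour <= last:
                reasons.append("odd hour")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts
```

Because the baseline is per account, the night-shift account's 22:30 access passes while the daytime account's 03:12 bulk read is flagged on both signals.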
Create your app with telehealth security measures in mind
To avoid privacy and security concerns in telehealth, I strongly recommend providing for security measures such as data encryption and data access control, carrying out regular security audits, and ensuring continuous telemedicine system monitoring. If you wonder how security can be enhanced in a cloud environment specifically, this topic is covered in detail in this article. And if you need a qualified vendor to perform these procedures, feel free to turn to ScienceSoft’s healthcare IT team.