The Overlooked Risk In Telehealth: How Customer Support Systems Can Expose User Data

Telehealth is changing the way people get care, and recent attention has focused on convenience, speed and accessibility: doctors can now see patients, prescribe medication, and manage treatment entirely online. Alongside that ease of use, however, there is risk in the customer support channels (call centers, ticketing, etc.) that telehealth providers use to help their users, because those channels may also store sensitive information about them.

Most discussions about cybersecurity focus on protecting electronic medical databases or medical equipment. However, the majority of support channels, such as call center and ticketing systems, are not well protected. While these systems exist to help the user, they often also retain the user's private information, communication history, and other private data, all of which can be compromised if the systems are not properly secured.

This was seen recently in the Hims & Hers data breach, in which the support channel was breached through a third-party support system and users' medical information was accessed through support tickets rather than through a direct attack on the healthcare database. This is typically something users do not think about when using a telehealth provider.

Customers who contact support can share more kinds of sensitive data than expected: names, email addresses, external and internal account numbers, and other data that might pertain to user-specific health information. In addition, each contact with a support system adds to a long-lasting history of records, creating a large amount of data for an attacker to access.

Traditionally, most support systems are provided on third-party platforms that are outside the direct control of the organization. Using external providers appeals to organizations looking to improve efficiency and grow their businesses, but it adds another layer of complexity to securing the data in those systems. The more integrations there are between customers and a third-party support system, the greater the risk of a breach if the organization does not control them securely.

The data breach that occurred with Hims & Hers is indicative of a broader trend within the telehealth sector: many organizations are unaware of, or don't believe in, the security risk associated with accessing or storing electronic medical records (EMRs). As telehealth platforms continue to develop and expand their digital footprint, the data generated by these activities is stored on multiple digital platforms such as communication systems, analytics systems, and customer support systems, thereby increasing the organization's overall attack surface.

User perception is another key factor in telehealth services. Most people are confident enough to share sensitive information through telehealth because they recognize the medical nature of the interaction. However, few people recognize that providing personal information in a customer service request (e.g., by email) is a personal data exposure risk.

Organizations have an obligation to treat the security of customer service systems the same way they treat the security of their core medical systems. This requires implementing robust technical security measures, such as access control, encryption of stored information, monitoring user activity, and regularly auditing third-party vendors.
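One way to approach the "monitoring user activity" measure for a support desk, shown as an added example that is not from the original article: flag any account that views an unusual number of distinct tickets in a short window. The audit-log format, the account names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
# ISO timestamp, account, action, ticket id.
SAMPLE_LOG = """\
2025-01-10T09:00:05 agent=alice action=view ticket=1001
2025-01-10T09:01:10 agent=alice action=view ticket=1001
2025-01-10T09:02:30 agent=alice action=reply ticket=1001
2025-01-10T09:20:00 agent=alice action=view ticket=1002
2025-01-10T09:45:00 agent=alice action=view ticket=1003
2025-01-10T10:00:00 agent=vendor-sync action=view ticket=2001
2025-01-10T10:00:20 agent=vendor-sync action=view ticket=2002
2025-01-10T10:00:40 agent=vendor-sync action=view ticket=2003
2025-01-10T10:01:00 agent=vendor-sync action=view ticket=2004
2025-01-10T10:01:20 agent=vendor-sync action=view ticket=2005
2025-01-10T10:01:40 agent=vendor-sync action=view ticket=2006
"""


def parse(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def flag_bulk_readers(log_text, window_minutes=5, threshold=4):
    """Return {account: peak distinct tickets viewed in any window}
    for accounts whose peak exceeds the threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # account -> (ts, ticket) pairs still inside the window
    peak = defaultdict(int)
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    for ev in events:
        if ev.get("action") != "view":
            continue  # only reads of ticket content count here
        q = recent[ev["agent"]]
        q.append((ev["ts"], ev["ticket"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()  # drop views that have aged out of the window
        # Repeated views of one ticket count once, so normal back-and-forth is not flagged.
        peak[ev["agent"]] = max(peak[ev["agent"]], len({t for _, t in q}))
    return {a: n for a, n in peak.items() if n > threshold}


if __name__ == "__main__":
    print(flag_bulk_readers(SAMPLE_LOG))
```

In practice the threshold would be set per account type from a baseline, since a vendor integration account and a human agent read tickets at very different rates.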

Users also need to understand where and how their data is disclosed and shared. Careful attention to the contents of support service requests and the use of secure communications can mitigate some of the potential risks associated with exposing personal information.

Growth in telehealth means that cybersecurity practices will have to move beyond the traditional approach. The Hims & Hers data breach illustrates how even systems on the periphery can affect the data security landscape. Consequently, it is crucial for organizations to secure every touchpoint of interaction (e.g., telemedicine visits and phone interactions) in order to protect the confidence that consumers have in the use of digital healthcare services.