Telehealth Needs Secure Patient Identification Practices

Michael Magrath,

Telehealth can become a game changer as it pertains to how care is delivered. And a very welcomed one at that. Telehealth, designed to help people living with long-term health conditions at home, allows the individual to monitor their own health and send the readings to a health professional who checks results and monitors changing needs. There is danger, however, that the exchange of data between a patient at home and the remote clinician is lacking even the very basic security mechanisms put in place by other heavy lifters in the digital services community such as banking and personal finance. I have attempted to find out why that is and if telehealth may put us, as patients, at risk for cybercrime and ID theft.

Electronic Signatures for Healthcare

Electronic Signatures for Healthcare

Your definitive guide to e-signatures for the healthcare industry


Get your copy

Telehealth defined

The U.S. Department of Health and Human Services (HHS) defines telehealth as "as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications."


As wonderful as telehealth is, it comes with risks, particularly around trust and security. If we use the States as an example, I am well aware that telehealth service providers are HIPAA – the Health Insurance Portability and Accountability Act – compliant, but that is really just the floor in terms of security. With our healthcare system in the cross hairs of cyber criminals, "the floor" is no longer acceptable in the States and equally the security bar would need to be raised by the NHS (National Healthcare System UK).

Indeed, in America, some states require that the healthcare provider and the patient meet in person before engaging in telehealth, while others have no such requirement. Applying equally in the UK, there would need to be a solid chain of trust throughout the system. That starts with knowing that the parties involved are who they claim to be. Is the patient really who they say they are? Perhaps it is the patient’s brother, an identical twin. Most important, is the healthcare provider who they claim they are? Telehealth could expose patients to this 21st century technology approach to fraud, identity theft, medical record errors and potential lawsuits.

Patient Authentication

As with all areas of healthcare, telehealth requires accurately identifying the patient. HHS cautions on its website, "Processes related to patient identification are complex and require careful planning and attention to avoid errors." The fact is, physicians and other providers are trained in medicine and are typically not trained to identity proof patients, nor should they have to be bothered.

Idntity proofing should be performed by a third party, certified by a Government approved provider.

Moreover, patients have a right to know that the person on the other end of a videoconference call is really a doctor. Imposters posing as physicians and practicing medicine is not only illegal, but it runs the risk of undermining trust in the entire telehealth movement.

Beyond identity proofing, authenticating into telehealth systems needs to provide higher confidence and trust. Issuing a static password for parties to access telehealth is not acceptable and could lead to hacking of and the compromising of protected health information.

I look forward to utilising telehealth in the future, but I will feel more reassured knowing that the NHS has taken the proper steps to know that I am who I am and also have elevated security and authentication beyond the floor to protect my privacy and security.

Read more on VASCO’s security solutions for healthcare

This article first appeared in


Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).