"We Have No Security Concerns": Understanding the Privacy-Security Nexus in Telehealth for Audiologists and Speech-Language Pathologists: Understanding the Privacy-Security Nexus in Telehealth

The advent of telehealth revolutionizes healthcare by enabling remote consultations, yet poses complex security and privacy challenges. These are often acutely felt by lower-resourced, allied-healthcare practices. To address this, our study focuses on audiologists and speech-language pathologists (SLPs) in private practice settings, often characterized by limited information technology resources. Over the course of six months, we conducted semi-structured interviews with ten audiologists and ten SLPs to understand their telehealth experiences and concerns. Key findings reveal a diversity of opinions on technology trustworthiness, data security concerns, implemented security protocols, and patient behaviors. Given the nature of the medical practitioners’ primary work, participants expressed varied concerns about data breaches and platform vulnerabilities, yet trusted third-party services like Zoom due to inadequate expertise and time to evaluate security protocols. This work underscores the imperative of bridging the technology-healthcare gap to foster secure, patient/provider-centered telehealth as the prevailing practice. It also emphasizes the need to synergize security, privacy, and usability to securely deliver care through telehealth.


INTRODUCTION
Telehealth has garnered widespread acceptance among people who need healthcare and those who provide it [85,98].This digital transformation of healthcare, however, introduces substantial risks to patients' privacy and security [47].While both telehealth and traditional in-person visits often utilize cloud-based services for managing patient data, telehealth introduces unique nuances to existing vulnerabilities and challenges.These include challenges related to authentication, identity verifcation, consent, screen sharing and recording, and regulatory compliance [36].These may stem from specialized hardware and software needed for video communication or data collection from remote patient medical devices.Therefore, telehealth systems not only have to comply with existing legal and regulatory frameworks which may vary across jurisdictions, but they also need to account for these risks [37].
In the United States where our study was conducted, the Health Insurance Portability and Accountability Act (HIPAA) applies to all protected health information (PHI) no matter where or how it is stored [83].HIPAA requires various "reasonable safeguards" to accommodate the varied needs and circumstances of healthcare entities and professionals [20].A large hospital may have a substantial budget and full-time staf that manages a mature telehealth and cybersecurity program that is HIPAA compliant [5,42], while independent providers and small private clinics may need more economical solutions due to fewer overall resources and limited expertise [27].Allied healthcare clinics that provide speech and audiology services are one such healthcare setting that faces challenges arising from both resource limitations and technical expertise constraints [39].Similar to other healthcare practices, speech and audiology clinics must contend with infrastructure, personnel, and technology costs.However unlike many other areas of healthcare, audiology and speech services encounter a unique set of challenges, including limited reimbursement options and declining reimbursement rates from private and Medicaid insurances [40,94].Insurance reimbursements constitute the primary and often the only source of revenue for these clinics.So, many private clinics may have to rely on general-purpose video conferencing technologies such as Zoom and Google Meet to conduct telehealth sessions.Moreover, speech and audiology services involve ongoing patient engagement, as the same individuals often require regular therapy, evaluation, and coaching.The recurring nature of their services makes telehealth an attractive option, and therefore, there is an increasing demand from patients for fexible speech and audiology services [63].Therefore, it is critical to understand the challenges, including the security and privacy challenges, that private clinics experience with telehealth technologies.Yet, resource-constrained healthcare settings remain severely understudied.
Ensuring privacy and security in telehealth is not solely a technological challenge.Humans interacting with telehealth platforms play an important role, especially the primary users of the technology -healthcare providers.It has been suggested that the behaviors and preferences of both patients and healthcare professionals must be considered in the design and implementation of telehealth platforms [92] but there is a lack of studies that discuss medical providers perspectives on telehealth security and privacy.For instance, several studies found that patients who express satisfaction with telehealth encounters are more inclined to keep utilizing telehealth services [28,57,66].Furthermore, Wilowska et al. found that females and healthy adults have the most stringent security and privacy requirements for telehealth compared to males and the ailing elderly [97].This study aims to address this research gap by investigating how audiologists and SLPs in private practice settings currently utilize telehealth services.We specifcally focus on these two allied health specialties as a preliminary exploration for understanding broader concerns of data privacy and security in telehealth in low-resource medical settings.Through interviewing 20 audiologists and SLPs who actively engage in telehealth, this research provides invaluable insights into real-world practices, professional perceptions, and attitudes concerning privacy and security risks.Finally, we identify opportunities for both technological enhancements and behavior-driven solutions that can bridge the existing gaps.Our contributions are three-fold, ofering a holistic understanding of privacy and security behavior in telehealth.
• Firstly, this study furnishes a comprehensive overview of the prevailing understanding and attitudes toward privacy and security among audiologists and SLPs operating in private healthcare practices.This highlights not just the level of awareness among healthcare professionals, but also reveals the nuanced complexities and considerations that inform their daily interactions with telehealth technologies.• Secondly, we identify specifc privacy and security challenges that are unique to these specialists.These challenges encompass difculties in securely transmitting sensitive auditory and verbal patient data and assisting particularly vulnerable populations in the secure use of telehealth software.
These issues aren't solely technological; they intertwine with complex HCI problems related to usability, trust, and accessibility.• Lastly, based on our fndings, we propose a set of actionable strategies for mitigating identifed challenges, thereby improving the privacy and security posture of telehealth services.These recommendations aim to facilitate a more harmonious integration of technology with healthcare delivery, making it easier for healthcare professionals to comply with security protocols without sacrifcing usability or patient care.The strategies touch upon the development of intuitive user interfaces and the creation of targeted training modules for healthcare providers informed by our research, thereby forming a synergistic approach that straddles the intersecting domains of security, privacy, and healthcare delivery.

RELATED WORKS 2.1 Telehealth Privacy and Security Concerns
The feld of healthcare has observed a signifcant rise in privacy and security threats, particularly within the telehealth domain [32,74,85].This mirrors telehealth's increasing importance in contemporary healthcare delivery [76].Many researchers stress the essential role of protecting patient data and ensuring confdentiality within telehealth services [74,96].Furthermore, data breaches remain a signifcant concern in telehealth [15], mirroring trends seen across various industries [9].Several factors contribute to these breaches, including employees' lack of awareness, inadequate security protocols, and a limited allocation of resources for technological solutions [19,38].This underscores the importance of understanding users' perspectives beyond just the patients'.
Establishing secure communication channels between healthcare practitioners and patients stands paramount in telehealth security [86].Alarmingly, some providers use messaging software that falls short of regulatory standards for patient information exchange [1,22,93].This non-compliance jeopardizes both the HIPAA requirements and patients' privacy [75].As telehealth adoption accelerates, we must bridge knowledge gaps-especially in private and specialty practices-to ensure the safe operation of telehealth platforms [24].Drilling deeper into specialties, felds like speech-language pathology and audiology have seen growing telehealth integration, sparking concerns over security and privacy.While much research in these areas has delved into implementation barriers and tech solutions, they often overlook the privacy and security facets [82].Prior studies have highlighted the necessity of earmarking resources and delivering training for robust patient data protection [36].This involves adopting data encryption techniques, rolling out rigorous privacy and security training modules, and investing in technology that protects patient data, while simultaneously elevating practice efciency [12,95] which may not be aligned with the resource limitations of allied healthcare practices such as that of audiologists or SLPs.Studies squarely focused on audiologists and SLPs have concentrated predominantly on telehealth implementation barriers [13,80], increasing adoption of telehealth [16,33] or policy considerations [43].Nevertheless, there is a notable gap in the literature concerning the privacy perceptions and behaviors of these professionals in relation to telehealth.A study conducted by Dykstra et al. investigated the cybersecurity behaviors of audiologists in private practices.The study revealed that audiologist possess a limited understanding of cybersecurity and do not allocate sufcient resources to protect against potential cyber threats [27].However, it is important to note that this study did not consider the telehealth practices of the participants.

Perspectives of Allied Healthcare Professionals on Telehealth
The exponential expansion of telehealth has spurred substantial investigation into its implementation and ramifcations [74,85,92].Moreover, current research on telehealth security and privacy largely focuses on creating new technological solutions [82], while technology is pivotal, addressing human and organizational aspects that might lead to security risks is equally crucial [71].Yet, perspectives from audiologists, SLPs, and similar allied healthcare professionals in private practices remain notably understudied [38,82].
Building on the security and privacy challenges previously discussed, healthcare practitioners and patients continue to employ telehealth technologies, highlighting their indispensable value [30].However, breaches in security can signifcantly erode trust in these systems, underscoring the importance of improving our understanding of healthcare security and privacy within telehealth, especially from the lens of healthcare professionals [46].Hall and McGraw highlight that breaches in patient privacy and security lapses can both compromise care quality and weaken patients' trust in telehealth technologies [36].Such a decline in trust might deter patients [72,92], especially those in remote or under-served regions, from using telehealth services they heavily rely upon [89].While we gather comprehensive insights into the general perceptions of these professionals regarding telehealth, a gap remains in research addressing their specifc privacy and security apprehensions.Our study aims to bridge this, focusing on the allied healthcare practices which are severely understudied.Among healthcare providers, attitudes and apprehensions regarding telehealth security substantially impact its acceptance and adoption [36,48].In their systematic study, Watzlaf et al. analyzed the existing practices regarding privacy and security in the utilization of telehealth technology by healthcare practitioners.Nevertheless, the authors failed to document any studies that take into account the viewpoints of allied health professionals such as audiologists or speech-language pathologists [96].Similarly, Houser et al. performed a comprehensive analysis to uncover the obstacles and contributing variables concerning privacy and security in telehealth visits during the COVID-19 pandemic.They conducted a systematic evaluation of scholarly articles that examined the utilization of telehealth in the healthcare industry, encompassing both providers and consumers of healthcare using telehealth.The selected articles were published between January 2020 and February 2022.Nevertheless, the authors did not report on any papers that consider the allied health perspectives [38].Building on the vulnerabilities associated with healthcare providers' authentication and access control techniques often raise concerns in telehealth security [27], even though experts frequently suggest them as security solutions.
Previous studies have shown that providers sometimes bypass authentication steps or share login credentials [29], often driven by burdensome access control measures [79].Research on this topic tends to focus on larger healthcare institutions, potentially overlooking challenges unique to smaller private practices with limited tech resources [96].A related challenge lies in patient education about telehealth security [45,78].Patients' limited understanding can lead to unintentional breaches, like revealing personal health details in unsecured environments [35,91].Providers often underestimate this knowledge gap, highlighting the need to gain a deeper understanding of these issues from their perspective.
Although there is an increasing number of studies on telehealth, there are still gaps in healthcare professionals' readiness to adequately handle important privacy and security concerns in telehealth [24,36].Dubose-Morris et al. conducted a study on telehealth education and training during the COVID-19 pandemic.They discovered that prior to the pandemic, telehealth training, which encompassed privacy and regulatory frameworks, was not consistently provided.Approximately 30% of programs reported a lack of formal training [26].In addition, healthcare personnel often have insufcient training and awareness of cybersecurity and data protection best practices for telehealth [99].As such, it is essential to have a more profound understanding of perspectives surrounding healthcare security and privacy in telehealth, particularly from healthcare experts.

Cybersecurity Concerns in
Under-Resourced Healthcare Practices As telehealth extends beyond traditional healthcare environments, the need to protect sensitive patient information grows even more crucial.Nevertheless, privacy and security remain insufciently studied, especially in low-resource healthcare environments such as allied healthcare practices [90].This gap persists despite audiologists, SLPs, and similar allied healthcare professionals in private practices facing unique challenges, particularly those contending with limited technical resources [27,59,62].Because of these challenges, healthcare practitioners often struggle to implement cybersecurity measures, resorting to self-taught approaches [44,69,96].Practice size and IT capabilities introduce further complexity in the telehealth landscape.As Pickering et al. 's study highlighted, small and medium enterprises in general with fewer technical resources markedly struggle to consistently uphold security protocols [64].
Prior research conducted in Indonesia [69] and Malawis [62] underscored defciencies in cybersecurity awareness among medical professionals in lower-resourced community health clinics.However, minimal research has examined audiology and speech-language pathology practices in the US contending with similar resource limitations.Our work signifcantly builds on fndings from these previous studies through robust sampling focused exclusively on small-scale practices within the two felds of audiology and SLP.Several studies have also underscored the role of patient demographics and accessibility barriers in shaping telehealth experiences.Wang et al. stressed the importance of optimizing telehealth platforms to serve diverse populations equitably [92].Complementarily, Almalki et al. called attention to pronounced service access barriers frequently encountered by elderly patients in telehealth [6].Other works emphasized potential telehealth benefts for rural areas as well as homebound individuals facing mobility constraints [31,89].Such demographic considerations may disproportionately afect audiologists and SLPs, since they routinely serve patients from vulnerable or marginalized groups.Thus, our study provides crucial frsthand qualitative insights into this complex landscape from the direct lens of such healthcare professionals.

METHOD
This study aims to focus on the relationship between the adoption of telehealth services and the awareness of healthcare professionalsspecifcally audiologists and SLPs-concerning issues of privacy and security.We concentrate our investigation on professionals working in private practice settings within the allied healthcare disciplines of audiology and speech-language pathology in the United States where they have limited IT resources to support their privacy and security needs.By focusing on these specialized felds, we aim to shed light on the setting-specifc implications of telehealth technologies.The overarching objective of this research is to systematically investigate the privacy and security practices, attitudes, and measures that are perceived by audiologists and SLPs to be connected with the integration and application of telehealth services in their respective felds.We seek to explore how these professionals balance challenges and risks while embracing the advantages of telehealth technology, especially with resource constraints.

Research Questions
This study aims to reveal how various factors centered on privacy and security afect the use of telehealth technologies among audiologists and SLPs in private and allied healthcare settings.To understand this multi-faceted issue, we formulate the following research questions: • How much do audiologists and speech-language pathologists practicing in private healthcare facilities understand privacy and security issues related to telehealth? • What strategies and practices do audiologists and speechlanguage pathologists employ in the realm of privacy and security when integrating telehealth technologies into their clinical workfows challenged by resource constraints?What emergent challenges related to privacy and security are perceived by these professionals?• How do audiologists and SLPs in private healthcare settings actively institute measures to protect the privacy and security of sensitive patient data when utilizing telehealth technologies?

Recruitment Strategy
The research team adhered to institutional ethical guidelines and obtained approvals from relevant ethics review boards prior to participant recruitment.The target population comprised professionals from two allied healthcare disciplines: audiology and speechlanguage pathology.Utilizing a stratifed purposive sampling approach [68], we aimed to recruit an equal number of audiologists and SLPs-10 from each feld-to allow for a balanced exploration of professional viewpoints.Initial outreach was conducted via professional networks, academic forums, and special interest groups.
To augment the study's visibility, we leveraged specialist social media groups focusing on audiology and speech-language pathology, along with other digital platforms, to disseminate information about the study's aims and participation criteria.Two authors of the manuscript had personal connections with individuals working in the feld of speech and audiology services.The insights and perspectives gained from these personal connections served as the initial source of motivation for undertaking this study.These personal connections also played a pivotal role in facilitating the recruitment process.
We also enlisted the partnership of relevant professional societies to help distribute the invitation, namely the American Speech-Language-Hearing Association (ASHA) [7] and the Academy of Doctors of Audiology (ADA) [60].Recruitment emails were disseminated to members of these organizations using their expansive membership databases.As an auxiliary strategy, we also employed snowball sampling methods to broaden the participant base.However, these inclusive recruitment methods also led to a considerable infux of 83 ineligible or false queries.Subsequently, we implemented a rigorous screening procedure involving manual evaluation to identify and exclude spam responses.

Participant Demographics
Upon concluding the recruitment phase, the study assembled a participant pool exhibiting considerable demographic and professional diversity.Participants were drawn from various geographical locations across the United States through online participation, thereby capturing perspectives infuenced by diferent regional healthcare policies and practices.The participant composition was deliberately diverse, representing a spectrum of professional roles within the felds of audiology and speech-language pathology.Participants difered not only in their specifc job responsibilities but also in their years of practice and familiarity with telehealth technologies.
The incorporation of participants with varying levels of experience and expertise in telehealth provided multifaceted insights into the challenges and opportunities linked with the adoption of telehealth services in private healthcare settings.For a detailed breakdown of the participant demographics, please refer to Table 1.This table provides a comprehensive profle, encapsulating elements such as professional designation, gender, years of experience, and platforms used for telehealth consultations.While, our sample exhibited some skewness in gender distribution ( 100% female SLPs and 70% female audiologists).This disproportionate gender is reasonably representative given that over 80% of audiologists 1 and over 90% of speech-language pathologists2 are female.

Interview Process
We initiated the interview process by actively disseminating recruitment materials to our targeted audience.When potential participants contacted our research team using the provided email, we conducted preliminary screenings to determine their suitability.From 104 inquiries, we vetted and identifed 21 participants who met the study's criteria, ensuring a pertinent participant pool.We then arranged virtual interviews for these 21 candidates on Zoom, a we briefed participants about the study's objectives, methodologies, and ethical considerations.We obtained verbal informed consent from each participant, which included permission to record the session on Zoom Furthermore, we gave participants the option to disable their video if they felt uneasy about visual recording.However, due to unforeseen circumstances, one interview had to be canceled, leading to a fnal count of 20 participants.We adopted a semi-structured interview format, crafting openended questions to elicit detailed responses from participants.This design fostered honest conversations, letting each session naturally adjust based on the participant's insights.The full questionnaire is provided in Appendix A. We refned these questions through 13 pilot interviews involving our research team, lab members, and external contributors from October 2021 to July 2022.To show our appreciation for the participants' input and time, we rewarded each participant with a $50 USD electronic gift card upon interview completion.
Subsequently, we permanently deleted the original audio recordings for confdentiality.
For our analysis, we used a thematic approach, as described by Mildner [53].The frst author generated a codebook using an inductive review of the interviews.To verify the coding's consistency, the second author recoded two random transcripts.Their inter-rater reliability (IRR) revealed a Cohen's kappa of = 0.76, denoting strong coder agreement.Both authors then discussed discrepancies, clarifying code defnitions and merging insights to refne the codebook.With the updated codebook, Two researchers analyzed the remaining 17 transcripts and one manually noted interview through an iterative process, meeting regularly with the other authors to discuss emerging themes.We employed NVivo [49] and MAXQDA [51] for data coding and analysis.We added, merged, and split codes as new patterns emerged over three coding iterations.The frst iteration focused on open coding to identify frst-pass themes.The second iteration involved refning, consolidating, and organizing codes under higher-level categories.The fnal iteration aimed at distilling themes into a structured narrative focusing on the nuances of implementing telehealth solutions, especially regarding privacy and security.This narrative ofers a deeper grasp of the practical and ethical dynamics within the audiology and speech-language pathology sectors.

Data Analysis 4 RESULTS AND DISCUSSION
After each interview, we auto-transcribed the audio recordings and verifed them against the original audio to ensure accuracy.
For the participant who opted out of recording, we captured their input through real-time manual notes.We then anonymized all transcripts and notes to remove identifable details.Both the frst and last authors reviewed the content to eliminate any identifers.
Ensuring the confdentiality and security of patient data during telehealth is crucial in audiology and speech-language pathology, as our participants have recognized.During the interviews, the healthcare providers discussed various topics related to their use of telehealth, including data collection, authentication, and security awareness in telehealth.Participants also discussed patient attitudes towards telehealth from their perspectives.Our analysis examines participants' views on data privacy and also variations in their knowledge of telehealth security and privacy.Lastly, we highlight the distinct perceptions of audiologists and SLPs, emphasizing challenges, particularly in patients' technical profciency, including children and older adults.

Patient Data Collection and Identity Verifcation Processes
In the context of audiology and SLP services, healthcare providers employ a variety of strategies to collect and protect patient data during telehealth sessions.This data includes personal information, health records, insurance data, and pertinent symptoms and concerns of patients.The primary objective of this data is to ascertain that the healthcare practitioner possesses a comprehensive understanding of the medical history of their patients and to provide them with personalized care.

Data Collection Strategies and Procedures.
Our participants follow a variety of privacy and security strategies to collect patient data.Some of our participants (A1, A9, S2, S8) mentioned that telehealth is introduced only after the initial visit and exclusively to established patients, aligning with organizational policy compliance.This approach minimizes personal information collection during telehealth sessions, as the bulk of personal data is submitted in person.Another way of data access control our participants mentioned is avoiding use of third-party web services and instead collecting information through phone calls, preferred by their patients.For example, as A1 emphasizes that: "Any personal information is really limited as far as what is verbally addressed through the call." (A1) Consequently, during telehealth sessions, limited personal information is disclosed, such as patient name and the particular health issue under discussion.The limited data interchange arises from the provider's possession of extensive medical histories and patient information, from previous encounters.Providers who accept new patients for telehealth services adhere to diferent protocols.Some healthcare providers utilize electronic communication to send forms to gather personal information, health records, insurance particulars, and pertinent symptoms or concerns.The primary objective of this data collection endeavor is to ascertain that the healthcare practitioner possesses a comprehensive and precise understanding of the medical history of the recently admitted patient.As A3 explains: "The new patient has already initiated an appointment so we then send online forms." (A3) In a similar vein, S10 delineates their intake protocol for new patients, which entails the involvement of administrative personnel who contact these patients in order to collect the necessary information, patient concerns and the initial appointment is scheduled.
"The admin will reach out to the client, gather basic information concerns and they will schedule the initial appointment." (S10) This process involves the collection of sensitive personal information, necessitating secure data handling and communication channels.Collecting patient data prior to the consultation is crucial because it helps the providers prepare for the telehealth consultation.It also prevents the need for spending valuable consultation time in trying to obtain the necessary information.

Patient Identity Verification
Processes.The process of verifying the identity of patients participating in telehealth is critical in order to uphold ethical and legal standards, comply with healthcare regulations, and secure sensitive health information.To prevent medical errors, improve the precision of prescriptions and treatments, and foster confdence between patients and healthcare providers, precise identifcation is vital.Additionally, it is instrumental in secure against fraudulent activities, ensuring precise invoicing, and establishing a secure chain of accountability within the feld of digital healthcare.As such identity verifcation measures are indispensable for ensuring the security and efcacy of telehealth services.
We asked our participants to explain their patient identity verifcation processes, there is variation between respondents in their procedures pertaining to the verifcation of patient identity prior to the start of telehealth sessions.For example, A9 fnds formal validation unnecessary as they indicated their ability to recognize their patients: "Most of the people that I'm doing telehealth with on the audiology side. . .I know these patients. . .I know their face." (A9) In the interview, A9 highlights their familiarity with the majority of patients in telehealth sessions, emphasizing recognition of their faces.This suggests an established relationship, from prior in-person consultations.While this familiarity can enhance the patient-provider connection and reduce the need for extensive data exchange, it raises considerations for formal identity verifcation and ensuring informed consent.Conversely, A2 delineated a procedure in which they authenticate the identifcation of patients: "I confrm their identity because that's always kind of a question mark when you're meeting people online, you never know who's actually signing in." (A2) Our participant responses underline the signifcance of identity verifcation within the telehealth domain.Ensuring the authenticity of participants' identities is of utmost importance, particularly in the digital domain where it may not be feasible to authenticate using physical evidence.As such, A2 highlights the critical need for confrming patient identity in telehealth, given the inherent uncertainty of online interactions.The potential for anonymity aforded by the internet gives rise to apprehensions over the true identity of those situated behind the screen.The verifcation process serves the dual purpose of protecting the privacy and security of telehealth sessions and promoting trust and confdence between healthcare providers and patients.This process ensures that confdential medical information is only shared with the intended recipient, thereby improving the overall quality of care provided via telehealth.
Furthermore, telehealth provides a secure platform for confdential health consultations, protecting people' sensitive health information from public exposure.This is particularly vital for those in delicate professions.The need of this discretion is emphasized by A2, who, when questioned about their patients' apprehensions, stated that certain patients are deeply concerned about the confdentiality of the information they provide, fearing potential repercussions on their professional careers: "I'm working with a patient who's a singer . . .and [they] tell me I'm having trouble perceiving pitch now because of my ear injury and I don't know if I can keep singing at the level that I used to but they don't want that information getting out because that could impact their employability and their ability to continue their career."

Provider Awareness of Security and Privacy
Our participants exhibited a diverse array of perspectives coming from varied background and discuss in detail about security and privacy in telehealth, demonstrating a combination of awareness and confusion.
4.2.1 Limited Awareness and Understanding.Eight participants (A2, A4-A6, A8, A10, S1, and S8) expressed a relative lack of awareness of potential security concerns associated with telehealth.For instance, A2 displayed a sense of assurance by asserting that their actions were as safe as a confdential conversation held face-to-face in a private setting.As they state: "What we're doing is as secure as a phone or as a conversation in a room behind closed doors." (A2) This attitude might stem from a generally positive experience with telehealth.This statement also conveys a high level of confdence in the security of telehealth sessions, indicating that any sensitive information exchanged during these exchanges is efectively protected.This perception that telehealth is inherently secure is due to the lack of our participants' expertise in cybersecurity which has been emphasized by multiple participants (A8-A10, S5, S7-S10), and as A10 notes when asked about the ways security and privacy of healthcare data factor into their telehealth appointments: "This is outside of my area of expertise." (A10) "I don't have like a tech background." (S5) "I would not consider myself an expert in computer privacy and security by any means" (S7) Furthermore, three participants (A4, A6, A9) admitted to having a restricted understanding of privacy and security matters, which might be attributed, in certain instances, to their limited exploration of the security dimensions associated with telehealth.In fact, A4 acknowledged a lack of comprehensive examination of privacy statements from the viewpoints of both patients and providers, hence indicating a defciency in comprehension pertaining to the implemented security measures: "I'm actually not sure I. . .you know. . .I'd have to go in and read their privacy statement from the patient side and from my side, which I'll be honest I have not done." (A4) This raises apprehensions regarding our participants understanding of the data privacy and security protocols implemented during telehealth sessions.The lack of understanding regarding the platform's privacy policies may jeopardize the privacy of patient data and impede the efective communication of privacy measures to patients, which would afect trust and informed consent.However, this limited inquiry might be ascribed to the underlying premise that others bear the responsibility for guaranteeing security and privacy.

Recognition of Inherent Limitations. Four participants (A5, A8-A9, S1
) demonstrated some level of skepticism towards the concept of information security, recognizing the signifcant difculty in attaining complete security within any digital framework.A5 expressed this sentiment by observing: "Nothing is perfect, nothing is impenetrable if somebody really wants in, they're going to get in it." (A5) By citing real-life instances, such as the multitude of security breaches encountered by prominent corporations such as the 2013 Target data breach, participants emphasized the alarming fact that even the most heavily fortifed systems can be susceptible to persistent hackers.This acknowledgment of the inherent limitations of security measures refects a pragmatic understanding of the complex landscape surrounding information security.

Variation in Security
Knowledge and Implementation.The signifcance of security measures and the level of awareness among telehealth practitioners cannot be overstated, given the highly sensitive and confdential nature of healthcare data.During telehealth sessions, healthcare providers are entrusted with the private medical information of patients, and it is incumbent upon practitioners to fulfll their ethical and legal obligations in ensuring the security and privacy of this data.Insufcient security protocols may result in the occurrence of data breaches, thereby jeopardizing the confdentiality of patient information and potentially inficting irreversible damage.As such, we try to understand the levels of awareness of our participants as well as the security measures they implement.Seven of our participants (A4, A6, A9, S5, S7-S9) expressed a restricted comprehension of security and privacy, as indicated by S7: "Maybe I should preface this by saying I would not consider myself an expert in computer privacy and security by any means so my feelings on it I guess are impacted by my lack of knowledge in the area." (S7) The acknowledgment of a lack of expertise in computer privacy and security implies that their perceptions or attitudes regarding privacy and security in telehealth are shaped by their restricted understanding in this domain.This suggests possible difculties in navigating the intricate feld of digital security in telehealth, resulting in an increased susceptibility to overlooking crucial security measures.Nevertheless, the majority of participants (A1-A4, A6, A9, S1, S2, S4, S8-S10) recognized the signifcance of privacy and security.As such, many participants (A7, S7-S8, S10) reported that they rely on assistance in addressing matters pertaining to security and privacy.Both A7 and S10 indicated receiving support and guidance from their respective spouses.Nevertheless, A7 reports depending on the aid of non-experts, to navigate issues related to information technology and cybersecurity: "Right now, it is my husband who can help me, and he's not an IT person.He knows enough to fx things and get things done, but he's not an IT professional by trade." (A7) This reliance on non-IT professional raises concerns regarding possible oversights in ensuring the security of the telehealth environment.underscores the prevalent issue of healthcare professionals lacking IT expertise and resources and depending on personal connections for technical assistance, emphasizing the necessity of guaranteeing sufcient IT resources to adequately handle privacy and security concerns.Furthermore, three participants (A5, S1, S6) have placed signifcant emphasis on their dedication to ensuring privacy and security, noting that they have implemented extensive measures to protect the confdentiality of their telehealth sessions, demonstrating a proactive stance towards ensuring security.As A5 notes: "We do the best and we carry policies and insurances to protect us in the event that [a cyber attack] happens. . .everything is protected. . .we do the best that we can in a way that should minimize our risks of hacking we don't open links from emails the whole team knows that, we review it every year, if I have software updates we do them physically through our software we don't do them through links so we do the best that we can." (A5) Participants such as A5 highlighted their proactive stance towards ensuring data privacy and security in telehealth.They discuss the implementation of policies and insurance coverage as a measure to mitigate the possible impact of cyber attacks, showcasing a strategic approach to risk management.Furthermore, some of our participants emphasized the implementation of precautionary measures, such as refraining from clicking on email links and doing software upgrades manually.It also promotes the cultivation of a collective understanding of these practices across the whole team through periodic evaluations.However, not all telehealth practitioners have the same level of expertise or awareness when it comes to cybersecurity.While some take proactive measures, such as implementing two-factor authentication, access control, auto-logout features, and virtual waiting rooms, others may be less informed due to their professional background, or the resources available to them, or time constraints to acquire knowledge and expertise pertaining to privacy and security: "I don't have like a tech background to know like every single thing about Zoom security" (S5) "A lot of it in the beginning was just trying to fnd any resources" (S9) "I have to depend on other people to do this because guess what I don't have time and my job is not to do cybersecurity, my job is to take care of patients." (A9) Our participants highlight the importance of efcient and userfriendly security solutions to overcome gaps in knowledge and time constraints as well as limited resources, in order to ensure efective protection of data in the changing feld of digital healthcare.Furthermore, the observed disparity in security awareness and implementation underscores the necessity for continuous education and support in order to improve the security and privacy of telehealth services.

Data Security and Privacy Concerns
Our participants expressed varying concerns regarding the security and privacy aspects of telehealth.Certain individuals voiced substantial concerns, but others appeared to be less apprehensive or held misunderstandings regarding potential hazards.

Apprehension
Over Data Security.Seven out of 20 participants (A9, A10, S4, S5, S7, S9-S10) expressed apprehensions over the security of patient data.Concerns were raised over the poor understanding among vulnerable populations, especially older adults and the younger population, regarding the data usage of their smartphones and the possible vulnerability of sensitive health information to penetration by malicious third parties.These healthcare practitioners have an understanding that hackers might readily exploit weaknesses.As A10 notes: "I often work with older adults and sometimes they just have no idea on how much data their phone has and so I try to avoid it as much as possible because all it takes is for them to download the wrong app and then all of this health information is potentially going somewhere." (A10) This demonstrates the cognizance of our participants about the security and privacy risks linked to using smartphones, particularly for older individuals who may have little comprehension concerning the data kept on their devices.This also demonstrates that certain participants in our study are actively striving to decrease reliance on personal devices and prefer secure platforms to ensure the confdentiality of health information during telehealth sessions.
However, in contrast, eleven respondents (A1, A4-A7, S2-S4, S8-S10) had a lesser degree of concern over security issues.Some participants exhibited a certain level of naivety and indicated a lack of prior experience with any challenges.The seeming nonchalance expressed by individuals may be attributed to a perception that their telehealth platforms have robust security measures, as A6 states: "We have not had any security concerns with any aspects of telehealth.The third-parties we use are all healthcare entities and know the importance of security and consequences if there are issues." (A6) This statement shows the confdence some of our participants in the security of their telehealth practices, as well as their confdence in the third-party software providers they use highlighting their apprehension towards security and the potential consequences in case of issues.It also indicates a dependence on reliable third-party services in the healthcare industry, with the anticipation that they prioritize strict security measures to protect patient data.On the other hand, this seeming nonchalance can also be due to underestimating the possible threats involved.In fact, when asked about whether they had any privacy or security concerns, S9 answers: "I don't, and part of that's being naive but we haven't had any issues ever." (S9) Through this declaration, S9 acknowledges that they do not have any privacy or security concerns in telehealth.It suggests that this lack of worry may be due to a combination of inexperience and a lack of observed problems.This remark implies a possible lack of knowledge or aggressive actions regarding the protection and confdentiality of data in their telehealth services.Although the lack of detected faws is acknowledged, the possible consequences of ignorance are worrisome as they may lead to the oversight of vulnerabilities, hence leaving patient data susceptible to unauthorized access or breaches.
Furthermore, two participants (S1 and S7) displayed a conspicuous absence of concern over privacy and security in the context of telehealth.For example, the lack of concern exhibited by S1 towards parents allowing their children to conduct sessions from unsecured settings demonstrates a level of acceptance towards patient activities that might potentially jeopardize security.Moreover, this nonchalant attitude gives rise to apprehensions over possible breaches in data security and privacy.Allowing sessions in less secure contexts might potentially expose sensitive information to undesired individuals, hence increasing the risks of eavesdropping or unlawful access.
"Parents choosing to sign on with their phone in the middle of a parking lot. . .if they want to do that that's fne. . .I don't care." (S1) Allowing sessions in less secure contexts might potentially expose sensitive information to undesired individuals, hence increasing the risks of eavesdropping or unauthorized access.Which emphasizes the necessity for explicit protocols and instruction on secure telehealth practices to protect the privacy of healthcare interactions.Similarly, S7 minimizes the signifcance of eavesdropping by drawing a comparison to a group therapy session within the occupational therapy realm.
"We also have a shared like computer space where multiple people are working at the same time and sometimes we will do a telehealth session from there, so there are times when I might be walking by and see someone else's telehealth session happening which in my mind is pretty similar to walking by a therapy room and hearing a session happen or in the occupational therapy world.A lot of times there's just a shared gym space and lots of kids are having therapy in the same space so it's all within the clinic building so I see it as confned in the same way as those other situations." (S7) This analogy implies that the perceived level of security in telehealth is on par with that of in-person sessions conducted within the controlled environment of a clinic facility.However, this analogy is fawed as it neglects to recognize a crucial contrast between traditional treatment sessions done in person and telehealth sessions carried out via digital platforms.In the context of in-person treatment, all participants possess a broad awareness of their physical environment and the presence of others within the shared therapy space.Conversely, in the context of telehealth sessions, individuals could lack awareness of the absence of a private environment.Telehealth relies on the assumption of a private and secure digital environment, and patients expect that their conversations and sensitive information are protected from eavesdropping or unauthorized access, when in fact these conditions are not always met.

Concerns
Over Platform Security.Two participants (A2 and S6) voiced an alternative viewpoint that centers on apprehensions over their own privacy as well as the privacy of persons unintentionally captured on camera during telehealth meetings.The participants placed signifcant emphasis on the possibility of patients or their parents recording or assuming control of a session, showing greater concern over these situations compared to external hackers.As S6 states, "A concern that the client or the parent was going to record the session or take over the session.I think I was more concerned about those people than [a] cyber hacker." (S6) Our participants responses depict the difculties that professionals encounter in guaranteeing the privacy of telehealth conversations.Considering data privacy and security, concern emphasizes the necessity of implementing steps to avoid unintentional disclosure of sensitive information by participants during the session.
A2 additionally brought attention to the frequently disregarded matter of privacy concerning those inadvertently present in the backdrop of telehealth meetings, encompassing both family members and unfamiliar individuals.These circumstances have the potential to cause unease for all those involved, including the service providers, since they may unintentionally bear witness to intimate moments or confdential information that was not intended for disclosure.A2 explained that: "Privacy is not just about the person who's on camera but also the people who are inadvertently on camera in the background.I'm sure everybody has experiences like this, but I've had siblings, spouses, children, strangers who show up in the background without knowing that they're on camera and that can lead to uncomfortable situations for them and for the providers sometimes." (A2) The remarks made by this participant highlight the intricate aspects of privacy within the realm of telehealth, wherein the delineation of personal boundaries and inadvertent exposure emerge as noteworthy considerations, particularly in the context of utilizing video conferencing technology.
Six participants (S1-S2, S5-S6, S9-S10) conveyed apprehensions regarding security breaches, specifcally citing instances such as Zoom bombing that occurred during the peak of the COVID-19 outbreak.Despite lacking personal experience with such attacks, the sheer awareness of their existence heightened their perception of vulnerability and underscored the necessity for implementing comprehensive security measures.As S6 notes, "I heard about [Zoom bombing] happening during our transition to telehealth, students being able to kind of take control of the screen, and then present their screen or inappropriate material to other people . . .that's obviously a concern and that I did hear about situations like that happening to providers and teachers during the very beginning of the pandemic." (S6)

Trust and Confdence in Telehealth Security
The study's participants demonstrated a range of trust levels about the security and privacy features of telehealth technology.At one extreme of the continuum were those who publicly articulated a profound sense of skepticism towards many entities, encompassing software suppliers among others (A3, A10, S6, and S8).The mistrust exhibited by individuals was mostly based on apprehensions over the protection of personal data, as S8 states when asked whether they trust their software provider: "No, I don't really trust anybody with anything to be honest.The fact that you could say something and suddenly on Facebook there's all these ads for is scary." (S8) This participant had an increased sense of unease over the wider security environment.This statement also demonstrates a dearth of confdence in diverse institutions, emphasizing apprehensions around internet spying and data monitoring.

Trust in
Organizational Decision-Makers.Several participants (A4, A6, A10, S7, S10) shared a perspective infuenced by their professional positions within their respective organizations.These participants hadn't been in decision-making positions and held the belief that it was not incumbent upon them to evaluate or execute security protocols.Conversely, the individuals or teams responsible for these tasks were entrusted with the responsibility, as it was believed that the encryption levels and security measures were in accordance with the requirements outlined by HIPAA.From these participants' perspective, their main responsibility was to ofer therapeutic services, while they entrusted the complexities of security to individuals whom they perceived as being more capable of making well-informed judgments.S7 states that: "I haven't been in a decision making position in the jobs that I've had have.I'm just a therapist working at a private practice so in that way from my perspective I am putting a lot of trust in the people making the decisions. . .and then I just kind of do what I'm told because in my eyes it's not my job to make sure those things are done so I'm just trusting that they are done." (S7) We notice a dependence on the decisions taken by others and view it as outside their responsibility to ensure the implementation of security and privacy measures.This position may present potential vulnerabilities, since it implies a passive attitude to privacy and security.In contrast, nine participants (A3, A5-A9, S4, S6-S8) expressed comparatively diminished apprehensions pertaining to the security and privacy aspects of telehealth technology.The rationales for this exhibited notable disparities.A certain cohort displayed a sense of assurance in the individuals responsible for decision-making within their respective organizations, who diligently scrutinized the software employed.The individuals held the belief that the provision of their tools by these entities engendered a sense of security.As S8 explains: "What I use is through the district so I feel like it's pretty safe it's not just like open to the public." (S8) The demonstrated trust in decision-makers highlights the infuence of diferent roles and organizational structures on perceptions of security in telehealth.From a perspective of data privacy, using a platform sponsored by the district indicates compliance with institutional security procedures.Nevertheless, it is crucial to acknowledge that institutional backing does not provide complete security, underscoring the continuous requirement for alertness and best practices to ensure patient data confdentiality during telehealth sessions.4.4.2Trust in Sofware Providers.Several participants expressed concerns, especially regarding the security and privacy of certain technological platforms.S6 expressed their lack of faith in the Zoom platform, particularly with regard to concerns about password encryption and stability issues, which ultimately resulted in their decision to cease using it: "I think I didn't trust Zoom to work with the password encryption version because it wasn't working so I stopped using it." (S6) Similarly, A10 expressed apprehensions over the insufciency of comprehensive details pertaining to the security protocols employed by third-party applications utilized in telehealth, even in cases when they are supported by the makers of the devices.
"What I didn't feel comfortable with and where I had concerns is I didn't have a lot of information about the specifc training companies and their apps for remote programming. . .[Manufacturers] have been telling that their system is secure however I just didn't have any information other than the manufacturer's word on that." (A10) A subset of participants exhibited a signifcant level of trust in their software providers (A4, S1, S3-S5, S7, S9-S10).Several participants noted that they had not encountered any signifcant usability issues with the software provider they had adopted.Over the course of time, these participants' confdence in the technology grew stronger, especially as they encountered seamless and problem-free engagements with the platform.For these interviewees, the absence of technical malfunctions and usability issues was a testament to the software's overall reliability.This is corroborated by S5's response: "I really haven't had a ton of concerns especially as time has gone on.Maybe these things have just been going pretty smoothly." (S5) S4 notes: "I do just trust the platform is maintaining security on their end." (S4) The trust in the system and technology is sometimes ascribed to the company's established reputation and credibility.The platform was perceived by users as a reputable organization that placed a high emphasis on security, thereby mitigating apprehensions regarding the security and reliability of data.As A3 states: "You get what you pay for so we feel comfortable that Blueprint has our best interest at heart and they provide a quality service as well." (A3) This trust our participant showed their software providers demonstrates a frm belief in their capacity to prioritize data privacy and security.The consequence is an assumption that the software providers' high-quality service includes robust measures for protecting sensitive patient information during telehealth sessions.The existence of diferent degrees of trust and the various circumstances that have impacted them highlight the intricate nature of security and privacy views among the telehealth practitioner community.

Patient Attitudes Toward Security and Privacy
Participants in the interviews provided a range of perspectives on their patients' views regarding the security and privacy aspects of telehealth.Four participants (A3-A4, A8, S6) observed that the patients they encountered placed a higher emphasis on the convenience and user-friendliness of telehealth services compared to any concerns regarding security.Indeed, A8 implies an emphasis on technological disruptions above proactive eforts for data privacy and security.The potential outcome is the possibility of disruptions in telehealth sessions, which might afect the smooth provision of healthcare services.
"As far as security, no not at all, just a couple of times where the internet has been a problem that's been a frustration on both ends." (A8) In the case of these individuals, prioritizing the accessibility and efcacy of telehealth in meeting their healthcare requirements superseded concerns regarding security.In fact, when asked whether their patients have ever voiced any concerns over the security and privacy of telehealth, A9 answered: "No, they don't feel good they don't hear well that's all they care about." (A9) This concession that patients do not voice concerns regarding the security and privacy of telehealth indicates a potential lack of patient awareness or engagement with the security aspect of telehealth, emphasizing their primary focus on health issues.Concerns regarding data logging and the collection of information during telehealth sessions were expressed by some patients, as reported by A10.According to A10, some patients worry about the potential recording of sensitive conversations, despite the primary focus of data logging being on non-verbal information, such as usage patterns in various contexts.This concern emphasizes the delicate nature of patient anxieties regarding confdentiality.In fact, A10 reveals: "Patients are concerned about [data logging] on occasion.To them, it might be concerning like 'oh are you recording this information?'I mean how can you record conversations?There might be private conversation I can say with confdence that it's not recording any actual conversation but those are concerns that the patients have and so the data logging can be a super helpful tool but that's the one that patients are often concerned about." (A10) Conversely, two participants (A2 and S4) reported cases in which patients demonstrated a pronounced inclination towards telehealth as a result of their concerns regarding privacy.S4 provided an example of a particular patient who made the decision to utilize telehealth services to obtain therapy discreetly, thereby circumventing the need for in-person appointments that might inadvertently disclose their condition to individuals within a close-knit community.Telehealth thus allowed this patient to make progress, stressing the signifcance of service accessibility in infuencing patient decisions, stressing the necessity for more extensive telehealth options to tackle privacy apprehensions and accommodate varied healthcare requirements.
"[A patient] came in for the evals for [physical therapy (PT)] and [occupational therapy (OT)] and speech, but would not come back for treatment and I had suggested that we try telehealth and he was open to it.He was there twice a week did amazing. . .but would not come into the clinic for PT and OT and I think it was because he maybe knew it was a small community and he didn't want anyone to see him receiving therapy.Our PT and OT didn't ofer telehealth at the time, so he just went without those services." (S4) In a similar vein, A2 observed that telehealth proved to be a viable option for individuals occupying sensitive roles within their professions, as they harbored heightened apprehensions regarding their privacy and confdentiality.These individuals opted for telehealth services to protect the confdentiality of their personal and medical information.They highlighted that telehealth may be particularly suitable for specifc patient demographics that place a greater emphasis on privacy sensitivity.As A2 states: "It's really only for specifc patients who are very worried about the information that they're sharing being sensitive for their career." (A2)

Comparative Discussions for Audiologists and Speech Language Pathologists
Within our study, a signifcant demographic contrast arose between audiologists and SLPs regarding the patients they serve.Forty percent of the questioned audiologists (A3-A4, A6, A10) specifcally said that a substantial proportion of their patients were "older adults."Conversely, a lesser percentage of SLPs indicated dealing with older adult patients, with 8 of them (S1, S3-S9) stating that they primarily focus on treating younger patients.This diferentiation is essential as this patient demographic frequently face difculties with technology, a characteristic that signifcantly impeded their adoption of the shift to telehealth.Several audiologists have seen a dearth of approval or enthusiasm among their primarily older patient demographic about telehealth as A3 states: "A lot of our population is elderly and we didn't see a real acceptance or excitement to try it [telehealth]" (A3) Audiologists highlighted the challenges their patients had while adjusting to digital platforms, revealing a signifcant obstacle to the mainstream acceptance of telehealth among this particular group even during the peak of the COVID-19 outbreak, as A4 explains: "For most of our patient population which is older adults over the age of 65 typically they just would rather come in person to talk to someone. . .when we ofered the telehealth appointments most of them say I'll just come in. . .I think our patients feel comfortable coming in despite all the precautions and the risk there was before we had  vaccines" (A4) This also correlates to the overall quantity of telehealth services provided by each group.During 2021, audiologists, on average, provided less than 20% of their sessions through telehealth.Among them, only A2 conducted more telehealth sessions than in-person sessions.In contrast, 4 out of 10 SLPs almost exclusively delivered care through telehealth sessions.Furthermore, audiologists emphasized the technological literacy difculties faced by their elderly patient demographic on many occasions as well as lack of technology in other cases, as A6 confrms: "Our patients really don't have the technology to actually do it [Telehealth] unless they have like a daughter or a family member that's there" (A6) These patients who lack the necessary devices or digital skills for telehealth, may depend on technologically savvy family members for help, this dependence brings about certain security weaknesses, since family members may interact with the technological elements, putting sensitive health information at risk of unintended disclosure.
On the other end of the spectrum, SLPs emphasized the difculties encountered in telehealth sessions, particularly with younger children.These children's parents have expressed discontent with the efcacy of telehealth sessions in the early stages of the epidemic.Several participants observed that parents often voice dissatisfaction with the progress made during telehealth sessions and express a preference for in-person therapy, as A4 explains: "Parents of now three or four year olds will come in and say that . . .during the pandemic or the early pandemic they were in therapy that was all virtual and it was very challenging and didn't seem to help at all I hear that comment a lot and then they were eventually be able to fnd someone providing SLP in person and then usually their parents will report that they started seeing progress once the child was in person" (S7) This implies that the physical and interactive aspects of in-person therapy may be more advantageous for very young children.It also emphasizes the pragmatic challenges and limitations of telehealth for certain age groups.It implicitly emphasizes the signifcance of customizing telehealth methods to address the particular requirements and phases of growth of patients.
Our study revealed a nuanced spectrum of perceptions regarding security and privacy was observed among both SLPs and audiologists engaged in telehealth practices.While variations existed within each group, an interesting trend surfaced: a comparatively higher awareness of cybersecurity risks among audiologists.Notably, a greater number of audiologists displayed awareness of the complexities and possible dangers related to cybersecurity in the telehealth setting.The increased consciousness can be ascribed to the unique difculties audiologists encounter, especially when working with elderly adults who are less acquainted with digital tools.Nevertheless, it is essential to recognize that there were difering perspectives within both occupations.Remarkably, two SLPs (S8, S10) and one audiologist (A8) stated that they would have greater apprehensions regarding cybersecurity if they were involved in a diferent profession as we can see in the following quotes: "[For] most of the students I work with, it's mild to moderate articulation or stuttering. . .I'm not doing like psychotherapy." (S10) "If I were in a diferent kind of healthcare then I could see maybe some concerns but the kind of stuf I deal with is out in the open, it's not things that people are trying to be quiet about or concerned that anybody's gonna fnd out about. . .and I might be less inclined to do as much telehealth as I do just because it would be more sensitive information" (A8) This viewpoint implies that there may be a tendency to underestimate the security threats related to telehealth.It highlights the importance of being cautious in protecting even seemingly nonsensitive information in order to preserve patient privacy.Furthermore, these admission highlight the fact that cybersecurity issues are infuenced by the unique professional domains within the allied healthcare industry, and that individuals' perspectives are shaped by their unique environments, which is infuenced by the perceived sensitivity of the information being handled.

IMPLICATIONS
Telehealth, a rapidly emerging domain in the healthcare industry, ofers a promise of unprecedented fexibility as refected in its adoption trajectory.At its core, the telehealth paradigm facilitates remote health services for people in need, bridging the geographical divide, and making healthcare more accessible.Drawing from our earlier discussions, we fnd that audiologists and SLPs hold diverse opinions and experiences about telehealth security and privacy.Our interviews underscore a consensus that security and privacy considerations should harmoniously complement the main objective of healthcare delivery.The present insights from telehealth studies illuminate signifcant implications for healthcare professionals, researchers, service providers, software vendors, and policymakers.

Duality in Flexibility
As our participants discuss, the primary driver for this shift towards telehealth adoption often hinges on the fexibility it afords to both patients and practitioners.Our participants also acknowledge that unique communities, whether defned by geographical constraints or socio-cultural factors, particularly beneft from telehealth (see quote from S4 in Section 4.5).For professionals in high-profle or sensitive job roles, the beneft of telehealth lies in its promise of discretion, ensuring their health consultations remain confdential and free from public scrutiny [3] (see quote from A2 in Section 4.1.2).Similarly, for individuals who are reliant on external means of transportation-be it due to fnancial constraints, physical disabilities, or other reasons-telehealth provides a consistent and convenient avenue for access to healthcare without the hassles of travel [31].
However, the very fexibility that makes telehealth appealing also brings to the fore several challenges, especially in the realms of security and privacy.Our interactions with practitioners shed light on a spectrum of concerns.A recurrent theme was the potential for unauthorized recording of sessions, notably by parents or caregivers (see quotes from S6 and A2 in Section 4.3.2).Such recordings, besides infringing on patient-practitioner confdentiality, could pave the way for unauthorized dissemination of proprietary therapy and care techniques.This could have cascading efects, from privacy violations leading to trust issues between patients and providers, to potential legal and ethical ramifcations.Another emergent concern revolved around the unintended intrusion of caregivers or parents into telehealth sessions (see quote from A2 in Section 4.3.2).Such intrusions, whether inadvertent or deliberate, compromise the session's sanctity, potentially derailing the care trajectory and jeopardizing patient privacy.Adding another layer of complexity, practitioners also highlighted an emerging trend: patients attending sessions from unconventional or unsecured locations (see quote from S1 in Section 4.3.1).Such practices not only introduce additional variables into the care process but also lead to practitioners feeling undervalued or disrespected.Our fndings also underscore a signifcant concern that often remains in the backdrop: the vulnerability of specifc patient segments.
While some population groups gain accessibility with telehealth, others fall behind.For instance, elderly individuals, often not as technologically adept, may struggle with platform intricacies [6] (see quote from A10 in Section 4.3.1).Similarly, there is evidence that neurodiverse adults might fnd the transition to digital platforms overwhelming [88].As the telehealth industry evolves, addressing accessibility issues of people with additional needs should be at the forefront, especially when it comes to the protection of healthcare data.The majority of past research discusses the opportunities that telehealth ofers [74,85].This work extends this body of literature by highlighting the challenges that come with the fexibility that telehealth ofers, challenges associated with ensuring the privacy of patient information, preventing unauthorized use of therapy and clinical interventions, and inclusion of people with diferent abilities.

Recommendations for Increasing Trust in Telehealth Technologies
Trust is fundamental to the adoption and continued use of telehealth as mentioned by our participants (see Section 4.4) and shown through prior works [84].A synthesis of our participant feedback suggests that trust towards telehealth is multifaceted, and bears signifcant consequences for platform developers and healthcare providers alike.Our fndings suggest that a comprehensive discussion about trust necessitates a thorough understanding of its many elements and drivers.Direct and indirect user experiences lay the foundation for trust.People often favor technologies that have strong reputation, garnered positive feedback, or have secured commendable reviews from both their peers and industry experts [21].This is a form of institutional trust: that learned towards a specifc brand and/or institution [2].Similarly, healthcare technology providers that have a strong reputation in a community were favored by the providers and more importantly, were trusted to prioritize security and privacy (see quote from A3 in Section 4.4).However, complete transparency regarding the collection, processing, and storage of data by telehealth providers is demanded [41] (see quote from A10 in Section 4.4).Platforms that champion this information transparency would position themselves favorably in the trust spectrum [56].An absence of understandable and readily available information could foster mistrust, particularly if users perceive they are wading through a quagmire of technical jargon.Despite the strong reputation and transparency, some providers may be apprehensive about adopting telehealth technologies due to dispositional trustindividuals' propensity to trust technologies [34].Participants in this work did not discuss dispositional trust as a factor but we posit that it may play a signifcant role in telehealth adoption.
Trust is also a dynamic construct that is established over time through individual interactions with technology [55].Error-free interactions with emerging technologies (automated process controls, adaptive cruise controls, autonomous driving) have been shown to consistently increase trust over time [58].Likewise, several providers in this work mentioned how error-free interactions with telehealth technologies have infuenced them to perceive the system to be reliable and trustworthy (see quote from S5 in Section 4.4).However, this doesn't necessarily suggest that providers are over-trusting, but the contrary: participants understood the telehealth technologies could be vulnerable to threats (see quote from A5 in Section 4.2.2).It is expected that technologies that fail should lead to a temporary reduction in trust [50].They typically stem from one's own frsthand experience of errors encountered while using the technology.However, providers in this study noted stories about security attacks (on healthcare systems or otherwise) as a cause for degraded trust.For example, Zoom which is one of the most prevalent videoconferencing platforms used by healthcare providers has experienced several data breaches which may contribute to trust degradation [67].Providers also noted personal experiences as causes for trust degradation.For example, authentication errors, while they might seem minor, can have grave implications such as privacy violations, data breaches, and operational inefciencies [54] (see quote from S6 in Section 4.4).Such issues don't just hamper the individual workfows but also cast doubts over the platform's overall reliability especially when it comes to healthcare data.
When providers aren't the main agents choosing the technology, trust is indirectly anchored on the credibility of the decisionmaker(s).This is a notable dimension of trust and decision-making that emerged from interviews with the providers in this work -a form of distributed trust and decision-making (see quote from S7 in Section 4.4.1).While it reduces the burden on providers by enabling experts in information and computing technology to adopt and manage telehealth technology, it also brings unique challenges and opportunities.We characterize this as distributed trust because individuals (IT experts) who are making the adoption decisions based on initial institutional and dispositional are distinct from individuals (providers) who are learning to trust based on their interactions with telehealth technology.Such a distributed trust relationship may introduce misaligned priorities and trust levels.For instance, the technology may be trustworthy from a deployment and management perspective but unreliable from a regular interaction perspective.Likewise, there may be instance of overtrust that emerges from such distributed trust relations (see quotes from S7 and S8 in Section 4.4).Also, in scenarios where a suggested platform underperforms, who is accountable for the patient data?Establishing well-defned lines of responsibility and involving users (providers) in early phases of decision-making may preempt potential future disputes.
Finally, healthcare providers should be leveraging business associate agreements (BAAs) with telehealth technology providers including Zoom or Google, as required under HIPAA.These legal documents can help ofset risk by requiring third party vendors to protect PHI.Although, all our participants emphasized their commitment to complying with HIPAA regulations in respect to the technology they use and their operational processes, only four participants mentioned having or relying upon BAAs with telehealth platform providers to protect PHI or manage security and privacy liability.

Recommendations for Training and Awareness of Security Hazards
Within the healthcare industry, it is broadly acknowledged that training is paramount for compliance eforts [4,81].All the participants practiced in the United States and are required by law to know and comply with HIPAA.While HIPAA provides fexibility in implementing obligatory security and compliance measures, participants often demonstrated limited awareness of these requirements (see Section 4.2).More concerning is the variation we observed in participants' awareness of threats and understanding of the necessary actions.Many were understandably anxious while few others reported to be taking actions (safe practices, investing in IT resources) to prevent a breach and buying insurance to cover losses in the event of a breach.This resulted in a defciency in their understanding of potential security and privacy threats.Every healthcare professional-not just business owners-is accountable for HIPAA compliance.This prevailing variation in awareness and responsibility about security threats amongst healthcare providers has the potential to compromise patient data, thereby undermining the efcacy of telehealth services.Comprehensive training tailored to telehealth could ameliorate these risks.Specialized telehealth awareness becomes pertinent given that the attack surface for telehealth distinctly deviates from traditional in-person information exchanges.This distinction was often misconstrued by participants (see quote from A2 in Section 4.2.1).Telehealth introduces an intermediary thirdparty communicator, a novel internet-based data transmission, and a unique patient connection environment.Although awareness of security and privacy threats is a prerequisite for compliance, current evidence doesn't conclusively establish that such awareness indeed minimizes data breaches or other similar incidents [10].
Current medical and state licensure processes should adopt mandates for specifc knowledge in cybersecurity and privacy.This would ft within state licensure that typically necessitates a set duration of continuing education.Incorporating telehealth cybersecurity training, either as an essential prerequisite for conducting telehealth or as an elective within continuing education, seems judicious.Most private clinics have the budgets to support continuing education.Given the ceaselessly evolving cyber threat landscape, instating telehealth security training as an imperative appears indispensable.Periodic continuing education will ensure healthcare providers stay updated on emerging challenges and their countermeasures [17].

Telehealth Service Providers and Software Vendor Recommendations
Telehealth hinges not only on technological innovation but also on a symbiotic balance between usability, security, and privacy.As pivotal stakeholders, telehealth service providers and software vendors wield the unique responsibility to ensure that software architecture and deployment strategies align with the best interests of both practitioners and patients.Given the sensitive nature of healthcare data, it is imperative for vendors to build applications from the ground up with security in mind.Ensure that data, both at rest [11] and in transit [70], undergoes end-to-end encryption [52].This diminishes the risk of unauthorized access or breaches during transmission between client and server or while stored.Undertake regular penetration testing and vulnerability assessments to identify [87] and rectify potential weak points in the system before malicious entities exploit them.Embedding privacy controls from the onset can mitigate potential risks in data handling and processing is critical.We recommend incorporating comprehensive consent management tools that enable patients to have granular control over who accesses their data, how it's used, and for what purpose [14,25].Adhering to the principle of data minimization [73], such a solution could ensure that only essential data is collected and stored.This reduces the potential attack surface and exposure.Additionally, engagement with industry experts and practitioners to develop specialized guidelines tailored to address the unique challenges such as difculties observing subtle communication cues that help SLPs assess articulation, fuency and overall communication efectiveness, or difculties with calibration and standardization faced by audiologist, as well as limited ability to assess sound perceptions and understanding speech in noisy environments faced by both audiologists and SLPs in telehealth will be helpful.This requires collaborations with regulatory bodies, institutions, and practitioners to continuously refne and update standards, ensuring they remain relevant in the face of evolving technological landscapes.Additionally, while intuitive interfaces play a pivotal role in encouraging telehealth adoption, it is crucial to strike a harmonious balance where ease of use doesn't jeopardize security protocols.We recommend integrating adaptive authentication mechanisms, which adjust authentication challenges based on contextual factors such as user behavior or device integrity.This aligns with the experiences of certain participants who have raised concerns about the usability of certain telehealth platforms, namely for patients who struggle with account creation and session login and authentication as S6 notes: "there were like multiple steps for the secured Zoom. . . it wasn't as easy as just click on this button and you can enter my teletherapy space.It was just too many steps for the population I was working with." (S6) Incorporate interactive training modules within the software to guide practitioners and patients on best practices to maximize security during telehealth interactions.The guidance provided by NIST 1800-30B -a US-centric standard-serves as a foundational starting point for constructing robust telehealth platforms [18].

Policy Recommendations
As the adoption of telehealth services continues to burgeon, regulatory frameworks must concurrently evolve to adequately address the nuanced challenges introduced by this digital transformation.While HIPAA has traditionally acted as a cornerstone in healthcare data protection, with technology-agnostic requirements, the advent of telehealth demands specifc refnement [65,77].The integration of more explicit telehealth-centric clauses can elevate the overall efcacy of this regulation.Detailed guidelines are needed for delineating the recommended practices for virtual patient interaction.This can span aspects like maintaining visual privacy, ensuring session confdentiality, and utilizing secure communication channels.From our work, we see an over-reliance on systems, thus periodic security audits for telehealth platforms are needed.By ensuring they align with the stipulated security standards, it becomes possible to preemptively identify and rectify vulnerabilities.Addressing the constraints of the Ofce for Civil Rights (OCR) is equally paramount.As the entity tasked with overseeing compliance, fortifying its capabilities can signifcantly augment the enforcement landscape [61].
The initiatives such as the Audiology and Speech-Language Pathology Interstate Compact (ASLP-IC) are commendable as they foster a consistent standard of care across states [8].Amplifying this approach can involve the creation of a unifed cybersecurity and privacy standard that professionals must adhere to, regardless of the state they practice in.The development of a collaborative ecosystem could allow professionals to share their telehealth experiences, challenges, and insights.A peer review mechanism can help disseminate recommended practices and novel solutions across the community.

Patient-Related Concerns and Recommendations
As the telehealth landscape continues to evolve, a prominent issue emerges from people accessing services from unregulated or uncontrolled environments.Such scenarios inadvertently introduce a plethora of security vulnerabilities that remain challenging to circumvent.Even though consent documents can apprise them of these associated risks and furnish a legal safety mechanisms, relying solely on these documents doesn't inherently bolster security or privacy in real-world applications [23].Providing educational resources is pivotal to navigate this quandary.But it is not merely about creating materials; it's about crafting comprehensive guidance tailored for diverse patient profles.Let's delve deeper into the potential facets of this approach: Interactive, easy-to-follow online tutorials can be designed to guide patients through the steps of setting up a secure environment.This could range from securing their WiFi networks, such as enabling virtual private networks, to understanding the basics of end-to-end encryption.
A concise, printable checklist can ensure that people using telehealth follow a standardized protocol before initiating a telehealth session.This can include actions like fnding a private location, ensuring their device's software is updated, and checking the security settings of the telehealth application.After patients undergo a telehealth session, prompt them to provide feedback regarding their security experience.This could inform areas where the educational materials might need refnement.The realm of cybersecurity is constantly evolving.Thus, it is essential to provide patients with regular updates about new threats or security measures.An automated monthly newsletter or notifcations within the telehealth platform can serve this purpose efectively.Diferent patients may face diverse challenges based on their locations, tech-savviness, and the devices they use.Ofering guidance based on specifc scenarios can make the advice more actionable and relevant.By incorporating these facets, we can empower people using telehealth to take charge of their security and ensure that telehealth services remain both accessible and secure.

FUTURE WORK AND LIMITATIONS
Our work ofers invaluable insights into the privacy and security concerns and perceptions of allied healthcare practitioners regarding telehealth.It is important to note that all participants in our study were audiologists and speech-language pathologists actively engaged in private practice settings.This deliberate selection ensured a comprehensive grasp of the distinct experiences and challenges these professionals face.Moving forward, our research will expand to include a broader spectrum of healthcare experts.Additionally, the experiences of patients remain critical.Hence, in our future research we will incorporate patients' perspectives, recognizing their essential role in shaping telehealth interactions.
While our qualitative study provides rich insights, certain inherent limitations must be acknowledged.A primary limitation stems from generalizability concerns.Our sample consisted exclusively of audiologists and speech-language pathologists in private practice, which allowed an in-depth understanding of this group's perspectives.However, the fndings may not generalize to other allied healthcare professionals or those in non-private practice settings.Future studies should incorporate a wider range of participants across various allied healthcare disciplines and practice types to determine if the themes hold true more broadly.Additionally, our sample exhibited some skewness in gender distribution.This disproportionate gender distribution could introduce potential bias, although it is reasonably representative given.Still, incorporating a more balanced gender mix could reveal difering viewpoints.Furthermore, qualitative research relies heavily on participants' memories and willingness to share openly.Biases such as selective memory, recency efects, attribution errors, and social desirability biases may shape participant responses during interviews.Observations and surveys could complement interviews to mitigate some biases.Overall, our fndings establish an important foundation for future research to build upon through broader, more diverse samples, mixed methods, and longitudinal tracking of telehealth privacy and security perceptions among allied healthcare professionals.

CONCLUSION
The telehealth paradigm in allied healthcare, particularly exemplifed by audiologists and SLPs, poses intricate challenges concerning data privacy and security.We conducted an extensive qualitative analysis involving 20 healthcare professionals spanning audiologists and SLPs over six months.This study shows critical nuances in privacy and security, accentuating the exigency for bespoke solutions tailored to address its unique complexities particularly from the providers' perspectives.Our fndings shed light on a diverse spectrum of views regarding the robustness and credibility of existing technologies, trepidation surrounding privacy breaches and security, as well as the subsequent patient behaviors towards the providers.Notably, participants expressed that the pressures of their primary medical duties sometimes overshadow the imperative nature of patient data confdentiality.This often results in the inadvertent relegation of data security and patient privacy signifcance, constraining their ability to suitably address these issues.Based on our study, we advocate for the implementation of both secure and user-centric telehealth systems.Complementing these with rigorous training modules could potentially diminish the supplementary burdens borne by healthcare practitioners.as secure as in-person, data security on the internet, don't care if patient is not in private location, don't know how secure it is, don't trust anybody, don't trust tech provider, help from spouse, I do patient care not cybersecurity, I don't know whether it's two factor, I would think more about security if I were in a diferent feld, importance of privacy, insecure behaviour, keep up with security news, No problem with tech, No/limited information taken during telehealth, Not familiar with all features of tech, Not important for patient to be in private area, Not important to be hacked, Not my area of expertise, Not saying patient names, nothing is 100% secure, past practices vs now, patient doesn't worry about telehealth, patient in private setting for telehealth, patient security behavior, patient worries/patient security concerns, patient worries/privacy, patient care more about health than privacy, positive security and privacy feeling, privacy and security assumptions, privacy and security conscious, private setting, provider security concerns, reasons behind choosing tech: security/privacy, security implemented, trust people making the decisions, there's only so much we can do about security, uncertainty about security, unconcerned about privacy and security, vetted by some department, we do the best we can to safeguard data privacy and security, We don't really talk about private information, worries about personal privacy, Zoom attacks stories

Table 1 :
Demographic Profle of Study Participants with Telehealth Platform Transition Indicator.*: Denotes participants who transitioned to a new telehealth platform less than three months prior to the interview.

Table 2 :
A snapshot of the correlated open codes and themes generated for thematic analysis of the analyzed responsesThemeOpen Codes Importance of telehealth telehealth is needed, telehealth is better than patient abandonment, telehealth is better for some patients, telehealth is better for some services, telehealth in rural communities, prefer telehealth over in-person, patient choice telehealth or in-person, get caregiver to help with telehealth sessions, reasons for choosing telehealth: fulflling a need, reasons for choosing telehealth: don't need to see patients in-person, reasons for choosing telehealth: patients' aggressiveness towards providers, reasons for choosing telehealth: prevent illness, reasons for choosing telehealth: providers personal safety, reasons for choosing telehealth: limiting the commute, reasons for choosing telehealth: cost savings, reasons for choosing telehealth: no distraction, reasons for choosing telehealth: necessity, reasons for choosing telehealth: efcient time management, reasons for choosing telehealth: convenience Training telehealth training, HIPAA training, educate/support patients Limitations of telehealth payment diferences in telehealth, admin help, older adults prefer in-person, patient worries: efectiveness of telehealth, payment diferences in telehealth, usability issues in telehealth, adapting in-person care to telehealth, change attitude of providers against telehealth, concerns about connectivity, difculties of setting up telehealth, keeping attention of patients, lack of resources, patient worries: patient usability concerns, populations who had a hard time transferring to telehealth, provider concerns about telehealth, telehealth not suitable for all patients, telehealth on its own is difcult or impossible, time constraints to learn tech, vulnerable populations HIPAA and Legal Implications BAA, HIPAA compliance, eavesdropping in-person Privacy and Security Considerations