Not every healthcare organization embraced electronic medical records (EMRs) at first. But the incentives and regulations put in place by Meaningful Use and the Affordable Care Act have made it both financially beneficial and necessary to implement them.
Now, organizations are not only embracing EMRs, but making it easier for their patients to access and manage them through remote portals. According to the Office of the National Coordinator for Health IT, approximately 63% of patients who used portals did so at their doctors’ recommendation.
Despite the growing popularity of patient portals, more than 25% of patients still refuse to use them because of privacy and security concerns, according to a 2018 Office of the National Coordinator for Health Information Technology (ONC) study. Considering the sensitive nature of their protected health information (PHI), along with the nearly 5.6 million health records that were compromised last year, those fears are understandable.
What can providers do?
Hackers have zeroed in on the healthcare industry for two main reasons: the treasure trove of valuable information in medical records and outdated cybersecurity. In fact, between 2009 and 2016, more than 30% of all big data breaches occurred within healthcare systems, according to a study by the American Journal of Managed Care.
Without proper encryption methods, login redundancies and detection tools, portals are almost as easily accessible to hackers as they are to authorized users. As their usage grows, that lack of security will become an exponentially greater threat to patients’ PHI and identities.
Unfortunately, many people are accustomed to keeping the same username and password for all of their accounts, and that information is very lucrative to hackers.
While it’s up to patients to change their passwords regularly, sometimes they forget to change them, or they log in so rarely that a password sits idle. Healthcare organizations want to be proactive about those cases and make sure they have the right technology in place to catch somebody logging in to impersonate a patient.
Providers can’t lower the value of PHI to make it less attractive to hackers, but they can protect it more effectively with up-to-date cybersecurity measures. These 8 tips can help organizations bring their patient portal security up to date and keep their networks safe from unauthorized access:
1. Automate the portal sign-up process.
Automating the initial sign-up process can stop false enrollments into the portal at the source. When implemented correctly, the automation will only require the patient to enter a few pieces of information, and then the software can confirm the user’s identity on the back end.
2. Leverage multilayer verification.
After patients have signed up to access the portal, using multilayer verification can ensure all future sessions are equally secure. For example, two-factor authentication adds additional protection on top of conventional login credentials.
In addition to a password or PIN, users also have to provide something personal such as a cell phone number, ZIP code, fingerprint, or iris scan. If the user’s device, account ID, and/or password are compromised, multi-factor authentication can ensure the organization’s network remains safe.
3. Keep anti-virus and anti-malware software up to date.
Multilayer verification protects users’ direct access to portals, but there are other, more frequent vulnerabilities that also need attention. For instance, HIMSS Analytics found that 78% of providers experienced ransomware and malware attacks in 2017.
Email is the avenue of choice for deploying malware, and these attacks constantly evolve to slip past conventional security measures. If anti-virus software is outdated, the network remains vulnerable to every new iteration of malware that attacks it. Most solutions let you opt in to automatic updates, so updates are downloaded and installed as soon as they’re made available.
4. Promote interoperability standards.
When primary care physicians, specialists, and healthcare payers talk to one another throughout the course of a patient’s care, it isn’t always through email. When their systems aren’t compatible, they can’t communicate as clearly and securely as desired.
Interoperability makes it possible for disparate systems to share medical histories and patient data while making that data easily understandable on either system. Because interoperability is essential for improving the continuum of care, the Centers for Medicare and Medicaid Services provide standards for healthcare organizations to promote it.
More patients and providers are optimistic about using technology to improve the healthcare experience. However, a study in 2015 by Software Advice revealed one in five patients remain so suspicious of healthcare data security that they refuse to even divulge some information to their physicians. Fortunately, with the right tools, organizations can effectively strengthen portal security and boost the confidence their patients have in them.
5. Verify patient identities to protect access to medical records.
To avoid HIPAA violations, it’s critical to ensure you’re giving access to the right patient. Secure log-in monitoring and device intelligence can help you confirm that the person trying to log in is who they say they are. When something doesn’t add up, identity proofing questions can be triggered to provide an extra check.
In an exciting new development, the healthcare industry is also starting to see the use of biometrics to supplement existing identity-proofing solutions. Just as you might use facial recognition to unlock your smartphone, there are now ways to authenticate your healthcare consumers’ identity using the same technology.
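The login monitoring described in tip 5, combined with the idle-password scenario mentioned earlier, can be sketched as a small risk check that runs after the password is verified. This is an added example, not code from any portal product; the `Account` fields, signal names and thresholds (`IDLE_AFTER`, `MAX_RECENT_FAILURES`) are hypothetical and would need tuning against real login data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration; not taken from the article.
IDLE_AFTER = timedelta(days=180)
MAX_RECENT_FAILURES = 3

@dataclass
class Account:
    patient_id: str
    known_devices: set          # device fingerprints seen on verified logins
    last_login: datetime
    recent_failures: int = 0    # failed password attempts since last success

def risk_signals(account, device_id, now):
    """Return the reasons this login does not add up (empty list = none)."""
    signals = []
    if device_id not in account.known_devices:
        signals.append("unrecognized_device")
    if now - account.last_login > IDLE_AFTER:
        signals.append("idle_account")
    if account.recent_failures >= MAX_RECENT_FAILURES:
        signals.append("repeated_failures")
    return signals

def login_decision(account, device_id, password_ok, now):
    """Decide what happens once the password has been checked."""
    if not password_ok:
        account.recent_failures += 1
        return "deny", ["bad_password"]
    signals = risk_signals(account, device_id, now)
    if signals:
        # A correct password alone is not trusted: ask proofing questions.
        return "step_up", signals
    account.recent_failures = 0
    account.last_login = now
    return "allow", []

def complete_step_up(account, device_id, proofing_passed, now):
    """After identity proofing, remember the device for future logins."""
    if not proofing_passed:
        return "deny"
    account.known_devices.add(device_id)
    account.recent_failures = 0
    account.last_login = now
    return "allow"

if __name__ == "__main__":
    now = datetime(2024, 6, 1)  # constructed sample data
    acct = Account("patient-001", {"dev-home-laptop"}, datetime(2023, 9, 1))
    print(login_decision(acct, "dev-unknown", True, now))
```

The returned signal list is worth logging with every `step_up` or `deny` so that repeated challenges against one account show up in monitoring.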
6. Educate staff on security threats and warning signs.
Data breaches aren’t all malicious – human error is often the cause, from mailing personal data to the wrong patients, to accidentally publishing data on public websites or leaving a laptop behind after getting off the subway. Training staff on the potential pitfalls will help them help you in protecting confidential patient information.
7. Develop a robust device strategy.
‘Bring Your Own Device’ arrangements (BYOD) are convenient for staff and patients, but personal devices need to be secured when accessing patient information across the network. Make sure your teams, patients and visitors are aware of how to log on securely to WiFi and follow best practices to keep data safe.
8. Make security a priority and tell your patients how you’re keeping their data safe.
An emphasis on security must be part of the organization’s culture. Employees are the best defense against security breaches. Remember: patient trust is at the heart of a successful patient-provider relationship. Share the steps your organization is taking to secure patient information, so patients feel reassured and confident in using their portal. Data security should be a key strand in your patient engagement messaging.
Let’s flourish in the digital world
Giving patients the power to access their medical information through portal technology has been one of the past decade’s biggest steps forward in improving patient-provider relationships. But with that reward comes responsibility: Providers must protect portals from unauthorized access and theft of medical records.
The good news is that the tools exist to help you protect your patient data. Banking and financial services have pioneered identity protection over the last 20 years, and healthcare can learn a lot by looking at what’s worked in those industries.
Thanks to two decades of innovation in other fields and fast-paced technological developments, many of the early challenges around implementing safe and secure patient portals no longer exist. EMRs took time to implement and gain acceptance; we see the same evolution with patient portals, and they too will become commonplace.
In a climate of ‘doing more with less,’ healthcare leaders are turning to other industries to find ways to boost quality of care and streamline operational efficiency. Automation, digitization and consumer-centric approaches make good business sense across the board, but they’re sensible investments for your data security strategy too. Investing in secure patient identities is a way to prevent painful and unnecessary losses – and it’s what patients expect.