Best Practice Cybersecurity Methods for Remote Care, Patient Portals
Experian Health’s Jason Considine shares best practice cybersecurity methods, as providers potentially expose themselves to greater risk with the use of mobile and patient portals.
A recent study from Kantar shows that privacy and security concerns are hindering patients’ willingness to use health technology, such as patient portals, to improve their care. And while many in healthcare are embracing new technologies and mobile care, cybersecurity is not always prioritized.
The increased use of remote work and telehealth in light of the Coronavirus is also adding to the challenge of securing healthcare systems and the patient data they hold. And in the time of a pandemic, ensuring there are no service disruptions will be critical to patient safety.
Jason Considine, senior vice president and general manager of Experian Health’s Patient Experience Solutions, recently shared sound tech and policy insights with HealthITSecurity.com that can address some of these challenges, from necessary tools to ensuring employees are properly trained.
What are some ways providers can both ensure the security of patient-facing platforms and communicate those strengths to patients to ease those concerns?
Hackers have zeroed in on the healthcare industry for two main reasons: the treasure trove of valuable information in medical records and dated cybersecurity. In fact, between 2009 and 2016, more than 30 percent of all big data breaches occurred within healthcare systems, according to a study by the American Journal of Managed Care.
Without proper encryption methods, login redundancies and detection tools, portals are almost as easily accessible to hackers as they are to authorized users. As their usage grows, that lack of security will become an exponentially greater threat to patients’ PHI and identities.
Providers can’t lower the value of PHI to make it less attractive to hackers, but they can protect it more effectively with up-to-date cybersecurity measures. Here are five ways organizations can bring their patient portal security up-to-date and keep their networks safe from unauthorized access:
1. Portal sign-up process should be automated
Automating the initial sign-up process can stop false enrollments into the portal at the source. When implemented correctly, the automation will only require the patient to enter a few pieces of information, and then the software can confirm the user’s identity on the back end.
2. Keep anti-virus and anti-malware software up to date
Multilayer verification protects users’ direct access to portals, but there are other, more frequent vulnerabilities that also need attention. For instance, HIMSS Analytics found that 78 percent of providers experienced ransomware and malware attacks in 2017.
Email is the avenue of choice for deploying malware, and these attacks constantly evolve to slip past conventional security measures. If anti-virus software is outdated, it remains vulnerable to every new iteration of malware that attacks the network. Most solutions allow for automatic opt-ins so updates are downloaded and installed as soon as they’re made available.
3. Multifactor verification is a must
After patients have signed up to access the portal, using multifactor verification can ensure all future sessions are equally secure. For example, two-factor authentication adds additional protection on top of conventional login credentials.
In addition to a password or PIN, users also have to provide something personal such as a cell phone number, fingerprint, iris scan, or more. If the user’s device, account ID, and/or password are compromised, multifactor authentication can ensure the organization’s network remains safe. Most organizations are using this method and consumers are expecting it.
4. Protect patient identities with identity solutions
To avoid HIPAA violations, it’s critical to ensure you’re giving access to the right patient. Secure log-in monitoring and device intelligence can help you confirm that the person trying to log in is who they say they are. When something doesn’t add up, identity proofing questions can be triggered to provide an extra check.
In an exciting new development, the healthcare industry is also starting to see the use of biometrics to supplement existing identity-proofing solutions. Just as you might use facial recognition to unlock your smartphone, there are now ways to authenticate your healthcare consumers’ identity using the same technology.
Lastly, patient trust is at the heart of a successful patient-provider relationship. Share the steps your organization is taking to secure patient information, so patients feel reassured and confident in using their portal. Data security should be a key strand in your patient engagement messaging.
5. Promote interoperability standards
When primary care physicians, specialists, and healthcare payers talk to one another throughout the course of a patient’s care, it isn’t always through email. When their systems aren’t compatible, they can’t communicate as clearly and securely as desired.
Interoperability makes it possible for disparate systems to share medical histories and patient data while making that data easily understandable on either system. Because interoperability is essential for improving the continuum of care, the Centers for Medicare and Medicaid Services provide standards for healthcare organizations to promote it.
More patients and providers are optimistic about using technology to improve the healthcare experience. However, a 2015 study by Software Advice revealed one in five patients remain so suspicious of healthcare data security that they refuse to even divulge some information to their physicians. Fortunately, with the right tools, organizations can effectively strengthen portal security and boost the confidence their patients have in them.
What are the key tools needed to bolster healthcare security programs?
Often, organizations get too focused on the external portion of a security defense program. However, once a cybercriminal gets inside the system, the rest of the fences are too soft so it’s easy for the thieves to wreak havoc from that point. Thus, there are two recommendations we have for organizations:
- Have a strong monitoring capability on the inside that provides alerts to intrusion. If a cybercriminal got past the perimeter defenses, there are still more hurdles for them to overcome to actually steal the data or cause disruptions.
- Develop a strong security training program for employees. They continue to be the weakest link in a company’s security posture. They should be trained on topics such as phishing scams.
In addition, a relatively new approach but very beneficial is to set up “deception grids,” which are tools that set up fake systems. If a criminal got past the perimeter defenses and is inside, he/she has multiple systems to navigate without knowing which are real or fake. If a company is alerted to intrusion in the fake system, they can gain a better handle on how to manage the incident and are safeguarded from real data being exposed or stolen.
Lastly, a few cornerstone approaches every organization – no matter how large or small – can deploy are to segregate their data, have monitoring tools in place, and encrypt at the data, server, database, and application levels. The key is a true layered defense strategy.
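The internal monitoring and deception points above come together in one simple detection: seed decoy patient records that no legitimate workflow ever touches, then treat any access to them in the portal audit log as a high-fidelity intrusion alert. The following is an added example, not code from the interview or from Experian Health; the log format, the decoy identifiers, the user names and the enumeration threshold are all constructed for illustration, and the bulk-enumeration check is a second, more generic signal on the same log.

```python
"""Added example: alerting on decoy-record access and bulk enumeration
in a portal audit log. Log format, IDs and thresholds are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Decoy ("deception") patient records seeded into the real database. No
# clinical or billing process ever reads them, so a single access is an
# alert in its own right. Assumed identifiers.
DECOY_PATIENTS: Set[str] = {"MRN-9000001", "MRN-9000002"}

# Distinct records one user may touch in the window before we call it
# enumeration (assumed threshold; tune to the role and the real baseline).
ENUMERATION_THRESHOLD = 20

# Assumed audit-log line layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) mrn=(?P<mrn>\S+)$"
)


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one audit line, or None for lines we cannot parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[dict]:
    """Scan audit lines once; emit decoy-access alerts immediately and
    enumeration alerts after counting distinct records per user."""
    alerts: List[dict] = []
    records_per_user: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed line: skipped here, would be counted in production
        if ev["mrn"] in DECOY_PATIENTS:
            alerts.append({"type": "decoy_access", "user": ev["user"],
                           "src": ev["src"], "action": ev["action"],
                           "mrn": ev["mrn"], "ts": ev["ts"]})
        records_per_user[ev["user"]].add(ev["mrn"])
    for user, mrns in records_per_user.items():
        if len(mrns) >= ENUMERATION_THRESHOLD:
            alerts.append({"type": "enumeration", "user": user, "count": len(mrns)})
    return alerts


# Constructed sample log: a nurse viewing two patients, a service account
# exporting a decoy record, one unparseable line, and a user walking
# sequential MRNs.
SAMPLE_LOG: List[str] = [
    "2020-04-01T08:00:01Z user=nurse.ak src=10.20.1.15 action=view mrn=MRN-1000123",
    "2020-04-01T08:00:09Z user=nurse.ak src=10.20.1.15 action=view mrn=MRN-1000124",
    "2020-04-01T08:02:40Z user=svc-backup src=10.20.7.9 action=export mrn=MRN-9000001",
    "this line is not an audit record",
] + [
    f"2020-04-01T08:05:{i:02d}Z user=jdoe src=10.20.3.33 action=view mrn=MRN-{1002000 + i}"
    for i in range(25)
]


def run_sample() -> List[dict]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The decoy check costs nothing at query time and has essentially no false positives, which is what makes it a good first detection to deploy behind the perimeter; the enumeration count, by contrast, needs a baseline per role before its threshold is trustworthy.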
How can healthcare organizations better prepare employees to reduce the risk they pose to the enterprise?
Unfortunately, many reports show that employees are the weakest link in an organization’s security defense. Thus, an organization must make security a priority and conduct frequent employee trainings. Often, the lion’s share of security budgets tends to be focused on technology-centric solutions. But companies should devote more attention to the human aspect of security.
Trainings can be conducted at key intervals such as during new hire onboarding, and annually. Some of the key risks employees should be educated about are spear phishing scams and malware infiltration, which can easily expose a company’s data with just a click.
Many companies may be reluctant to limit access to certain websites or the devices that employees are able to use at work because of the potential for employee blowback. It can even become a retention issue for millennial employees who expect to have access to their work and personal life anytime and anywhere. However, organizations should be mindful of the risk and consider using mobile device management software that will let them have some control or visibility into personal devices. Employee training about both the risks and consequences of using an unsecured device at work is also an important step.
Any advice for securing online portals?
One of the touchpoints with an organization that patients most likely will encounter as the healthcare industry evolves is using online and mobile patient portals to conduct transactions such as registration and appointment scheduling.
As consumers embrace online portals to view their medical records and lab results, renew prescriptions, schedule appointments, and in some cases pay bills, they expect and assume their provider will keep that data secure. Providers must balance convenience and security.
As mentioned above, a multi-layered solution is recommended, and a few other approaches are the following:
- Log-in monitoring
Device intelligence will help you confirm the patient is using a cell phone or tablet your system recognizes, to minimize the risk of someone else accessing their account. This technology will tell you if the device is associated with previous fraudulent activities or potentially impersonating multiple patients. If a device fails to meet the risk threshold, identity proofing questions can be used to verify the user’s right to access the account.
- Additional checks on risky requests
Some patient portal activities, like downloading medical records and editing a patient’s profile, increase the risk. You’d want to add an extra layer of control here, such as additional out-of-wallet questions, to safeguard your patient’s data.
- Rapid response and damage containment
Given the sensitivity and richness of medical data, an attack on the portal can be devastating for patients and costly for providers. In the event of an attack, providers can put in place early warning systems to flag up which patients have been compromised and trigger rapid response measures to shut down the attack and prevent the damage from spreading.
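Points 4 in the first answer and the log-in monitoring and risky-request items in this one describe the same mechanism: score each login on device recognition and device intelligence, challenge with identity-proofing questions when the score crosses a threshold, and always challenge the actions that raise the stakes. The following is an added example, not code from the interview or from Experian Health, that runs such a policy over constructed login events. The weights, thresholds, the flagged-device feed and the `Attempt`/`History` structures are assumptions made for the example; a real deployment would take the device-intelligence signals from a vendor feed and persist the per-patient history.

```python
"""Added example: risk-based login monitoring with step-up for risky actions.

Illustrative only; weights, thresholds and the device feed are assumed.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Actions the text singles out as higher risk: always step up for these.
HIGH_RISK_ACTIONS = {"download_records", "edit_profile"}
STEP_UP_SCORE = 50     # assumed: challenge with identity-proofing questions
DENY_SCORE = 100       # assumed: refuse outright
MAX_FAILURES = 5       # assumed: lock after this many consecutive failures

# Constructed stand-in for a device-intelligence feed: devices tied to
# confirmed fraud or seen impersonating many different patients.
FLAGGED_DEVICES: Dict[str, str] = {
    "dev-fraud-01": "seen in prior fraud",
    "dev-shared-99": "tied to many patient accounts",
}


@dataclass
class Attempt:
    patient_id: str
    device_id: str          # fingerprint the client presents (assumed field)
    country: str            # from GeoIP on the source address (assumed field)
    action: str = "login"
    success: bool = True    # constructed outcome of the credential/challenge check


@dataclass
class History:
    known_devices: Set[str] = field(default_factory=set)
    usual_country: str = "US"
    failures: int = 0


def assess(a: Attempt, h: History) -> dict:
    """Score one attempt against the patient's history and return a decision."""
    reasons: List[str] = []
    score = 0
    if h.failures >= MAX_FAILURES:
        return {"decision": "lock", "score": score, "reasons": ["too many failed attempts"]}
    if a.device_id in FLAGGED_DEVICES:
        score += 70
        reasons.append(f"device flagged: {FLAGGED_DEVICES[a.device_id]}")
    if a.device_id not in h.known_devices:
        score += 50
        reasons.append("unrecognised device")
    if a.country != h.usual_country:
        score += 30
        reasons.append(f"login from {a.country}, usually {h.usual_country}")
    if a.action in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk action: {a.action}")
    if score >= DENY_SCORE:
        decision = "deny"
    elif score >= STEP_UP_SCORE or a.action in HIGH_RISK_ACTIONS:
        decision = "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "score": score, "reasons": reasons}


def process(attempts: List[Attempt], histories: Dict[str, History]) -> List[str]:
    """Apply the policy in order, updating each patient's history as we go."""
    decisions: List[str] = []
    for a in attempts:
        h = histories.setdefault(a.patient_id, History())
        result = assess(a, h)
        decisions.append(result["decision"])
        if result["decision"] in ("deny", "lock"):
            continue  # nothing to learn from an attempt we refused
        if a.success:
            h.known_devices.add(a.device_id)  # passed credentials (and challenge)
            h.failures = 0
        else:
            h.failures += 1
    return decisions


# Constructed sample: one patient with a known home device, one with none.
SAMPLE_HISTORIES = {"p-1001": History(known_devices={"dev-home-1"})}
SAMPLE_ATTEMPTS = [
    Attempt("p-1001", "dev-home-1", "US"),                       # allow
    Attempt("p-1001", "dev-home-1", "US", "download_records"),   # step_up: risky action
    Attempt("p-1001", "dev-tablet-2", "US"),                     # step_up: new device
    Attempt("p-1001", "dev-tablet-2", "US"),                     # allow: device now known
    Attempt("p-1001", "dev-fraud-01", "US"),                     # deny: flagged + unknown
] + [Attempt("p-2002", "dev-k", "US", success=False)] * 5 + [Attempt("p-2002", "dev-k", "US")]


def run_sample() -> List[str]:
    return process(SAMPLE_ATTEMPTS, copy.deepcopy(SAMPLE_HISTORIES))


if __name__ == "__main__":
    print(run_sample())
```

Two design points worth keeping from this: a high-risk action triggers the extra check regardless of score, so a session hijacked after a clean login still meets a challenge before records leave the portal; and a denied or locked attempt never updates the history, so an attacker cannot "teach" the system a new device by failing repeatedly.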