
4 ways to secure patient portals

Not every healthcare organization embraced electronic medical records (EMRs) at first. But the incentives and regulations put in place by Meaningful Use and the Affordable Care Act have made it necessary to implement them.

Now, organizations are not only embracing EMRs, but also making it easier for their patients to access and manage them through remote portals. According to the Office of the National Coordinator for Health IT, approximately 63 percent of patients who used portals did so at their doctors’ recommendation.

Despite the growing popularity of patient portals, more than 25 percent of patients still refuse to use them for fear of jeopardizing their data. Considering the sensitive nature of their protected health information (PHI), along with the nearly 5.6 million health records that were compromised last year, those fears are more than reasonable.

What can providers do?

Hackers have homed in on the healthcare industry for two main reasons: the treasure trove of valuable information in medical records and a sometimes dated approach to cybersecurity. In fact, between 2009 and 2016, more than 30 percent of all big data breaches occurred within healthcare systems.

Without proper encryption methods, login redundancies, and detection tools, portals are almost as easily accessible to hackers as they are to authorized users. As their usage grows, that lack of security will become an exponentially greater threat to patients’ PHI and identities.

“Many of us are accustomed to keeping the same name and password with our accounts, and as we know, that information is very lucrative to the right individuals,” says Victoria Dames, Director of Identity Management for Experian Health. “While it’s our due diligence to constantly change them, there are certain scenarios where maybe we forgot to change them or we don’t regularly log in and that password may sit idle. When that happens, you want to make sure that you have the right technology in place to be able to catch somebody potentially logging in, trying to impersonate a patient.”

Providers can’t lower the value of PHI to make it less attractive to hackers, but they can protect it more effectively with up-to-date cybersecurity measures. These four tips can help organizations bring their patient portal security up to date and keep their networks safe from unauthorized access:

1. Automate the portal sign-up process.

Automating the initial sign-up process can stop false enrollments into the portal at the source. When implemented correctly, the automation will only require the patient to enter a few pieces of information, and then the software can confirm the user’s identity on the back end.

2. Leverage multilayer verification.

After patients have signed up to access the portal, using multilayer verification can ensure all future sessions are equally secure. For example, two-factor authentication adds additional protection on top of conventional login credentials.

In addition to a password or PIN, users also have to provide something personal such as a cell phone number, ZIP code, fingerprint, iris scan, or more. If the user’s device, account ID, and/or password are compromised, two-factor authentication can ensure the organization’s network remains safe.
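The following added example (not code from the article or from Experian Health) sketches how a portal back end might combine the two ideas above: a second factor is always required on top of the password, and logins to long-idle accounts or from unrecognized devices are flagged for review. The 90-day dormancy threshold, the field names, and the use of a time-based one-time code (RFC 6238) as the second factor are assumptions made for illustration.

```python
import hashlib, hmac, struct
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not from the article

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def otp_valid(secret: bytes, submitted: str, unix_time: int) -> bool:
    # Accept one 30-second step either side for clock drift; constant-time compare.
    return any(hmac.compare_digest(totp(secret, unix_time + d).encode(), submitted.encode())
               for d in (-30, 0, 30))

def evaluate_login(account: dict, attempt: dict):
    """Return (decision, flags); decision is 'deny', 'challenge' or 'allow'."""
    if not attempt["password_ok"]:
        return "deny", []
    flags = []  # signals for the detection team, independent of the decision
    if attempt["time"] - account["last_login"] > DORMANT_AFTER:
        flags.append("dormant_account")  # the idle-password scenario
    if attempt["device_id"] not in account["known_devices"]:
        flags.append("new_device")
    otp = attempt.get("otp")
    if otp and otp_valid(account["totp_secret"], otp, int(attempt["time"].timestamp())):
        return "allow", flags
    return "challenge", flags  # a password alone never opens a session

# Constructed sample data: an account idle for 200 days with one known device.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNT = {"last_login": NOW - timedelta(days=200), "known_devices": {"dev-a"},
           "totp_secret": b"constructed-demo-secret"}
# Someone holding only the password, on an unrecognized device.
STOLEN_PASSWORD = {"password_ok": True, "time": NOW, "device_id": "dev-x"}
# The patient on a known device, supplying the current one-time code.
PATIENT = {**STOLEN_PASSWORD, "device_id": "dev-a",
           "otp": totp(ACCOUNT["totp_secret"], int(NOW.timestamp()))}

if __name__ == "__main__":
    print(evaluate_login(ACCOUNT, STOLEN_PASSWORD))
    print(evaluate_login(ACCOUNT, PATIENT))
```

The flags are returned even when the login is allowed, so a returning patient on a dormant account can still be logged for review without being blocked.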

3. Keep anti-virus and anti-malware software up to date.

Multilayer verification protects users’ direct access to portals, but there are other, more frequent vulnerabilities that also need attention. For instance, HIMSS Analytics recently found that 78 percent of providers experienced ransomware and malware attacks last year.

Email is the avenue of choice for malware, and these attacks constantly evolve to slip past conventional security measures. If anti-virus software is outdated, the network remains vulnerable to every new iteration of malware that attacks it. Most solutions let organizations opt in to automatic updates, so updates are downloaded and installed as soon as they’re made available.

4. Promote interoperability standards.

When primary care physicians, specialists, and healthcare payers talk to one another throughout the course of a patient’s care, it isn’t always through email. When their systems aren’t compatible, they can’t communicate as clearly and securely as they need to.

Interoperability makes it possible for disparate systems to share medical histories and patient data while making that data easily understandable on either system. Because interoperability is essential for improving the continuum of care, the Centers for Medicare and Medicaid Services provide standards for healthcare organizations to promote it.

More patients and providers are optimistic about using technology to improve the healthcare experience. However, one in five patients remains so suspicious of healthcare data security that they refuse to even divulge some information to their physicians. Fortunately, with the right tools, organizations can effectively strengthen portal security and boost the confidence their patients have in them.