by John Deutsch - Bridge Patient Portal
Healthcare services are meeting patient demand by becoming increasingly digitized. These digital healthcare services are often developed by third parties and access electronic health records (EHR), revenue cycle management (RCM) systems, and other databases that include sensitive and legally protected information. While these electronic services are beneficial to both patients and providers, they create an increasingly complex software supply chain, with more potential vulnerabilities that are being targeted by hackers[¹]. Healthcare providers can find it difficult to manage effective oversight of these supply chains - including the relationships between different software tools, who has access to what data, and where there might be potential weaknesses.
The U.S. Department of Health and Human Services (HHS) reported a 100% increase in healthcare data breaches[²] from January to May of 2022 compared to last year. To combat this rising trend in cyberattacks, federal authorities rolled out new laws[³] that facilitate interoperability within medical orgs and mandate greater patient control over their PHI (personal health information). These updated rules require stricter patient portal security measures on the part of software vendors and healthcare companies.
Security Risks of Patient-Facing Software
Patient-facing software includes patient portals and mobile apps that allow for communication between patients, providers, and caregivers, including the transmission of electronic personal health information (ePHI). Vulnerabilities in these software tools often occur when the healthcare organization does not sufficiently secure access permissions to patients’ personal health data. This can occur due to technical errors, where the appropriate authorizations were not coded properly into the app, or by simple human error, in which unauthorized parties have access to a wider range of information than their position entitles them to.
Aside from errors, organizations must also regularly monitor for suspicious activity to identify any potential risks for cyberattacks.
These considerations demand the development of more secure patient portals and mobile apps from providers and their software vendors. These patient portals must comply with current patient portal privacy and security legislation such as ADA, HIPAA, and CCPA, with the healthcare organization being liable for any breaches of security or privacy. PCI compliance[⁴] is also mandatory for HIPAA-compliant bill pay.
7 Steps for Patient Portal Security
To secure ePHI and monitor potential risks, it’s essential for healthcare organizations to organize their IT systems in such a way that provides them with as much oversight as possible. Controls should be implemented to limit access to ePHI and sensitive information of any kind.
1. Opt-in Consent
On the patient-facing side, your secure patient portal should integrate patient consent forms, the most important of which is an opt-in agreement that outlines the patient portal privacy and security risks and measures for the user. The patient should have to read and provide their consent to use the portal or app.
2. Role-Based Access Control
When integrating software systems with patient portals or apps, the provider should take care to design the authorization of users according to the principle of “least privilege.” This means that users should have access to the bare minimum of information they need to do their job, and no more. This can be done by auditing and verifying all parties regularly, as well as by standardizing authorization between them, using single sign-on (SSO) technology to verify user profiles across all the connected systems. A plan for role-based access control (RBAC), including proxy patient access for responsible caregivers, is essential in designing a healthcare IT system.
3. Zero-Trust Framework
“Zero trust” is a security paradigm mandated by the White House’s recent executive order to improve the nation’s cybersecurity[⁵]. Rather than trusting a regular user authentication process, the Zero Trust security framework instead requires repeated verification of user activity from multiple sources. In practical terms, a healthcare organization should require authentication for every action taken by a profile that might access ePHI, and actively monitor for suspicious behavior.
4. Ecosystem Oversight
As previously mentioned, a key security challenge for healthcare orgs is the difficulty of overseeing the complex web of third-party relationships that form their IT system. That’s why it is important to map out these relationships and conduct audits to make sure all profiles are accounted for. Because software is always being updated, this map can change often, and updates represent an opportunity for cyberattacks to infiltrate the system, as happened with the infamous SolarWinds attack[⁶]. To prevent this, regular audits and monitoring protocols must be implemented.
5. Multi-Factor Authentication and Password Protection
A HIPAA-compliant patient portal should require a password for initial login and also after each 30-minute period of inactivity. Accounts should be locked if an incorrect password is entered multiple times, and all employee passwords should be automatically reset every 60 to 90 days. Multi-factor authentication is also recommended for additional security. Bridge Patient Portal, for example, enables timed, two-factor authentication via SMS. Biometric authentication can also be implemented to use fingerprint and facial recognition to authenticate a user.
6. Encrypted Backups
It is essential to keep patient data backed up, ideally in multiple off-site locations that are isolated from the organization’s main IT infrastructure. This protects the information even if the main system is compromised by hackers. Multiple HIPAA-compliant cloud hosting providers can be used to distribute this data and make it harder to attack. The data should also be encrypted, both in storage and in transit, so that only authorized persons can read it.
7. Staff Training
Even the most robust security systems can be accidentally compromised by simple human error, which is why staff must be made aware of security risks and understand how to mitigate them. One Kaspersky report found that 40% of healthcare staff[⁷] surveyed had no knowledge of the cybersecurity measures at their healthcare organization. Training staff in cybersecurity and their responsibilities is an ongoing process, but absolutely vital in our age of telemedicine and mhealth apps.
Partner with Security-Conscious Software Vendors
To properly secure sensitive data, cybersecurity must be an absolute priority when it comes to healthcare IT infrastructure. One way to do this is by partnering with a patient engagement software vendor that has a proven track record in building HIPAA-compliant software tools with advanced security protocols.
About the Author
John Deutsch
John is CEO of Bridge Patient Portal with 20 years of healthcare IT business ownership experience specializing in patient engagement, marketing, and software development.
Check out Bridge's recent webinar with FQHC Connect where they talked about Taking Patient Engagement to the Next Level with Telehealth, Mobile, & Other Patient Engagement Initiatives..
About Bridge Patient Portal
Bridge is an enterprise patient portal and patient engagement solution for healthcare organizations. The platform is ideal for health centers seeking to replace their existing EHR’s patient portal, connect disparate EHR environments, consolidate costly patient engagement tools, offer telemedicine services, and/or publish a mobile app.
Bridge is a community sponsor of FQHC Connect and has a number of FQHCs using their platform. They are constantly seeking to improve their technology and collaborate with FQHCs to find new and creative ways to advance patient engagement in FQHCs.
Learn more at www.bridgepatientportal.com.
Article Sources:
Barlow, C. (2021).Hackers are leveling up and catching healthcare off-guard. [online] Help Net Security. Available at: https://www.helpnetsecurity.com/2021/05/18/hackers-attacking-healthcare/
U.S. Department of Health & Human Services (2019). U.S. Department of Health & Human Services - Office for Civil Rights. [online] Hhs.gov. Available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
www.cms.gov. (2022). 2022 Medicare Promoting Interoperability Program Requirements | CMS. [online] Available at: https://www.cms.gov/regulations-guidance/promoting-interoperability/2022-medicare-promoting-interoperability-program-requirements
Security Standards Council (PCI) . (2022).Security Standards Council (PCI). [online] Available at: https://www.pcisecuritystandards.org/standards/
The White House (2021). Executive order on improving the nation’s cybersecurity. [online] The White House. Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Newman, L.H. (2020). How to Understand the Russia Hack Fallout. [online] WIRED. Available at: https://www.wired.com/story/russia-solarwinds-hack-targets-fallout/
Kaspersky. (2019). Cyber Pulse: The State of Cybersecurity in Healthcare -Part Two. [online] Kaspersky. Available at: https://media.kasperskydaily.com/wp-content/uploads/sites/85/2019/08/16121510/Kaspersky-Cyber-Pulse-Report-2019_FINAL.pdf