Posts

protecting patient data in healthcare

How Doctors Can Transmit Patient Data Securely

Doctors must take precautions when sharing patient data. Learn more about how doctors should protect your PHI in this guest post from Heather Lomax. (Photo courtesy of MaxPixel)

The following guest post on protecting patient data was submitted by Heather Lomax.

Communication efforts in the last few years have greatly advanced between doctor and patient. Instead of having patients drive out for a visit or make drawn-out phone calls every time something needs to be discussed, some doctors’ offices have started to use online portals and email correspondence with patients. These options are extremely efficient, but they also place patients at a higher risk of medical identity theft. Therefore, special measures need to be taken to transmit patient data safely.

PHI Data and Email Encryption

First and foremost, patients need to make sure their devices are encrypted when they access medical data. Accessing records from a device that is not encrypted leaves the data easy to steal. Portals offering medical data need to be encrypted as well. Patients should be made aware that if their computers at home are not secure, their data is at risk there too. Sending patients emails requires a further degree of encryption.

Different Types of Email

Several types of email exist when it comes to safely transmitting data to patients. For web-based email applications, doctors’ offices and patients alike need to use accounts with HTTPS encryption. This method is the only means by which web-based email is secure. The email that is sent to a patient should also be encrypted using either PGP encryption methods or Symantec Digital IDs. With both of these methods, each email carries its own encryption.

Use Cloud Services for Fax and Email

HIPAA regulations make specific claims about how data should be transmitted between office and patient. One of the methods to use for this communication relies on cloud services for both faxes and emails. These cloud services have their own firewalls and encryption procedures, and they make certain that data only goes to a specific location. More often than not, a specific receiver has to acknowledge that they accept a fax. A VPN access code can be used for this process.

Biometric Identification

As passwords become obsolete and even unsafe for healthcare data security, biometric identification is steadily rising in practice when it comes to accessing sensitive information. With passwords comes the potential of breaches in security, even with the most carefully crafted codes. However, with the use of fingerprint analysis, retina scans, and facial recognition software, it’s nearly impossible for identity fraud to take place since these characteristics cannot simply be imitated. And not only does it reduce the risk of billing fraud – it also prevents deadly medication errors, improves response rates to medical emergencies, and expedites health information exchange services (which will be discussed in the next section).

Use Three Different Forms of Health Info Exchange

When in doubt, doctors’ offices should use three distinct methods of Health Information Exchange (HIE) with patients and other medical offices. The first type is directed exchange, where data can be sent and received securely through an electronic medium between providers in support of coordinated care. The second option is a query-based exchange, which offers providers the opportunity to find and request information from patients and other providers when unplanned care takes place. Finally, doctors’ offices can use consumer-mediated exchange, a method which allows patients to have control over data and how it is used among different providers.

Conclusion

A great many options are available when it comes to transmitting electronic patient data. Rather than relying on flimsy means of protection, practices should implement alternatives with tighter security, such as encrypted care, biometric identification, and HIE paths. If your practice or hospital can introduce even one of these methods as part of its data transfer strategy, you’ll notice a great improvement in workplace efficiency as well as security for your patients.

Author bio:

Heather Lomax is a contributing writer and media relations specialist for Blaze Systems. She writes articles for a variety of medtech blogs, discussing solutions for optimizing healthcare data protection and clinical technology.

medical record safety

Peace of Mind: A Short Guide To Who Handles Your Private Medical Information

Many patients are unaware of how many people have access to their sensitive medical information.

The following guest post on who handles Protected Health Information (PHI) was submitted by Brooke Chaplan.

From basic information such as your height and weight to the types of medications you are taking, your health history, diagnoses, billing information and more, your healthcare providers have access to an incredible amount of very personal information about you and others in your family. This is information that you do not want to fall into the wrong hands. This begs the question of who actually has access to all of the information in your medical file.

Well-Trained and Screened Candidates

In most healthcare offices, hospitals and other settings, the administrative or medical team that has access to your records is usually well-trained and thoroughly screened. These individuals typically must pass a thorough background check before being permitted to work in the office, and the office often has safeguards and high-tech protocols to prevent employees from mishandling or abusing the information that they gain access to. Some of the professionals with the most access are healthcare administrators that hold a degree in their field.

Your Health Insurance Company

If you are one of the many millions of Americans who have access to health insurance, your health insurance company may keep track of your medications, treatments, diagnoses and more. Health insurance professionals are often required to uphold strict standards of confidentiality in the same way your healthcare providers are. In addition, as is the case with hospitals and medical offices, health insurance companies usually go to great lengths to prevent employees from misusing or abusing the data that they come across over the course of their regular work day.

Potential Hackers

In 2015, as many as a third of all Americans were impacted by a security breach that involved their healthcare data or records. Information such as their address and Social Security information may have been passed on to hackers. Some hackers sell the data they obtain through their attacks, and others use it personally with malicious intent. For example, with your name, address, Social Security number and birth date, they can commit identity theft. Many medical offices and hospitals are aware of this and other potential risks to their patients, and they regularly take steps to continuously update and improve technology in an effort to reduce this risk for their patients.

Your private data should remain private at all times, but the unfortunate reality is that the system in place in the healthcare industry right now is not perfect. Patients should make inquiries to their healthcare providers to learn more about the steps a particular office or hospital is taking to keep their data from falling into the wrong hands.

Author bio:

Brooke Chaplan is a freelance writer and blogger. She lives and works out of her home in Los Lunas, New Mexico. She loves the outdoors and spends most of her time hiking, biking, and gardening. For more information contact Brooke via Twitter @BrookeChaplan.

 

protecting healthcare data

Healthcare Data Security: How Doctors and Nurses Access, Utilize, and Protect Your Information

Docs and nurses need access to your protected health information (PHI) to provide you optimal care. What steps are they taking to protect that healthcare data? (Photo courtesy of pixabay)

The following guest post on healthcare data security was submitted by Brooke Chaplan.

Anyone who has been to a doctor’s office, hospital or other healthcare institution knows that these can be busy places with patients waiting to be seen and professionals bustling about to perform their duties. With all of this activity going on and various personnel involved in your care, you may wonder about the security of your medical records. Sensitive information lies within the paper and electronic files used by your medical providers. Let’s take a look at how doctors and nurses access, utilize and safeguard your healthcare data.

Confidentiality, Privacy, and Security

First, it’s important to identify the difference between three different terms that are often used interchangeably within healthcare. The concepts of confidentiality, privacy and security are related, but each has its own significant meaning with regard to balancing the needs of patients, providers, the public and other relevant parties such as insurance personnel. When discussing confidentiality in the medical field, the term refers to the duty of personnel to hold any patient healthcare data to which they have access in the strictest of confidence.

Privacy is a separate concept that has to do with an individual patient’s right to decide how personal medical information is shared and with whom. You may be familiar with HIPAA, the Health Insurance Portability and Accountability Act. This statute by the federal government states that, while a patient’s right to privacy and control of their healthcare data still exists, there are some parties with whom such data can be shared without prior patient approval. These include public health officials, health organization administration and payment providers. Finally, there is security, which is all about the protection of confidentiality and privacy of patients. It refers to the ways in which healthcare data is stored and accessed.

Medical Records and Their Use

Your medical records contain a wide range of information. Your full name and unique patient number within that particular healthcare network are stored in your records, along with demographic data like your date of birth, gender and race. Your allergies, medical conditions and lifestyle habits are recorded, in addition to detailed accounts of every provider visit, lab result, prescription and referral. Your payment, billing and insurance information are also kept in your medical records, as is your family medical history.

Organizational Policies and Procedures

As you can see, there is a great deal of sensitive and personal healthcare data kept within your individual medical records. In order to ensure the privacy and confidentiality of patient data, healthcare and medical organizations pay special attention to creating structured policies and procedures regarding the way such information is handled, stored and accessed. Each network will have its own unique set of guidelines, but the matter is taken very seriously among medical providers. In fact, an entire profession known as healthcare or nursing informatics is dedicated to the management of healthcare data. Many universities also offer a masters in nursing informatics program. An informatics expert is usually employed to help organizations protect patient health information and to ensure only necessary professionals can gain access.

Healthcare providers work hard to care for your medical needs. They are also concerned with the proper care of your personal data. You can rest assured that procedures are in place to ensure the security of your private and confidential information.

Author Bio:

Brooke Chaplan is a freelance writer and blogger. She lives and works out of her home in Los Lunas, New Mexico. She loves the outdoors and spends most of her time hiking, biking and gardening. For more information contact Brooke via Twitter @BrookeChaplan.

 

 

5 Reasons Why Health Care Needs Better Cybersecurity

The rapid digitization of healthcare has pushed many providers to improve cybersecurity. (Photo courtesy of Shutterstock).

The following is a guest post submitted to RightPatient on improving cybersecurity in healthcare.

When healthcare first started to go digital, the problems were largely related to mechanical reliability. Computers weren’t so reliable, and there was no internet to really bring them together. Keeping hard backups was really the biggest concern.

Yet that’s changed considerably in the past decade. Nearly all healthcare providers store at least some of their records online. As a result, there are fewer opportunities to completely lose a patient’s records and collaboration among practitioners is becoming considerably easier. Conversely, the chance of having records stolen is dramatically increased.

According to the US Department of Health and Human Services, there were over 300 data breaches in 2016 (with over 500 victims), and that’s just in the United States. The question so many are asking is why.

As it turns out, there are many reasons.

Healthcare is Going Paperless

Both for space and for purposes of preservation, healthcare practitioners are doing what they can to cut down on the rooms filled to the brim with patient files. Instead, that information is stored on servers, both onsite and offsite. There’s less room for losing physical files, patient information can be located and sent faster, and providers can more easily see a complete history.

This centralization is certain to improve patient outcomes but it comes with the risk of creating major “honey pots” for hackers and thieves. Rather than stealing file folders, these cybercriminals only need to breach a single database to acquire hundreds, if not thousands of patient records.

The only recourse is to improve cybersecurity measures to help reduce or avoid breaches entirely. Otherwise, patients (and we’re all patients, including providers) face the risk of identity theft or worse.

Fraudulent care is a major problem because per the law, all treatment must be recorded. Care rendered to the wrong person can prove very difficult to remove from records, which could prove problematic or even dangerous for the victim, although the FDA contends that thus far no one has been injured or died as a result of data breaches.

It’s the Law

Not everyone realizes that maintaining cybersecurity that meets current procedural standards is actually the law. HIPAA compliance doesn’t just extend to patient confidentiality in person, but also applies to information stored digitally.

Those in practice that do get hacked face stiff legal penalties, particularly if they are shown to be taking inadequate care in preserving their patient records safely. Although state requirements vary, there are a few basic requirements both for minimizing liability and for complying with the law:

• At least two hard copies of records need to be maintained, one of which is stored offline
• Digital records must have copies stored online
• Health care providers must perform risk assessments and provide security measures that are adequate* to minimize risks to patient information and privacy

*Note that what constitutes “adequate” seems to vary and the requirement is generally vague at best.

Breaches are Increasingly Common

Earlier we discussed that 2016 was a year that featured over 300 major cybersecurity breaches in the healthcare industry. What’s important about that value is that it represents an over 20 percent increase in the number of hacks as compared to the year before, which numbered in the mid-200s.

Far from becoming less frequent and more controlled, data theft is actually on the rise. And the cost of theft isn’t getting any cheaper either. Research done by the Ponemon Institute continues to show yearly increases in costs to providers as a result of cybersecurity woes.

At present, there doesn’t seem to be any indication that the number of breaches or the cost per incident is likely to decrease through 2017 or beyond.

Most predict a continued increase in cost.

Private Practices Are Favorite Targets

The victims of data theft aren’t just major hospitals or data centers. In fact, private practices face just as many, if not more risks than do large institutions. Small practices tend to have a considerably lower budget for cybersecurity and thus are actually more vulnerable because it’s just that much easier for hackers to force their way in.

Government entities have been concerned for years that the problem isn’t limited just to large institutions. In 2012, the FBI director actually stated that “only two types of companies” exist: “those that have been hacked and those that will be.”

Private practitioners and their patients would be wise to heed this warning and take steps to minimize the inevitable fallout that comes with data theft. Not taking the risk seriously could prove devastating particularly for offices with just a single doctor on staff.

BYOD Also Means BYOP

One last addition both to healthcare and standard businesses that presents a major risk to patient records is the so-called “Bring Your Own Device” (BYOD for short) policy. This procedure has grown in popularity because many employees own devices that are far more capable than those being provided by offices.

But BYOD can quickly become a BYOP (bring your own problems) policy if not handled appropriately. Employees rarely maintain security on their personal devices in a way that sufficiently protects the businesses they work with.

Employers would be wise to implement security requirements for their workers in the form of locked devices and security software. That means both anti-malware apps—for preventing infected software from being installed—and internet security apps, with Virtual Private Networks (VPNs) increasingly the most important due to the number of hacks that involve direct invasion of unsafe connections.

Solving the Problems

Putting a stop to security breaches isn’t likely something that will happen overnight. But it is something we should all be cognizant of enough to begin minimizing risks. Nothing replaces vigilance and there may not ever be a catchall solution to cybercrime.

The cost of negligence may be more than we can imagine. And with insurance premiums up and healthcare costs continuing to rise, this is one bill we can’t afford to pay.

How will you help healthcare improve its cybersecurity? Do you have any concerns? Tell us in the comments.

About the Author: Faith is a cybersecurity expert and technology specialist. As a professional and patient, she is interested in helping businesses maintain more secure environments for the safety of themselves and those they serve. With medical hacks on the rise, Faith finds herself speaking out on the topic of patient records often.

patient data integrity and patient safety in healthcare

The Importance of Maintaining Patient Data Integrity

Patient data integrity is important to maintain in healthcare. Learn more about how to protect it in the evolving world of digital healthcare. (Photo courtesy of Chris Evans on Flickr: http://bit.ly/2iUls86)

The following guest post on patient data integrity in healthcare was submitted by Gabriel Tedde Cabot.

While all physicians, care providers and practices understand the importance of keeping accurate files and records for maintaining patient data integrity, the unique challenges and concerns of a digital file system may pose a greater risk than many practitioners might realize. From the struggle to keep patient records coherent and to maintain unified files across multiple applications and programs to the issues that may be caused by a data breach, today’s practices would be wise to assess the effectiveness of their records and data processes. Loss of data integrity may result in any number of potentially serious consequences, ranging from HIPAA violations to compromised patient care.

Creating and Maintaining the Right Digital Infrastructure

The first step towards ensuring digital information can be created, stored and accessed with greater accuracy is also one of the most important. Creating and maintaining the right digital infrastructure can streamline all processes that may involve patient records and ensure that inconsistencies within a file system are less likely to occur. Applications that can be linked more easily and databases that provide cross-platform support are often crucial assets for reducing errors and oversights and for optimizing the efficiency of staff and associates.

The Importance of Staff and Employee Training

Having the right digital working environment is only one step in the process for ensuring more effective and accurate record-keeping, one that may be of little practical benefit when employees are not properly trained. Properly training all employees who access or use database systems, patient records and similar applications can help to minimize problems caused by user error. Assessing the current skill level, understanding and overall computer literacy of existing staff can also be quite helpful in identifying any areas that may require attention or improvement.

Failing to provide ongoing training for their staff is a mistake common to both small practices and larger facilities. Updated software, the addition of new applications and changes to the daily operational process of a clinic, practice or healthcare facility often entail the need to train and educate employees who may not yet be comfortable or even familiar with new systems or tasks. Ongoing training also provides a chance for associates to brush up on any skills or concepts that may have gone unused for too long.

Performing Periodic Assessments or Audits to Ensure Accuracy

Quality assurance can go a long way, both towards ensuring that established resources and operational processes are being utilized correctly and for identifying smaller issues before they have a chance to grow into larger and more serious problems. Assessing the accuracy of past records and ensuring that patient data integrity is being maintained effectively is not a concern that should be left to chance. Further assessments should also be performed whenever new operational policies go into effect or when changes are made to the software, systems and applications used by employees.
 
Protecting Patient Information in the Digital Age

From instituting a more effective password policy to utilizing secure virtual data rooms, there are numerous ways for organisations to ensure all patient data and information is kept safe and secure. Damage caused by unauthorized access to data, files and electronic information may be considerable, and practitioners who fail to make online security a priority may be placing themselves and their patients at greater risk of a breach or other security issue. Malware or unauthorized users who are able to gain access to electronic records may result in the loss of vital data or in files and records that can no longer be considered secure.

While even basic measures to enhance digital security can make a considerable difference, more can be achieved by organisations that elect to make use of the right resources. Contracting with a third-party IT department or security specialist may provide a more cost-effective solution for smaller practices that lack the financial resources needed to expand their staff. Investing in secure virtual data rooms used to store and distribute information in a safer manner can also ensure that medical organisations are not placing patient data or information at greater risk. Finding and selecting the services, resources and solutions that make it possible to reduce or even eliminate many of the most common and costly digital security risks is always a worthwhile undertaking.

Staying Up to Date With Changing Technology and Emerging Trends

With new applications, digital services and innovations continuing to shape and change the industry, practitioners and medical organizations can no longer afford to fall behind the times. Failing to learn more about new potential security risks or electing to overlook the latest security resources and solutions could prove to be nothing short of a disaster. When it comes to maintaining patient data integrity, staying up to date with the latest technology or learning more about the most recent threats and security concerns is of paramount importance.

Gabriel Cabot is a digital marketing strategist from London who enjoys reading, writing and learning about new technologies, programming, health and the Internet.

the use of biometrics to secure PHI access

Improving Patient Engagement with Secure PHI Access

The explosion of mHealth apps and patient portals for PHI access demands more modern patient and clinician identification technologies than user names and passwords.

The following guest post was submitted by Michael Trader, President and Co-Founder of RightPatient®

The rise of digital health tools for PHI access

Encouraging patients to take a more active and engaged role in their healthcare has been a key focus of healthcare providers in the wake of Meaningful Use requirements. What began as an industry mission with specific benchmarks and goals has since manifested into the actual use of myriad digital tools and platforms that are educating, engaging, and working to empower patients to increase accountability and responsibility for their own health and, when applicable, the health of their families. In fact, a recent HIMSS survey on how mobile apps and portals improve patient engagement indicated that on the provider side:

  • 73% of organizations used app-enabled patient portals to increase consumer participation in their overall health and wellness goals as well as meet relevant Stage 2 and Stage 3 Meaningful Use requirements under the Medicare and Medicaid EHR Incentive Programs.
  • Nearly half of those polled stated that “implementation of mobile services for access to information is a high priority at their organization.” Additionally, more than half – 57 percent – indicated that their facility implements a mobile technology policy, which often has a focus on mobile health security capabilities.
  • About one-third of polled healthcare organizations stated that they provide “organizational-specific apps” to the patient community.

(source: http://mhealthintelligence.com/news/how-mobile-health-apps-portals-improve-patient-engagement) 

One important facet in the goal to improve patient engagement is providing easier and faster access to personal health information (PHI). Manifested through Meaningful Use Stage 2, the benchmark is stated as:

Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP. (source: http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures-2/patient-ability-electronically-view-download-transmit-vdt-health-information)

The idea is for healthcare providers to reach beyond traditional means of accessing PHI (think in person visits) and adopt digital health tools for easier, faster, and more convenient ways of accessing this data (think patient portals and provider mHealth apps). In concept, increasing the availability of tools and platforms to access PHI is a good thing — it caters to increasing patient demand to offer greater PHI accessibility through resources that offer more convenience and are in lockstep with the rise of the digital health movement. However, the explosion of digital tools for PHI access carries an inherent risk that patient identities will be compromised, stolen, or shared leading to a sharp increase in fraud and medical ID theft that poses a direct threat to not only patient safety and provider medical error liability, but also to the rising cost of healthcare. Not to mention the fact that the rising use of digital tools to access PHI compromises patient data integrity which is critical to maintain because of the ripple effect it has on the ability to provide accurate care along the continuum and the confidence it represents to successfully participate in health information exchanges (HIEs).  

Keep in mind that each time a perpetrator commits healthcare fraud or medical ID theft, the fallout of legal fees, settlement costs, and expenses to restore an identity are passed down to ALL patients in the form of higher fees for medical services. Therefore, collectively there is a pressing need to ensure that adoption of stricter and more secure methods of patient identification runs parallel to the rise in digital tools and platforms for safe access to PHI. Otherwise, patients may not be as willing to use these tools for fear of medical ID theft or unlawful access to their PHI data, which directly compromises their safety, security, and privacy.

Monetary damages are only the tip of the iceberg for healthcare organizations when discussing the impact of fraud and medical ID theft. It has been well documented that reputation can be negatively affected when patients perceive, or a data breach confirms, that healthcare providers are not taking the necessary action to increase PHI access security.

How can we correlate an increase in quality patient engagement with secure PHI access? Patient engagement is, without a doubt, a key linchpin to the success of healthcare’s triple aim. Simply stated, it is not possible for the healthcare industry to achieve the goals of lower costs, an enhanced patient experience, and improving population health in the absence of strong and sustainable patient engagement.

Securing PHI access for higher levels of patient engagement

Scour the internet for articles that cover patient willingness to use digital health IT tools to access PHI and you will discover that despite the industry-wide effort to adopt tools that provide more convenient and faster access to medical data, few patients are actually doing so. In fact, a recent survey revealed that just 21% of respondents said they use the Web to access their health data. Meanwhile, 10% said they use e-mail and 40% view the data in person.

The reason behind patient unwillingness to use mHealth tools and portals for PHI access runs the gamut from dissatisfaction with mobile health applications to challenges in finding and using instructions, data inaccuracy, and device malfunctions or data syncing issues. Furthermore, issues related to poor mHealth app and portal security have hampered more widespread adoption of these tools and stoked patient fears that their privacy could be compromised by using them.

Setting aside those with opinions that privacy can never exist in the healthcare industry, the link between patient confidence and trust that their identities and PHI are protected when using mHealth apps or patient portals is palpable and has a direct effect on their willingness to use these tools as part of their overall care.

First, it’s important to distinguish the difference between “privacy” and “security” as it applies to healthcare data. HIMSS does an excellent job of breaking down the differences:

“Privacy” is the right of an individual to make choices with respect to the collection, use and disclosure of their data; “security” is the safeguards – physical, administrative and technological – used to protect the confidentiality, integrity and availability of the data. Because the challenges are many, there is a tendency to focus on “security” in mHealth. Patient privacy cannot be achieved without adequate data safeguards; however secure devices do not necessarily preserve patient privacy. (source: http://www.himss.org/ResourceLibrary/GenResourceDetail.aspx?ItemNumber=30406)

One of the largest impediments to widespread adoption of mHealth tools, portals, and other digital health platforms is inadequate mobile security policies that fail to take into account the necessity of adopting more modern patient identification tools that are commensurate with the data they protect. For example, most healthcare providers continue to use user names and passwords to protect patient identities when using mHealth tools and portals. While these may once have been permissible security protocols, these identity verification methods are now considered antiquated and should be replaced. Even though user names and passwords have proven to no longer be secure enough to protect patient identities, almost all healthcare providers still rely on their use for mHealth apps and patient portals.

Secure PHI access requires modern patient and clinician ID technology

If healthcare providers expect patients to adopt mHealth tools and patient portals as a more convenient way to access PHI, the implementation of stronger and more secure identification technology is critical. Most healthcare security experts agree that due to the large amount of PHI data moving across provider locations via mHealth apps and patient portals, stronger security is needed to prevent data breaches if a patient’s identity is compromised. Plus, the increasing complexity of mHealth apps and their distinct ability to sync PHI data across multiple devices raises important questions about how to properly protect patient privacy to ensure HIPAA compliance for these new tools.

Securing PHI access is not limited to patient interactions with mHealth tools or patient portals, however. A sound strategy to secure mobile and remote access to this sensitive data is required not only for patients, but also for any clinician who has access to mobile technologies. A 2014 HIMSS Analytics Mobile device study reported that:

…approximately one-quarter of US hospitals (28 percent) reported that smartphones are in use at their organization. On average, 169 devices are deployed per hospital. In comparison, 24 percent of US hospitals reported that tablet computers are in use at their organization, with an average of 37 devices deployed per hospital. (source – https://capsite.himssanalytics.org/assets/Uploads/2014-Mobile-Essentials-Brief-TOC12914.pdf)

Healthcare organizations must plan to implement a technology that has the flexibility to be used for secure patient and clinician identification, usually through a strategic combination of a strong single sign-on (SSO) platform to establish strict identification checks and provide a concrete audit trail of data access history with an enterprise-wide patient ID solution to secure remote access to PHI from mHealth apps and patient portals. The modern identification technology of choice for many healthcare providers to meet the rising demand for tighter security to access PHI is biometrics.

Lack of a strong PHI access policy can also have a negative impact on provider reputation. In a recent report on medical identity theft by The Ponemon Institute, 79% of patients surveyed said it is “very important” for healthcare providers to ensure the privacy of health records and allow them to have direct control of their health records.  

Why biometrics?

The HIPAA Privacy Rule requires healthcare organizations to secure remote access to PHI data as a safeguard for patient privacy and to eliminate data breaches that can lead to fraud and medical identity theft. Once considered secure identification criteria, user names and passwords are now considered antiquated and unable to offer strong protection to secure PHI access largely due to the fact that:

  • Most patients don’t want to worry about memorizing a complex password and thus default to using a simplistic password that’s easily guessable.
  • Most patients use the same password for many accounts, resulting in one key that unlocks dozens (or hundreds) of doors.
  • Most patients don’t even keep their passwords secret. Everything from Netflix accounts to bank accounts to web accounts to video game accounts is often shared between friends, family members, and even strangers.

The use of biometrics for individual identification poses a much more secure and flexible technology to address the pressing need for healthcare to adopt stricter PHI access security protocols. Why?

We have written extensively about the applicability of biometric patient identification to improve patient safety in healthcare. Biometrics relies on identifying patients and clinicians by who they are, rather than what they have (ID badges) or what they know (user names, passwords) which can be more easily stolen or shared. Biometric identification technology is a more secure method to identify patients in self-driven interactions by allowing them to use the camera or microphone on their smartphone or tablet and use facial or voice recognition biometrics for accurate authentication. Biometrics offers more flexibility and convenience because it has the ability to be implemented at patient touchpoints where user name and password entry would be cumbersome and inappropriate — home health settings for example.   

The use of biometrics for identification also offers a concrete PHI access audit trail, a more accurate tracking mechanism than user names or passwords which can easily be shared and often skew analytics because it’s impossible to determine the actual individual using the credentials. This is important because litigation often relies on these audit trails used in the defense of medical identity theft or healthcare fraud claims.

Conclusion

Participation in portals and the use of mHealth and other mobile apps to access PHI is a key catalyst to increase patient engagement in healthcare. Patients must have the confidence in their healthcare provider that their PHI is easily accessible and protected with the strongest authentication security on the market that ensures their privacy and safety. User names and passwords are no longer sufficient authentication credentials to meet the expanding need to offer a more flexible, scalable, and more secure identification technology for mHealth apps and patient portals.

Equally important is protecting clinician access to sensitive PHI data. Protocols must be implemented that abandon user names and passwords in favor of technologies such as biometrics that are more secure, less susceptible to being stolen or shared, and leave a concrete PHI data access audit trail.

Have questions about the use of biometrics for patient identification in healthcare? Feel free to leave a comment or question below.

mhealth requires strict patient identification

UCLA Breach Reinforces Importance to Protect Patient PHI


The recent UCLA data breach is a strong reminder that healthcare organizations should consider the use of biometrics such as facial or voice recognition to protect patient PHI on mobile devices and patient portals.

It’s probably unfair to say that the recent UCLA Medical Center data breach that potentially exposed the personal health information (PHI) of 4.5 million patients was a wake-up call for the healthcare industry to implement tighter data security protocols. In fact, it wasn’t a wake-up call at all.

Healthcare data breaches have proliferated over the last five-plus years, and the Health and Human Services (HHS) public “wall of shame” list of healthcare data breaches involving 500 or more individuals is… well… let’s just say a tad crowded. Since HHS began the list in 2009, 1,265 breaches exposing the records of nearly 135 million people have made the list. Ouch. The UCLA data breach isn’t groundbreaking news; it is simply another chapter in the long novel of healthcare data breaches that have placed millions of patients at risk by exposing their PHI and, in some cases, social security numbers and personal demographic information.

The UCLA breach also foreshadows rising demand for tighter security protocols to protect PHI from unauthorized access on patient portals, mobile devices, and other new touchpoints. This rise of additional patient touchpoints to access PHI has vaulted establishing tighter security controls into the spotlight beyond traditional means of authentication. History has shown that username/password-based security is inadequate on mobile devices, yet healthcare organizations continue to adopt technology that uses this method to authenticate patients. Considering the high stakes to protect patient PHI, the UCLA data breach wasn’t a wake-up call – it moved the needle to protect patient PHI to Defcon 1.

The HIPAA Privacy Rule mandates that healthcare organizations secure remote access to PHI data as a safeguard for patient privacy and to eliminate data breaches that can lead to fraud and medical identity theft. The introduction of touchpoints such as patient portals and mobile devices changes the dynamic of protecting patient PHI because it demands adopting strategies that include using modern patient identification systems, yet many healthcare organizations continue to rely on antiquated security solutions.

Healthcare organizations must now consider patient identification systems that can address accurate authentication at each and every touchpoint along the care continuum, far beyond simply implementing technology that covers patient ID at office visits. 

Implementing accurate patient identification when accessing PHI from mobile devices and patient portals must balance strong security with convenience and speed, which is why technologies such as facial and voice biometrics are gaining popularity. The use of biometrics to protect patient PHI is a smart investment, especially if healthcare organizations deploy a solution that offers the flexibility to be used during hospital/office visits and on each and every touchpoint a patient now has the ability to utilize as a means to access health data. Biometric patient identification solutions offer stronger security than user names and passwords and have proven to be more efficient and convenient by eliminating the need and frustration to remember multiple login credentials.

As we experience a sharp rise in patient-driven interactions within the healthcare system that offer more avenues for criminals and hackers to access PHI, it is critical that healthcare organizations implement modern identification solutions that have the ability to better protect this information. Biometrics to protect patient PHI is quickly gaining attention as a security solution that can serve this need. Although it’s impossible to determine whether or not biometrics could have helped prevent hackers from obtaining access to protected patient PHI in the UCLA data breach, the use of this technology can help to offer a secure layer of protection that can deter hackers from even attempting.

 

accurate biometric patient identification helps improve patient data integrity.

Uniting Accurate Patient Identification with Secure Single Sign-On (SSO) to Improve Data Integrity in Healthcare


Today we announced a new strategic alliance with Healthcast, Inc. to bring biometric patient ID and single sign-on (SSO) technology to healthcare.

One of the biggest obstacles facing the healthcare industry is ensuring high levels of patient data integrity. As computerization of health information continues and the scope of health information organizational exchange expands into health information exchanges (HIEs) and integrated delivery networks (IDNs), maintaining the integrity and completeness of health data is paramount, yet much more complicated and challenging. The American Health Information Management Association (AHIMA) recently stated that:

“The overarching goal of HIEs is to allow authorized users to quickly and accurately exchange health information to enhance patient safety and improve efficiency. Achieving this goal is dependent on the ability to link (match) multiple, disparate records relating to a single individual.” (Insuring Data Integrity in Health Data Exchange, AHIMA Resources, 2012)

Achieving high levels of patient data integrity in healthcare is largely contingent upon establishing accurate patient identification — a complex process due to the absence of any standardized patient identification credentials and a lack of consistency on how patient identification information is collected. Implementing a secure patient identification system should be the precursor to any patient data integrity improvement strategy, one that has the ubiquity for use at ANY patient touchpoint (e.g. portals, mHealth, and kiosks) and has the power to prevent duplicate medical records and fraud which can quickly poison an electronic health record database and create a host of “dirty data.”

Coupled with the importance of deploying a modern patient identification system is the urgency to establish stricter single sign-on (SSO) security protocols for access to personal health information (PHI) from clinicians or any staff authorized to view this data. Healthcare data breaches continue to pose a tremendous strain on the industry, recently highlighted in The Ponemon Institute’s 2015 2nd Annual Data Breach forecast which states:

“Healthcare organizations face the challenge of securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals.” (2015 Second Annual Data Breach Industry Forecast, The Ponemon Institute, 2015)

A logical first step for any healthcare provider is to implement stronger SSO technology to simplify and secure access to PHI that helps deter fraud, prevent duplicate medical records, and increase operational efficiencies.

In an effort to help introduce and increase adoption of arguably the two most important components that will improve patient data integrity for any healthcare organization, today we announced a new strategic alliance with Healthcast — joining forces to offer our best-of-breed biometric patient identification solution with their #1 ranked single sign-on solution (KLAS, 2014) to increase patient safety and secure access to patient data.
