How healthcare executives can balance access and protection for critical patient data management
May 05, 2020
By Erin Benson
When it comes to cybersecurity culture, many healthcare organizations are overconfident about their defenses and underprepared for potential attacks. With the COVID-19 crisis driving a significant increase in digital use, as healthcare providers deliver more virtual care and staff work remotely, establishing and maintaining secure data access can certainly be daunting. While the need for data security has never been greater—thanks to innovative hacking schemes—the simultaneous demand for a frictionless user experience has reached new heights.
How can a health system executive successfully balance an increasing desire for easy access to data for their patients with the need for protection against breaches to critical systems? Both can be sufficiently maintained with upfront and behind-the-scenes security strategies that include comprehensive patient identity management and multifactor authentication (MFA) tools.
Granting patients access to their protected health information (PHI) is critical for patient engagement and care delivery. Equally critical is ensuring that only correct and legitimate users gain access to medical records. The business of creating fake identities and filing fraudulent claims is lucrative for fraudsters. Amid the constantly evolving digital landscape, data breaches persist as hackers exploit vulnerabilities in systems, fraud management, operations, and people.
The online retail business has taught customers to expect quicker, more convenient ways to access services – and customers are expecting that same convenience from healthcare organizations now too. Anywhere, anytime access to information is essential as patients seek to gain more control over their health. Through portal technology, patients can schedule appointments, request medication refills, pay bills, view test results, and communicate with their providers via secure messaging. They can also request mobile text and email communications about appointments. On the provider side, telemedicine services, remote monitoring, and medical device data are adding to access demands and requirements for security.
While patients are understandably concerned about the privacy of their online medical records, they deserve comprehensive, integrated access to them throughout their healthcare journeys. Hospitals and practices can adapt health information technology strategies to increase access while protecting privacy. The goal is to enhance engagement with a positive user experience while impeding fraudulent activity. Today’s cybersecurity decision-makers can achieve the goal with a multilayered, comprehensive protection approach.
Ensuring patient record integrity
The first layer of defense against cybersecurity threats is patient identity management to ensure the integrity of patient records. Some hospital executives mistakenly fail to acknowledge the link between disparate, mismatched patient records and security breaches. As various healthcare organizations share medical records and mergers and acquisitions bring data together, uncertainty around the accuracy and completeness of patient data increases substantially. It’s difficult to protect the data when the data itself is questionable. Partial records also compromise treatment decisions and threaten patient trust in the system.
By cleansing the data and organizing it so each patient has a single, comprehensive record, healthcare organizations are better able to match that record to the right patient. This, alone, alleviates certain fraud risks as fraudsters have become adept at creating full and convincing identities to bypass many existing verification methods. To further secure true patient identity, organizations can use an MFA framework that considers digital identity assessment, identity verification, and analysis of fraud risk.
Implementing multifactor authentication
Utilizing available industry frameworks—such as NIST—healthcare providers can establish a comprehensive defense system with layered controls and planned defenses against various attacks. MFA options include a combination of one-time passwords, email verification, facial recognition, device analytics, phone verification and more, used in the appropriate combinations and at the appropriate access points into a system, to authenticate users based on the criticality of transactions.
Security strategies seek to accurately differentiate legitimate users from bad actors without introducing unnecessary friction for those with a right to gain access. It’s key to consider the criticality so the tools implemented match the risk level of the data: the more sensitive the request, the more stringent the authentication technique. To encourage patient engagement, step-up authentication should be used so that low-friction authentication tools can be placed at the beginning of a workflow, and higher-friction options can be layered in if any of the earlier options uncover suspicious results. This type of MFA solution enables providers to see beyond who a user claims to be and accurately detect and block fraudulent actions like account takeover attacks and fraudulent HSA payments or transfers.
Furthermore, by integrating behind-the-scenes tools using data analytics, security experts can understand genuine user behavior on devices. Comprehensive solutions that identify complex patterns and detect anomalies between current and historical device behavior will alert organizations to potential “red flags” to prevent fraudulent access, payments or transfers.
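As an added illustration of the step-up authentication and device-analytics logic described in the two paragraphs above (example code written for this article, not LexisNexis or the author's own), the following policy engine assumes constructed criticality tiers, challenge names and session signals; a real deployment would draw these from its own risk assessment.

```python
from dataclasses import dataclass

# Constructed criticality tiers per portal transaction (1 = routine, 3 = money or identity).
CRITICALITY = {
    "view_appointments": 1,
    "view_test_results": 2,
    "request_refill": 2,
    "change_contact_email": 3,  # common account-takeover precursor
    "hsa_payment": 3,
}

# Explicit challenges ordered from lowest to highest user friction (assumed names).
CHALLENGES = ["email_otp", "phone_otp", "facial_recognition"]


@dataclass
class Session:
    """Passive device-analytics signals gathered silently after the password step."""
    known_device: bool    # device fingerprint matches this patient's history
    usual_location: bool  # sign-in location consistent with historical behaviour
    failed_logins: int    # recent failed attempts against this account


def device_risk(s: Session) -> int:
    """Behind-the-scenes scoring: each anomaly versus historical behaviour adds one point."""
    return int(not s.known_device) + int(not s.usual_location) + int(s.failed_logins >= 3)


def decide(action: str, s: Session) -> dict:
    """Step-up policy: routine, low-risk requests stay frictionless; each point of
    criticality or device risk layers in the next, stronger challenge; a request whose
    risk exceeds what the strongest challenge can justify is blocked for fraud review."""
    score = (CRITICALITY[action] - 1) + device_risk(s)
    if score > len(CHALLENGES):
        return {"decision": "block", "challenges": [], "score": score}
    return {"decision": "allow", "challenges": CHALLENGES[:score], "score": score}


if __name__ == "__main__":
    trusted = Session(known_device=True, usual_location=True, failed_logins=0)
    suspect = Session(known_device=False, usual_location=False, failed_logins=4)
    print(decide("view_appointments", trusted))  # allow, no extra challenge
    print(decide("hsa_payment", trusted))        # allow, email_otp + phone_otp
    print(decide("hsa_payment", suspect))        # block for review
```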
Building an effective MFA solution framework requires a thorough analysis of health system data needs and insights. With an understanding of risk levels for each data transaction, decision makers can balance safety and engagement for physicians and patients alike. A proactive, multi-layered approach to health system cybersecurity addresses vulnerabilities to ensure a safe and compliant care delivery environment without deterring patients.
It’s important to remember that the responsibility for healthcare cybersecurity does not fall solely on the shoulders of the IT department. To maintain the safety and privacy of data, managers need to look beyond the information systems that support operations. An organization that creates a culture of security across all departments does so with practicality and vision, aligning it with its mission of providing safe, high-quality care to all patients.
About the author: Erin Benson is the senior director of market planning for LexisNexis Risk Solutions, Health Care.