Online patient portals are transforming the relationship between healthcare providers and patients, but some patients are wary of adopting this technology due to security and privacy concerns. How do you ensure your patient’s data is safe and communicate your efforts to your patients?
HIPAA and the HITECH Act provide standards in patient communication and technology, including improved privacy and security measures for healthcare organizations, but these guidelines are not always enough. Secure patient portals are just one way providers communicate with patients; this method has stirred up controversy in the past few years due to security concerns. Keep in mind the responsibility of securing patient portals, protecting electronic protected health information (ePHI), and maintaining compliance falls on your organization. The security of your patient portal requires a multi-layer approach involving your team, technology, policies, and processes.
Let’s review best practices in securing your patient portals, including how your portal hosting provider and your patients play a part.
Part 1: Physical Security of your Data Center
(Responsible Party: Your Hosting or Colocation Provider)
Physical security prevents malicious and unwanted intruders from entering a building using tactics such as electronic access control, camera surveillance, and security alarms. Just as paper records need to be kept under lock and key, the facilities that host your patient portal—and stored electronic health records (ePHI)—need to be protected, too. The HIPAA Security Rule requires specific safeguards for buildings and equipment that store ePHI.
Hosting providers often provide better physical security for data servers than individual providers. Video surveillance, facility and equipment access controls, and security personnel all available 24/7/365 mean that your hosting provider offers physical security at a level that would be both cost and logistically prohibitive for many to implement.
Part 2: Logical Security of Your Sensitive Data
(Responsible Party: You and Your Hosting Provider)
Logical security protects your assets and critical systems by limiting access to only those individuals who truly need it using electronic measures, permissions, and access rules, and network layers. Work with your portal’s hosting provider to determine what configurations allow for high availability, without compromising on security.
Use Limited User Access, Two-Factor Authentication, and Log Management
One way to enhance security and decrease the chances of data theft is to limit administrative access and implement two-factor authentication. The goal for access control is to align a person’s access to information with his or her role within the company—and their permissions should be based on their responsibilities. Two or multi-factor authentication (MFA) adds one or more additional levels of authentication in addition to a password to gain access. If you accept credit card information from patients through your portal, your MFA must meet PCI compliance, too. Log management is required by HIPAA, as is invaluable to monitoring user access to stop malicious activities. Review the logs on a regular basis to ensure compliance with your policies.
Implement Anti-Virus and Malware Protection
A devastating 78% of providers reported facing ransomware and malware attacks in 2017, according to HIMSS Analytics. Data security threats are constantly changing. Running the latest anti-virus and anti-malware programs mitigates and identifies any potential threats that may arise.
Use Proper Data Encryption
The use of 256-bit encryption is not explicitly required within HIPAA guidelines (addressable vs required), but is an important step in avoiding breaches and any fines that go along with it. When an encrypted message is sent, it is readable by authorized persons only by converting the original message or information into encoded text. Look for encryption that protects data both in transit and at rest.
Part 3: Policies and Procedures
(Responsible Party: You, Your Provider, and Your Patients)
It’s a common misconception that technology alone will protect your network and partner portal. There are many of moving parts and people that affect the way your data is managed and transferred. Your staff, your customers, and portal platform providers all play a role in maintaining the confidentiality of the sensitive data on your portal. Developing the proper policies and procedures standardize interactions with sensitive data and mitigate vulnerabilities.
Example Policies Include:
- Patient access policies
- Guest access policies
- Network security policy
- System users and management
- Software security policy
- Remote access policy
- Personal use policies
- Security training
- Medical device policies
- Workflow policies
- Endpoint security policies
- Information logging policies
- Password Policies
The Importance of Training and Education
When it comes to passwords, patients can make or break portal security. “Who better for patient safety than the patients themselves to own that data to help to keep themselves safe? There’s so many things that I have to do during a visit, it’s like a juggling act. And I want the patients involved in that juggling act to help keep them safe,” says Susan Wolver, MD for Patient Engagement HIT.
Similar to online banking, the trick is to educate users on how to protect their login information and create requirements that result in stronger passwords—i.e. through a forced reset every 60 days and the inclusion of special characters. Communicate best practices to patients on the portal entry page, your portal FAQs, or another prevalent location.
All the security measures we’ve discussed thus far are useless if employees don’t follow guidelines and procedures. Accountability and oversight comes from the top down to create a culture of security. All staff members should be trained and consistently updated on security procedures and best practices. Something as simple as clicking on a link in a well-disguised phishing email can compromise your patient portals’ and entire IT system security.
Ease the Burden of Compliance and Security for your Patient Portal
Patient portals offer clear benefits to you and your patients, but if you don’t have the resources or knowledge to effectively protect your patient’s sensitive information, you can be putting your business and your patients at risk. Partner with a hosting provider that specializes in HIPAA compliant hosting layered with managed security solutions to host your portal and help you develop procedures for best in class security. OnRamp offers solutions certified by the Health Information Trust Alliance (HITRUST), which means we’ve been audited to demonstrate our efforts in safeguarding patients’ EHR and ePHI. Contact us to discuss your goals, including how to keep your patient data secure.
Additional Resources on This Topic:
Experts Say Secure Healthcare Communication Should Function Like Email
Patient Portals: Expanding Healthcare Data Access Without Compromising Security
How to Maintain a Secure EHR System