Securing ePHI in the Age of Digital Health Tools is a three-part blog series that explores how healthcare providers can protect PHI and mitigate healthcare data security risks associated with patient engagement technologies by implementing the right security protocols. Read parts one and two now.
Patient engagement technology is in high demand in the post-pandemic healthcare landscape. While patient engagement solutions are enormously beneficial, it’s important to recognize that public-facing technology comes with significant risks.
Patient engagement solutions serve as an intermediary between the patient and the healthcare organization and therefore require access to source systems containing huge amounts of electronic protected health information (ePHI). But if security protocols are weak, these technologies stop being a secure channel between patients and providers and become potential entry points for attackers hunting for valuable patient data.
Here, we’ll look more deeply at how to ensure that your patient engagement software is keeping PHI safe.
Common Pitfalls in Patient Engagement Technology Security
When choosing a patient engagement software provider, it’s important to keep an eye out for potential weaknesses in the third-party vendor’s security measures that may expose a healthcare organization to unnecessary risk. Here are a few of the most common pitfalls to look out for.
Issues in Development
Basic flaws in the development process, such as not screening for weaknesses during and after development, can place healthcare organizations at risk. Lack of attention to detail, “buggy” software releases, HIPAA compliance issues, and the like can be a sign that the developer is either inexperienced or does not understand the intricacies of developing software for the US healthcare market. The reality is that most vendors outsource some aspect of software development to nearshore and offshore developers, and gaining visibility into a vendor’s development team can be challenging.
Over-Generous Data Access
With ePHI as the end target, organizations should also be alert to patient-facing technologies that require particularly liberal access to sensitive patient data. Grant the vendor only the minimum data access it needs, and place controls on the access it does have.
Unfortunately, poor authentication practices are incredibly common in patient-facing technologies. It’s very common, for example, for patient intake solutions not to require a username and password but simply to authenticate with last name, date of birth, and ZIP code: information that bad actors can easily find online. While this weak authentication might not give a bad actor access to all patient data, unauthorized access in any form, even to a single patient record, can cause a lot of problems for a healthcare organization.
An Inexperienced Team
Patient engagement technology vendors should have an experienced and knowledgeable team that understands security risks and the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Development teams that lack a grounding in HIPAA or do not understand the complex requirements of healthcare cybersecurity can expose their organization to unnecessary risk and may be unable to offer sound advice on compliance and staff training for the safe use of portals and other technologies. This applies to development teams in both the healthcare organization and the health IT vendor.
How to Secure Patient Engagement Software
Train Staff on Cybersecurity
Good cybersecurity practices aren’t just for developers. They’re also for the staff who will be using this technology on a daily basis. For this reason, staff should be educated on how phishing attempts work and be issued with clear instructions not to share their login credentials. They should also be made aware of common cybersecurity threats, the latest security tips, and best practices.
A mistake that’s often made with cybersecurity training is that organizations assume that staff training is a one-off event, rather than a continuous process. An experienced patient engagement vendor will advise organizations to go beyond the bare minimum required by HIPAA by keeping their staff informed with regular training and continuous testing of their cybersecurity knowledge. One example of this is to conduct regular test phishing attempts with staff members to see if they’ll give up logins via email or in a web form.
Require Secure Logins and Authentication
In an ideal world, login credentials would never be compromised. But in the event that they are, it’s important that portals and other patient engagement technologies have strong security measures in place. The most important of these is multi-factor authentication (MFA), which involves confirming an attempted login on a trusted device or through biometric authentication, such as face and fingerprint ID.
Tools like CAPTCHA can also be implemented to ensure that a human, rather than a bot, is attempting to log in to an account.
Organizations should also be on the lookout for red flags in their patient-facing technology security, such as authentication without a login. It’s quite common for patient engagement tool providers to “authenticate” users who have just signed up via an email link or by asking them to input details, such as their name or date of birth, that can be easily found by browsing their public social network profiles, for example. These insecure methods of authentication should be avoided at all costs.
Implement Source-Data API Controls
Since bad actors who compromise third-party technologies are often attempting to access valuable data from source systems, it’s vital to keep an eye on who’s trying to access this data. Good healthcare app security and patient portal security involve continuous monitoring for suspicious activity. Ideally, this means that patient-facing technology should incorporate login monitoring, device intelligence, and flagging suspicious activity when it arises. Access should then be shut down after several failed login attempts or out-of-the-ordinary behavior.
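The login monitoring described above, as an added example rather than Bridge’s own code: it replays constructed login events for a patient portal, shuts an account down after repeated failures inside a short window, keeps it shut, and flags a successful login from a device the account has not used before. The lockout threshold, event fields and known-device list are assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                        # assumed policy: lock after 5 failures
FAILURE_WINDOW = timedelta(minutes=15)  # ...within a 15-minute window
# Constructed sample login events: (timestamp, account, outcome, device_id).
EVENTS = [
    ("2024-03-01T09:00:00", "pat-1001", "fail", "dev-X"),
    ("2024-03-01T09:01:00", "pat-1001", "fail", "dev-X"),
    ("2024-03-01T09:02:00", "pat-1001", "fail", "dev-X"),
    ("2024-03-01T09:03:00", "pat-1001", "fail", "dev-X"),
    ("2024-03-01T09:04:00", "pat-1001", "fail", "dev-X"),
    ("2024-03-01T09:05:00", "pat-1001", "success", "dev-X"),
    ("2024-03-01T09:10:00", "pat-2002", "fail", "dev-B"),
    ("2024-03-01T09:11:00", "pat-2002", "success", "dev-B"),
    ("2024-03-01T10:00:00", "pat-2002", "success", "dev-C"),
    ("2024-03-01T11:00:00", "pat-3003", "fail", "dev-D"),
    ("2024-03-01T11:20:00", "pat-3003", "fail", "dev-D"),
]
KNOWN_DEVICES = {"pat-1001": {"dev-A"}, "pat-2002": {"dev-B"}}  # constructed

def analyze(events, known_devices):
    """Replay events in order; return (locked accounts, list of alerts)."""
    recent_failures = defaultdict(deque)  # account -> failure timestamps in window
    seen = {acct: set(devs) for acct, devs in known_devices.items()}
    locked, alerts = set(), []
    for ts_str, acct, outcome, device in events:
        ts = datetime.fromisoformat(ts_str)
        if acct in locked:  # access stays shut until an out-of-band reset
            alerts.append((ts_str, acct, "attempt while locked"))
            continue
        window = recent_failures[acct]
        while window and ts - window[0] > FAILURE_WINDOW:
            window.popleft()  # drop failures that aged out of the window
        if outcome == "fail":
            window.append(ts)
            if len(window) >= MAX_FAILURES:
                locked.add(acct)
                alerts.append((ts_str, acct, "locked: too many failed logins"))
        else:
            window.clear()
            if device not in seen.setdefault(acct, set()):
                alerts.append((ts_str, acct, f"success from unknown device {device}"))
                seen[acct].add(device)  # a real system would verify before trusting it
    return locked, alerts

def run_demo():
    return analyze(EVENTS, KNOWN_DEVICES)
```

The spaced-out failures for pat-3003 never accumulate because they age out of the window, which is the behaviour that keeps a legitimate patient with a forgotten password from being locked out by a handful of slow retries.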
Only Communicate through HIPAA-Compliant Mediums
Since sensitive patient data is often shared in communications between patients and healthcare professionals, any secure patient engagement tool should use HIPAA-compliant communication mediums. Email is not a secure medium, which means that any HIPAA-compliant patient portal or app should use secure instant messaging behind a login instead. Exceptions can be made for SMS-based communication, though it’s still advisable to put all communication behind a login.
Since the COVID-19 pandemic, rules around using video conferencing technology for healthcare have been relaxed slightly. Nevertheless, it’s still vital that all these tools use end-to-end encryption to ensure that PHI is not compromised, and that sessions are secured so that uninvited attendees can’t join, an intrusion known as “Zoombombing.”
Evaluate Vendors’ Quality Assurance and Development Processes
As a recent investigation by cybersecurity expert Alissa Knight revealed, data-aggregating APIs are a common weak point in healthcare security that can be easily exploited by cybercriminals. When working with a third-party provider, it’s important to consider their development and quality assurance process.
In healthcare, data aggregators often pull data from a patient’s medical record to be repackaged and shown to the patient within an app or portal. For this reason, it’s important that medical record verification – ensuring that the right record is being shown to the right patient – is a feature of any such aggregator.
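Record verification in an aggregator, as an added example that is neither Bridge’s code nor drawn from the investigation cited above: the weak lookup beside the hardened one, where ownership is checked against the patient identity established at login rather than against anything the client supplies. The records, function names and error type are constructed for the demonstration.

```python
# Constructed stand-in for a source system: record id -> (owning patient, content).
RECORDS = {
    "rec-1": ("pat-1001", "A1c result: 6.1%"),
    "rec-2": ("pat-2002", "MRI report: no acute findings"),
    "rec-3": ("pat-1001", "Visit summary: annual physical"),
}

class AccessDenied(Exception):
    """Raised when a record does not belong to the authenticated patient."""

def fetch_record_unverified(record_id):
    """Weak form: trusts the record id from the request, so any logged-in
    patient who supplies another patient's record id is shown that record."""
    return RECORDS[record_id][1]

def fetch_record_verified(session_patient_id, record_id):
    """Hardened form: the owner stored with the data must match the patient
    identity established at login; the client never supplies the patient id."""
    owner, content = RECORDS.get(record_id, (None, None))
    if owner is None or owner != session_patient_id:
        # One error for both "missing" and "not yours" so ids reveal nothing.
        raise AccessDenied(f"record {record_id} is not available to this patient")
    return content

def build_patient_view(session_patient_id):
    """Assemble the aggregated view by filtering on ownership rather than by
    trusting ids, then re-check every item before it leaves the aggregator."""
    view = {rid: content for rid, (owner, content) in RECORDS.items()
            if owner == session_patient_id}
    for rid in view:  # defence in depth: verify again at the boundary
        if RECORDS[rid][0] != session_patient_id:
            raise AccessDenied(f"record {rid} failed ownership verification")
    return view

def is_denied(session_patient_id, record_id):
    """Helper for checks: True if the verified fetch refuses the request."""
    try:
        fetch_record_verified(session_patient_id, record_id)
    except AccessDenied:
        return True
    return False
```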
Opt for a Vetted, Modern, and Up-to-Date Technology
Vulnerabilities can be found even in the best-designed technology. It’s therefore important to use a technology that is vetted by a large community and has a sound security process that releases updates regularly.
At Bridge, we have an unwavering commitment to the strongest compliance and security standards in the industry. Our certified patient engagement software leverages the most up-to-date cybersecurity features – from secure cloud-hosting and HIPAA-compliant messaging to login monitoring and MFA – to give you and your patients peace of mind. As a single patient engagement platform, we help healthcare organizations better manage and secure patient data while mitigating risk. Contact us today to learn more.