Providers place inordinate trust in patient identity practices
Healthcare providers may be placing too much trust in cybersecurity practices that are not sophisticated enough to deter determined attackers.
That is the finding of a survey of 100 participants from healthcare organizations, which found a gap between how prepared providers believe they are and the controls they actually have in place.
The research, by vendor LexisNexis Risk Solutions, found that providers express high confidence in their cybersecurity preparedness even though most rely on only basic user authentication, at a time of increasing patient identity theft and fraud.
For example, nearly 60 percent of respondents believe the security of their patient portal is above average or superior compared with other portals. Yet 93 percent of organizations authenticate portal users with a simple username and password.
Only 65 percent use multifactor authentication, and just 13 percent use device identification software. More than two-thirds expect their budget for patient identity management will not increase this year.
Erin Benson, director of market planning at the company, is surprised at the confidence many provider respondents express in their portal and telemedicine platforms, particularly because so many of them are not using stronger authentication software.
“Multifactor authentication is considered a baseline recommendation for cybersecurity guidelines,” she notes. “Every access point should have several layers of defense in case one of them doesn’t catch an instance of fraud. At the same time, the security framework should have low-friction options upfront to maintain ease of access by legitimate users.”
In its report, LexisNexis emphasizes three core cybersecurity cautions:
- Traditional authentication methods are insufficient. After so many healthcare data breaches, attackers already hold large numbers of legitimate credentials and can easily phish for more, so a username and password check should be treated as an entry point, not a barrier.
- Multifactor authentication should be considered a baseline best practice, supplemented with a range of controls, from knowledge-based questions and verified one-time passwords to device analytics and biometrics, applied according to the risk of the transaction. The riskier the access request, the more stringent the authentication should be.
- Providers must balance user experience against data protection. An effective strategy layers low- to no-friction identity checks upfront, so legitimate users pass through easily, and reserves the more friction-producing checks for the back end, where only users flagged as suspicious must complete them.
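The three cautions above describe one mechanism: risk-based step-up authentication, in which passive signals (device recognition, geolocation, a breached-password lookup) are scored on every request and stronger factors are demanded only when the score justifies it. The following is an added illustration of that policy, not code from LexisNexis or the survey; the profile and request schemas, the action sensitivities and the thresholds are constructed assumptions chosen to make the behaviour visible.

```python
"""Risk-based step-up authentication for a patient portal.

Added illustration (not LexisNexis code): passive, low-friction signals such as
device recognition and geolocation are evaluated on every login; stronger,
friction-producing checks (one-time password, knowledge-based questions or
biometrics) are demanded only when the accumulated risk of the request warrants it.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Assurance(IntEnum):
    """Authentication strength the portal will demand before serving the request."""
    PASSWORD = 1             # username + password plus passive device/geo analytics only
    PASSWORD_OTP = 2         # step-up: verified one-time password to a registered channel
    PASSWORD_OTP_STRONG = 3  # second step-up: OTP plus knowledge-based questions or biometric


@dataclass(frozen=True)
class UserProfile:
    """What the portal already knows about the patient (hypothetical schema)."""
    username: str
    known_devices: FrozenSet[str]   # device-identification fingerprints seen before
    home_country: str
    failed_logins_last_hour: int = 0


@dataclass(frozen=True)
class AccessRequest:
    """One request as seen by the policy engine (hypothetical schema)."""
    username: str
    device_id: str
    ip_country: str
    action: str
    password_in_breach_corpus: bool = False  # result of a breached-password lookup


# Inherent sensitivity of the action, independent of who asks (constructed values).
ACTION_RISK = {
    "view_appointments": 0,
    "view_records": 2,
    "download_records": 3,
    "change_address": 3,
    "change_email": 4,
}
UNKNOWN_ACTION_RISK = 4  # fail closed: an action the policy does not know is treated as sensitive

# Thresholds mapping a score to an assurance level (constructed values).
OTP_THRESHOLD = 3
STRONG_THRESHOLD = 6


def risk_score(req: AccessRequest, profile: UserProfile) -> Tuple[int, List[str]]:
    """Sum the passive risk signals; return the score and the reasons it was raised."""
    score = 0
    reasons: List[str] = []
    if req.device_id not in profile.known_devices:
        score += 2
        reasons.append("unrecognised device")
    if req.ip_country != profile.home_country:
        score += 2
        reasons.append("login from unexpected country")
    if profile.failed_logins_last_hour >= 3:
        score += 2
        reasons.append("recent failed logins on account")
    if req.password_in_breach_corpus:
        # A leaked password is an entry point for an attacker, not a barrier,
        # so on its own it is enough to force a step-up.
        score += OTP_THRESHOLD
        reasons.append("password appears in breach corpus")
    action_risk = ACTION_RISK.get(req.action, UNKNOWN_ACTION_RISK)
    score += action_risk
    if action_risk > 0:
        reasons.append(f"sensitive action: {req.action}")
    return score, reasons


def required_assurance(score: int) -> Assurance:
    """The riskier the request, the more stringent the authentication it must pass."""
    if score >= STRONG_THRESHOLD:
        return Assurance.PASSWORD_OTP_STRONG
    if score >= OTP_THRESHOLD:
        return Assurance.PASSWORD_OTP
    return Assurance.PASSWORD


def decide(req: AccessRequest, profile: UserProfile) -> Tuple[Assurance, List[str]]:
    """Policy entry point: which factors to demand, and why (for the audit log)."""
    score, reasons = risk_score(req, profile)
    return required_assurance(score), reasons


if __name__ == "__main__":
    # Constructed sample profile and requests.
    alice = UserProfile("alice", frozenset({"dev-a1"}), "US")
    routine = AccessRequest("alice", "dev-a1", "US", "view_appointments")
    new_device = AccessRequest("alice", "dev-zz", "US", "view_records")
    takeover = AccessRequest("alice", "dev-zz", "RO", "change_email", password_in_breach_corpus=True)
    for r in (routine, new_device, takeover):
        level, why = decide(r, alice)
        print(f"{r.action:18} -> {level.name:20} {'; '.join(why) or 'no risk signals'}")
```

The returning patient on a recognised device in the expected country sees only the password prompt, which is the low-friction front end; a new device asking for clinical records triggers a one-time password; a new device in an unexpected country using a password known to be breached and trying to change the account e-mail is pushed to the strongest step-up. Unknown actions default to a high sensitivity so that a policy gap fails closed rather than open, and the returned reasons are what an operations team would want in the authentication log when investigating a flagged session.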