Why providers must do a better job protecting patient identities
Swift technological advancements often force healthcare decision makers to evaluate competing solutions to determine which is the smartest investment with the strongest potential to maximize return on investment. A key criterion for evaluating a healthcare technology investment is careful analysis of a technology platform’s ability not only to address current problems, but also to adapt.
Take the issue of patient identification in healthcare, for example. Most people believe this is limited to a hospital or doctor’s office registration desk, with patients providing their demographic information and filling out forms.
However, a quick look across the modern healthcare ecosystem indicates that patient identification along the care continuum has quickly evolved into playing an essential role in safeguarding patient data, providing safe and accurate care delivery, and ensuring high levels of data integrity.
So, what’s changed? Accurate patient identification has become complicated and difficult because of the plethora of new touchpoints now available to patients that enable them to slip in and out of the care continuum without ever setting foot in a physical healthcare facility. Healthcare providers can no longer afford to ignore these new touchpoints by continuing to use antiquated, single user identification security protocols, such as user names and passwords.
For example, the patient portal login process has become an area of opportunity for hackers and a serious medical identity theft risk for providers and patients. Comprehensive data contained in patient portals is particularly lucrative to hackers because health records command a high price on the black market. Keep in mind that the level of data available via patient portals can often include unmasked insurance IDs, unencrypted images of patients’ insurance cards, and prescription histories.
Most patient portals use simple password protection, which is easily captured by hackers, often via key-logging malware, a type of malware that lies dormant on a PC waiting for a patient to log into a patient portal. Relying on this type of single user authentication leaves patient portals vulnerable to breaches and other cyberattacks.
Instead, security experts recommend implementing multi-factor authentication by adding another layer of identity verification, such as biometrics, to help limit access to authorized users. Two-factor authentication is one of the risk management strategies outlined by HHS within the HIPAA Security Rule recommendations.
U.S. states are taking notice too. In her 2016 Data Breach Report, California Department of Justice Attorney General Kamala Harris recommends:
“Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.”
Implementing stricter identification security protocols for patient portal logins makes sense. A Stage 2 Meaningful Use core objective stated that at least 50 percent of patients must have access to an electronic copy of their health record, and 5 percent of patients must have used the capability to access and download their information.
Thus, the patient portal table has been set, but are providers rising to the challenge of adopting stricter patient identification measures? If healthcare providers don’t take patient portal identification security seriously, the risks are greater than those of an in-person visit. Remember, in-person is human-to-human interaction.
An additional factor at play when considering why to implement stricter patient ID security can be defined by studying the behavior of present and future generations. Patients are rapidly evolving into multi-platform healthcare consumers, accessing patient portals and healthcare services via smartphones, laptops, tablets and other smart devices. Consider these statistics:
- Some 77 percent of healthcare consumers now have access to smartphones, and 92 percent of those who are 18 to 29 years old own one.
- Nearly three-quarters of all doctors in the U.S. use their smartphones at work.
- Some 88 percent of nurses use smartphone apps in their daily nursing work.
With the explosion in remote care and the push for patients to consume services outside of brick-and-mortar environments, it becomes evident that any patient identification risk management strategy has to include the ability to authenticate patients beyond physical trips to the hospital or doctor’s office.
Adding to the narrative of establishing accurate patient identification at any point along the care continuum is the push for more widespread interoperability and health information exchange (HIE) among providers.
Consider the impact of one adverse event when a criminal gains access to a patient’s health data. How do that mistake and potential information attributed to the wrong medical record affect all of the actors involved when that record is shared externally through an HIE or network? Multiply that by the number of people who use that information or have access to it, and you start to understand the magnitude of this problem.
I recently asked a C-level executive at a hospital whether establishing accurate patient identification at any point along the care continuum provides her with the confidence that her patient data is clean as they prepare to participate in health information exchanges, and she replied:
“Absolutely. I’ll feel very confident because I know my records are the cleanest. However, I become concerned when I think about the other members of the HIE who haven’t established a secure patient ID protocol to cover accurate authentication anywhere along the care continuum would jump in and muddy the waters with duplicate records and overlays.”
Healthcare providers can no longer afford to view accurate patient identification in the context of in-person visits only, and must consider adopting versatile technology that can protect patient identities no matter where they attempt to gain access to services or data.
Understanding the new reality of establishing accurate patient identification is much more than ensuring a patient portal is protected with two-factor authentication technology. What we must understand is that generational evolution is pushing healthcare services outside of traditional venues and into mainstream digital environments. It’s no longer sufficient or responsible to only ensure authentication accuracy during in-person visits.
Patient identification now must be viewed as critical during each and every touchpoint along the care continuum, including emerging ones such as connected health apps, telemedicine, home health, patient portals and more. Provider organizations now must ensure that patient ID and patient data integrity are guaranteed at all touchpoints in the care continuum.