Guarding the Portal: Data Security Needs Rise With Patient Access

From:  iHealthBeat

by John Moore

Health care providers, already grappling with information security, could see  their responsibilities expand as demand grows for patient data access.

Federal policies require physicians and hospitals to make health care data  available to patients. And with the increasing use of electronic health records,  that handoff increasingly will take place online. A certain degree of electronic  access already is required under Stage 1 of the federal government’s  meaningful use EHR incentive program; that impetus will expand under Stage  2.

Industry executives expect that much of the patient data dissemination will  take place through Web-based portals. For many health care providers, this will  represent new ground. Hospital and medical practice websites traditionally have  been informational, rather than access-oriented. Providers, accordingly, will  need to step up their information security and privacy measures.

Jared Rhoads — senior research specialist at the CSC Global Institute for  Emerging Healthcare Practices — said some health care facilities have been  providing patient data access and attending to the associated security issues  for some time. But those providers represent the exception, not the rule.

“Certainly, the vast majority of people have not plunged into [patient data  access], so it is new for them,” he said. “Now, with all the new meaningful use  measures, that is absolutely going to blow this wide open and make this  something that everyone is going to be concerned about.”

A Call for Access

In August, CMS published the final rule governing Stage 2 of the meaningful  use program, which goes into effect in 2014. Stage 1 criteria call for  physicians and hospitals to provide patients an “electronic copy of their health  information.” Stage 2 changes that language. Physicians must provide patients  with the means to “view online, download and transmit their health information.”  Hospitals must offer the same service to patients regarding hospital  admissions.

The government’s escalating demand for patients’ access to health data can be  seen in other policy statements as well.

HHS’ Office for Civil Rights in May issued a memo underscoring patient’s right to information  and encouraging consumers to obtain a copy of their health record — whether  paper or electronic. That message reiterates language in the HITECH Act of 2009,  which gives patients the right to request health data in an electronic format if  the provider is equipped with an EHR.

The access directives appear to be pushing health care providers toward  portals as the mechanism for allowing patients to view and download their health  data.

Mac McMillan — CEO of CynergisTek, a health care IT security firm — said a  number of health systems already have established patient portals, pivoting off  their EHR systems.

“I think patients are going to embrace the ability to go online and set up  their appointments and get their meds and check their test results and  communicate with their doctors,” he said.

But the portal push comes with a privacy and security burden.

“A patient portal, by its nature, has to accept a connection from the public  on the open Internet and that brings you into the realm of Web security,” Sadik  Al-Abdulla, senior manager with CDW’s security practice, said, adding, “It is  the exact same threat landscape that major retailers face, that government  agencies face.”

Securing the Portal

McMillan suggested three core elements for portal security.

  • User Authentication — “If you are going to provide good access control,  there has to be a way on the portal for patients to authorize uniquely to the  portal, such that they are only looking at their own information and not  somebody else’s,” McMillan explained.
  • Secure Transport — A portal that allows users to download information must  provide a secure, encrypted connection between patient and portal. This is often  accomplished through a virtual private network (VPN) or a gateway that’s part of  the provider’s network.
  • Auditing and Integrity Control — Providers need to be able to audit what a  user has done with the information obtained through a portal — what they have  looked at and what they have changed. If a patient is able to enter or alter his  or her health data, integrity control provides a way to verify the information.  The EHR linked to the portal retains a patient’s previous data so they can be  compared with the new data. If a patient with a penicillin allergy inadvertently  changes the health record to indicate no such allergy, the system can flag the  problem.

“Integrity is one of the biggest issues when you start allowing greater  access to the information,” McMillan said. “You need to have a way to absolutely  verify changes so they don’t create health issues.”

Rhoads, meanwhile, cited network scanning and monitoring as a key portal  security measure. The idea is to scan for suspicious activity, such as a series  of unsuccessful logins at an odd hour from an IP address outside of the country.

Privacy, Security and Responsibility

Some health care facilities — academic medical centers, for example — might  develop their own portals and must assume responsibility for building in privacy  and security controls. But many health care providers will turn to vendors for  help in deploying portals. EHR vendors often include portal technology as part  of their systems.

For a health care provider invested in an EHR system, “it becomes a pretty  natural add-on to stick with the same vendor for the portal part,” Rhoads said.

Third-party health care portal vendors also are an option. In both cases,  product vendors should provide the fundamentals of security — authentication,  auditing and integrity checking — within their portal products.

“The portal should have all of those features encoded in the system itself,”  McMillan said.

The secure transport component may be part of the portal or provided  separately, via VPN, for example.

Physician practices in northern New York are beginning to deploy portals  through their EHR systems.

Corey Zeigler — health IT program manager at the Fort Drum Regional Health  Planning Organization — said the portal use is part of a project to get  practices in a three-county area up to speed on EHRs and connected to a regional  health information exchange. He said about 95% of the primary care providers in  the area are participating.

Security, Zeigler noted, is baked into the vendor-provided portals, including  website encryption.

Health care providers aren’t entirely off the security hook when they  purchase a vendor’s product, however. Al-Abdulla commended EHR vendors for  bundling security, but that posture only holds for the initial deployment.  Hospitals should conduct periodic security assessments and architecture reviews,  since the threat landscape and attack vectors constantly change, he said.

Patients have responsibilities as well. The general consensus among industry  executives is that the hospital and its business partners are responsible for  adequate user authentication, secure data storage and secure data transmission.  However, once the data arrive on the patient’s computing device, the security  job shifts to the user.

“It’s the patients’ responsibility to make sure they don’t upload it to a  blog or broadcast it to the world,” Rhoads said.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published.

Please Answer: *