The introduction of electronic health records (EHRs) has changed medical practice forever. Thanks to the Health Information Portability and Accountability Act (HIPAA) and other government regulations, patients have been granted access to their medical records at the same time that new security measures have been mandated to protect patient privacy. Changes in healthcare regulations and health insurance, especially with the passage of the Affordable Care Act, have given consumers more incentive to advocate for their own healthcare and treatment, including increased online interaction with doctors, clinics and hospitals.
This has created a conundrum for healthcare providers: How do they support patient interaction and still ensure that interaction and patient records remain secured? Solution providers who have the right expertise in designing and maintaining secure enterprise infrastructures can help them create secure systems to support patient communications.
The telemedicine industry, including online patient interaction, is expected to grow from $14.2 billion in 2012 at a compound annual growth rate of 18.5 percent through 2018. At the same time, patient records are becoming more attractive targets for cybercriminals. The FBI reports that healthcare fraud costs anywhere from $74 billion to $247 billion per year in the United States. IDC Health Insights reports that one in three medical records are likely to be compromised, because medical records are five to 50 times more valuable on the black market. Where a stolen credit-card authentication or PIN has limited value, stolen medical records reveal sensitive personal information such as Social Security numbers and birth dates and can be used for Medicare fraud or to steal prescription drugs.
At the same time, the Cisco Customer Experience Report revealed that 74 percent of patients are open to virtual doctor’s visits. Four out of 10 consumers surveyed said they want to receive health updates through their mobile devices, including information about referrals and medications. Twenty-five percent said they use their mobile devices for disease management and for health-related reminders. Seventy-six percent of patients also said they prefer virtual medical access to human interaction, because it saves time.
So what strategies can solution providers bring to healthcare providers in order to secure patient records while still encouraging patients to manage their own care online?
Start with Enterprise Monitoring
Securing the enterprise needs to be the first priority. User authentication and sophisticated security management tools and procedures can provide a first line of defense.
Protection has to go beyond firewalls and anti-malware software. For example, 40 percent of healthcare system hacks occur at the application layer. That’s why more hospitals and care facilities are using penetration testing to isolate weaknesses in source code, legacy applications, and mobile and Web applications. They also are using more application-scanning tools to look for credible threats in real time and minimize false positives.
Big data applications also are increasingly making their way into healthcare security. Using real-time analytics, big data applications can identify traffic anomalies that fit various attack profiles or hacks and automatically take action, such as isolating a server, rerouting data traffic or closing a session to prevent data theft.
These types of tools running behind the scenes protect EHRs while enabling protected patient interaction.
The Proliferation of Mobile Access to EHRs
Mobile technology is thriving in care facilities, as well as among consumers. Doctors and nurses now use tablets and handheld devices in order to access patient records while on rounds, making entries to patient records in real time. The same technology that delivers EHRs to mobile devices in hospitals can deliver the same records to consulting physicians at other practices, pharmacists, doctors outside the office and patients on the go.
Research shows that nine out of 10 people in the healthcare industry use their own mobile devices for work, and 40 percent are not password-protected. Clearly, BYOD has to be part of the security strategy, as well as mobile device management, so mobile devices can be disabled or wiped if they are lost or stolen.
And the data itself needs to be protected. In addition to system authentication and secure data access, data should be encrypted for added protection, so if a hacker intercepts Wi-Fi-transmitted data, it is useless for identity theft or cybercrime.
Mobile systems also create new concerns about regulatory compliance. HIPAA violations are expensive and can run into more than a million dollars in fines. Security experts can work with health information systems personnel to ensure regulatory compliance, as well as secure data access.
The Problems with Portals
More medical practices are experimenting with patient Web portals to facilitate wellness care, help patients manage appointments and records, and streamline communications with physicians. However, portals are presenting their own share of problems. The first is promoting adoption—you can provide patients with a portal, but you can’t make them use it. There also are concerns about serving patients who don’t have reliable Internet access or older patients who are intimidated by the technology. And then there are issues such as patients relying on online communications for medical emergencies.
The bigger issue with patient portals is data security. Ensuring secure data access requires additional security procedures, such as two-step verification, which creates added complexity and places a greater burden on the patient. And chances are high that the patient will be accessing the portal from an unsecured device or an unsecured location, such as the local Starbucks.
Solution providers with a strong background in enterprise security can assist healthcare providers in navigating the challenges of security and patient interaction. They can aid with decision-making, helping assess solutions such as patient portals or mobile wellness apps for their security risks and viability. They also can present alternative solutions, such as securing EHRs in the cloud or authentication and encryption strategies. The need to provide secure access to electronic medical records is only going to become more acute as the technology evolves, and solution providers who can stay abreast of the latest security practices are bound to promote their own healthy practice.