When CMS (the federal Centers for Medicare and Medicaid Services) released its proposed meaningful use (MU) Stage 2 requirements last February, it threw hospitals two curve balls. It called for them to provide more than 50 percent of patients the ability to view, download, and transmit their health information within 36 hours of discharge from the inpatient or emergency departments. It also mandated that more than 10 percent of patients must actually view, download, and transmit information.
In order to comply with the increased requirements, most of my clients plan to make the required information available through patient portals. While there’s nothing wrong with this approach, I’m troubled that hospitals are more intent on hammering out operational details, such as whether to build or buy a portal, how to register patients for it, and what information to provide and how to display it, than they are in hammering out how they will protect this invaluable data. Oftentimes, aggressive protection of patient data is the afterthought, and this can simply no longer be the case. Providers should focus on security from the onset in building the portal around it instead of rolling out a portal and stacking security on top of it. Why? Their data will be significantly less vulnerable to hackers and breaches, and patients will be better protected against potential identity theft and medical and financial fraud.
As hospitals move to make protected health information (PHI) accessible through portals, smartphone apps, personal health records (PHRs), e-registration, and other online tools, the security risks automatically increase, and it only takes one compromise to lose public trust. Before launching headfirst into patient engagement plans, providers can heed three areas to combat unauthorized access: identity management, access control and authentication. In short, how do you know that the patient is the person he or she says they are?
One effective solution is to employ multi-factor authentication, a form of access control that entails three identity verification factors that make systems harder to compromise:
- Something the patient knows (e.g., password, ID number)
- Something the user has (e.g., SSL certificate, token on patient’s PC)
- Something the user is (e.g., biometric characteristic such as a fingerprint or iris)
Multi-factor authentication also reduces the risk of fraud by a patient’s family member or acquaintance by making it less likely that those people will know enough information to gain access to sensitive data they can misuse.
Online banking fraud is commonly committed by victims’ family members. With that in mind, I strongly recommend that hospitals refrain from using Social Security and medical record numbers as identifiers or including those digits in patient bills. If you’re going to use a number, it’s wiser and safer to assign or ask patients to create a unique numerical identifier instead of using their social security number.
In addition to identity management, providers must incorporate the increased use of mobile devices into their security planning. In the past, patients would have accessed their information via either a home PC or laptop. Now, however, people are increasingly downloading data through smart phones and tablets, raising a different set of security challenges and risks.
Lastly, hospitals should take into account the location of where the patient will be accessing the information. Restricting access only to domestic IP addresses can often deter cyber-crime from hackers based overseas, but be careful not to block patients who could be accessing overseas, for example, military men and women, would be locked out.
The bottom line is that the Department of Health and Human Services, payers and other stakeholders will continue to push for patient engagement because engaged, empowered and informed patients will lead to improved and cost-effective outcomes. Hospitals that start making security a top strategic priority will be better prepared for Stage 2 patient engagement requirements and beyond while laying the groundwork for gaining a competitive edge on PHI protection.
Eric Mueller has 20 years of diversified experience spanning IT strategic planning and execution, revenue cycle optimization, security and compliance, new product and technology launch, organizational design and re-structuring, P&L management, and mergers and acquisitions.
Prior to joining WPC, Mueller served as CEO to a privately-held healthcare services and technology provider of revenue cycle technology where he grew revenue by 65 percent and increased sales significantly.