A Shift in the Wind – Securing Patient Portals

Michael Magrath, March 30, 2016

I thoroughly enjoyed my time at HIMSS16 in Las Vegas. It was great to be back, see old friends and make new ones.

The landscape, as it relates to security, has certainly changed since my first HIMSS Conference in 2008. I recall walking the exhibit hall discussing multi-factor authentication and identity management only to receive blank stares or interesting comments from prospective partners and customers. I heard, “We use usernames and passwords and they work just fine, and for added security we use ‘strong’ passwords.” Knowing what I know, I would just walk away and shake my head, realizing the market wasn’t quite ready for solutions to a problem that few folks had even identified as a problem.

HIPAA, HITECH, EPCS, hackers, the HHS Office for Civil Rights’ “Wall of Shame”, ransomware, medical identity theft, and others have all contributed to converting blank stares into laser-focused attention on security, authentication and identity proofing. For the first time at HIMSS that I recall, EHR vendors, healthcare institutions and patient portal providers visited our booth with genuine concerns and needs to secure access to their patient portals. Knowing who is accessing PHI, be that the patient or a proxy, is critical, and using multi-factor authentication is a genuine need. Our customers are terrified of HIPAA audits and breaches and know full well that their existing approach is severely lacking. The blank stares are gone.

Sure, we have a long way to go before the Office of the National Coordinator for Health Information Technology (ONC) achieves its 2017 goal of reducing identity-theft vulnerabilities by having 65% of health care organizations require more than a username and static password for patient access to patient portals. And by 2020, ONC expects that at least 50% of health care organizations will have implemented identity proofing and authentication best practices.

What are “emerging technologies” anyway? One-time password (OTP) generating tokens have been around for years. VASCO has deployed over 200 million tokens worldwide. The technology is secure, easy to use, and deployed throughout the world. It may not be emerging, but for a password-laden industry like healthcare, an OTP token is certainly “new and emerging”.

Tokens too retro? Biometrics more exciting? More James Bond-like? Fingerprints, especially as handset manufacturers shore up security, will become more and more prevalent in healthcare, especially for us patients to access our own health information stored in portals and health record banks. Speaking of handsets, voice and facial recognition will also gain traction. Smartphones are multi-factor authentication devices capable of storing apps to generate OTPs. They are equipped with a high-quality camera capable of capturing facial images and video, and microphones to leverage voice recognition technology. The practical point for a portal operator is that the fingerprint or face match happens on the handset and unlocks a credential stored there; the biometric itself never has to be sent to, or stored by, the portal. Banking has utilized these devices to enhance security and improve our experience, and healthcare is the next likely target for secure and user-friendly multi-factor authentication.

Being a patient with my electronic records dispersed throughout the system, it is reassuring to know that securing my information is finally garnering the attention of the industry.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).