Co-author: Valerie Jackson

While healthcare organizations are embracing new technologies such as patient portals, a recent report shows that organizations’ cybersecurity measures for these technologies are behind the times. A patient portal is a secure online website that allows patients to access their Electronic Health Record from any device with an Internet connection. Many patient portals also allow patients to request prescription refills, schedule appointments, and securely message providers. With this increased access for patients comes the risk that someone other than the patient will gain unauthorized access to the portal, and to the patient’s electronic protected health information (ePHI).

2019 has seen record numbers of patient records being breached. Halfway through 2019, around 25 million patient records have been breached, eclipsing the number of patient records breached in all of 2018 by over 66%. In this environment where hackers find patient records a valuable commodity on the black market, healthcare organizations are must balance patients’ desire for ease of use with the duty to prevent unauthorized access to patient records. To learn more about how healthcare organizations are meeting this challenge, LexisNexis® Risk Solutions in collaboration with the Information Security Media Group conducted a survey in spring 2019 asking healthcare organizations about their cybersecurity strategies and patient identity management practices. The results of the survey, which included responses from more than 100 healthcare organizations, including hospitals and physician group practices, were recently published in a report, “The State of Patient Identity Management” (the “report”).

The report concluded that healthcare organizations had a high level of confidence in the security of their patient portals, but this confidence may be misplaced based upon the security measures respondents reported they had in place. The vast majority of healthcare organizations reported that they continued to use traditional authentication methods such as username and password (93%), knowledge-based authentication questions and answers (39%), and email verification (38%). Notably, less than two-thirds reported using multifactor authentication. Multifactor authentication verifies a user’s identity in two or more ways, using: something the user knows (passwords, security questions); something the user has (mobile phone, hardware that generates authentication code); and/or something the user does or is (fingerprint, face ID, retina pattern).

While the HIPAA Security Rule does not require multifactor authentication, it does require covered entities and business associates to use security measures that reasonably and appropriately implement the HIPAA Security Rule standards and implementation specifications. Generally, the HIPAA Security Rule requires covered entities and business associates to (1) ensure the confidentiality, integrity, and availability of all ePHI the covered entity or business associate creates, receives, maintains, or transmits, (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required. The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. However, this standard has no implementation specifications. It is also worth mentioning that under the HIPAA Privacy Rule prior to a permissible disclosure, a covered entity must verify the identity of person requesting ePHI and their authority to have access to that ePHI, if either the identity or authority is not known to the covered entity. In addition, the covered entity must obtain “documentation, statements, or representations” from the person requesting the ePHI when such is a condition of the disclosure.

Healthcare organizations are not required to adopt any one cybersecurity framework or authentication method under HIPAA, however increasing cybersecurity and implementing multifactor authentication for access to patient portals certainly helps with compliance under the HIPAA Security Rule. Failure to implement reasonable and appropriate cybersecurity measures could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the HHS Office for Civil Rights. To learn more about how the firm can assist healthcare organizations with HIPAA compliance and data security, please contact your Jackson Lewis attorney.