Security vs. Usability
By Julie Knudson
For The Record
Vol. 26 No. 3 P. 22
Portals seek to create rewarding patient experiences without endangering protected data.
Patient portals are rewriting the patient-physician landscape in that never before has access to medical information been so free and yet so guarded. And achieving equilibrium in the new balancing act—security vs. usability—is presenting providers with serious challenges.
Angela Hunsberger, a senior health care consultant on the ambulatory services team with Hayes Management Consulting, says much of the difficulty revolves around addressing multiple perspectives. “Regarding usability and security, patients want advanced technology in dealing with their health care as they do with most areas in their life,” she explains. After years of using smartphones to access nearly every aspect of their lives, patients expect the same technology in health care. “However, when dealing with health care, we require an extra layer of security to safeguard confidential patient data,” she says.
As patients clamor for easy, anywhere access, providers first must focus on security. On the usability side, patients are looking not only for data but also notifications and alerts they can control. Those desires bump up against the provider side of the equation. “Covered entities have got to exercise a lot of control because of HIPAA about how the information is accessed and used,” says Steve Emery, director of product management at Medfusion.
What data are shared and what aren’t? What can patients safely control, and what needs to remain within the provider’s purview? “The portal could have its hands tied a little bit,” Emery notes. And though patients frequently will support the limitations set on a portal when the reasoning is clear, there may be times when users can’t get everything they want. In addition, systemwide protections may appear clunky to individual users, who typically focus only on their own data and not the potential for hackers or other threats to breach the networks of entire entities.
Additional issues come into play with regard to providing portal access for those patients who are younger than 18. “That’s probably our biggest challenge because we are a pediatric organization,” says Dorothy O’Hagan, MA, RHIT, CCS, director of HIM at Rady Children’s Hospital in San Diego. The management of minors’ health information involves more than just the patient; their parents also are part of the discussion. As the patient ages, access levels become more complex. “Once those patients reach the age where reproductive health is an issue, it’s a challenge to balance those federal or state regulations with the parents having access to the information,” O’Hagan says.
At Rady Children’s, proxy access that allows guardians to oversee a child’s medical record through the portal becomes minimal when the patient reaches age 12. “At this age, we offer a very limited view of the patient record,” says Tracy A. Elmer, RHIA, the facility’s director of clinical information systems and biomed. “There is no access to appointment, medication, or growth chart information at this point.” When the patient turns 18, parent proxy access is removed, and only patients can log in to their medical record via the portal.
Does Security Hamper Access?
A handful of potential choke points often are where strict security measures affect a portal’s functionality. The first is getting patients into the system. “In-person registration is likely going to decrease your numbers, which will have an adverse effect on patient engagement and will have an adverse effect on meaningful use numbers,” says Adam Greene, JD, MPH, a partner in the Washington, D.C., law office of Seattle-based Davis Wright Tremaine.
This becomes a particular problem for providers who serve large regional areas and where patients may find it difficult to get to the office for onboarding. “Remote authentication, if done well, can help by allowing patients, especially ones that may live hours away from their health care provider, to see their information before they ever first set foot in the provider’s office,” Greene says, adding that in-person authentication offers much higher security, but the trade-off is reduced access and a potentially significant inconvenience for patients.
Even if one aspect of the portal is easily accessible, engagement may still falter if the rest of the experience is clunky. “In order for enrollment rates to be successful, the process must be quick, easy, and convenient,” Hunsberger says.
However, security bottlenecks often don’t stop at initial registration. Once a patient is logged in, the portal’s design must be focused on the patient’s needs, with tools that encourage him or her to be engaged today and in the future. Simply offering raw data without a meaningful interpretation, or without instructions on what to do should patients have additional questions, is unlikely to keep users coming back to the portal.
Another limiting factor can be the type of technology used and accepted by the portal itself. Can registration or access to the portal be accomplished only through a PC-based browser? That may be bad news for patients using smartphones or tablets. “One of our challenges in activating patients is that a very large segment of our patient population is of a financial demographic that may not necessarily have computers in the home,” Elmer says. “It therefore hampers them being able to access that portal at all.”
Rady Children’s addresses the issue by offering access through the most common operating systems available on smart devices. However, not all providers have taken that step. Implementing the technology necessary to securely support multiple platforms requires not only an initial investment of time and money but also ongoing administration to ensure that security measures are up-to-date on every operating system accepted by the portal.
Doing Authentication Right
Authentication levels for initial registration as well as ongoing access vary from portal to portal. When onboarding patients, some providers require that the process be initiated, and occasionally completed, in-person at the office. While this limits the potential of an unauthorized user being granted access to the portal, it can prove problematic for patients who aren’t nearby or for whom transportation issues make visits difficult.
Providers who allow remote registration may choose to do so through an invitation sent directly to the patient’s confirmed e-mail address (provided while in-office). This enables a security layer to help bridge the gap between in-person onboarding and publicly accessible Web signups. “The big deal is getting the right person connected to the account in the first place,” Emery says.
An e-mail invitation typically contains a unique link that connects directly to patient accounts and activates portal access. “I think that invitation process is critical,” says Emery, who believes many practices, mindful of data security concerns, aren’t comfortable with a less individual approach.
Even if the signup process is open to the public, Hunsberger says there still are opportunities to leverage security measures that limit access to individual patient accounts. “As I was implementing several portals, I actually registered myself on a lot of different online portals just to see that process and the different layers of security,” she says.
Where unauthorized users begin to see roadblocks is when they attempt to move beyond the initial login and actually register to view protected data. “Typically, you’re initially exposed to limited basic information when you first create a portal account. The second step usually requires you to verify your identity before you have access to advanced features inside the portal,” Hunsberger explains. This two-factor authentication, which is the gold standard for portal access (at least during the activation stage), may come in the form of a previously determined challenge question or by entering a unique code or one-time-use password given to the patient by the provider.
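The invitation link and second-step code described above, sketched as an added example (it is not code from any portal or vendor named in this article). `InviteStore`, the 72-hour link lifetime and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

INVITE_TTL = 72 * 3600   # assumed link lifetime in seconds
MAX_ATTEMPTS = 5         # assumed wrong-code limit before the invite is locked
SERVER_KEY = secrets.token_bytes(32)  # demo only; load from a secrets store in practice


def _mac(value: str) -> bytes:
    """Keyed digest: the table alone, without the server key, yields no usable token or code."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()


class InviteStore:
    """In-memory stand-in for a portal's invitation table (hypothetical)."""

    def __init__(self):
        self._invites = {}  # MAC(token) -> invitation record

    def issue(self, patient_id, email, now=None):
        """Create an invite: the token goes in the e-mailed link, the code is handed over in office."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # unguessable link component
        code = f"{secrets.randbelow(10**6):06d}"     # one-time activation code
        self._invites[_mac(token)] = {
            "patient_id": patient_id, "email": email, "expires": now + INVITE_TTL,
            "code_mac": _mac(code), "attempts": 0, "used": False,
        }
        return token, code

    def activate(self, token, code, now=None):
        """Return the patient_id to bind the new login to, or None if refused."""
        now = time.time() if now is None else now
        rec = self._invites.get(_mac(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None                              # unknown, replayed or stale link
        if rec["attempts"] >= MAX_ATTEMPTS:
            return None                              # locked: staff must reissue
        if not hmac.compare_digest(rec["code_mac"], _mac(code)):
            rec["attempts"] += 1                     # count the failed guess
            return None
        rec["used"] = True                           # single use: burn the invite
        return rec["patient_id"]
```

Because the link alone never activates an account, a forwarded or intercepted e-mail is not enough, and the attempt counter keeps the six-digit code from being guessed by repetition.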
In some circumstances (eg, contentious divorce cases), the need may arise to provide extra protection to a particular patient’s portal account. Because ex-spouses, parents, and even children are likely to know the answers to all the standard questions (birthdays, first pets, favorite vacation destinations), how can providers respond to requests to increase patient account security and reduce the risk of unauthorized access?
Depending on the organization’s comfort level with the portal and the patient’s personal desire for security, additional measures may be available. “There are a few potential opportunities for a patient who is particularly sensitive about security to help ensure their information is protected,” Greene says.
One method common in other industries is multifactor authentication, where users have a login name and password with an additional layer of security on top. Greene says the extra protection often is something similar to “a text message to their cell phone that indicates a particular password, so it’s only accessible if you have the cell phone in hand.” He believes there’s nothing that would necessarily prevent an EHR portal from using two-step verification, which typically is leveraged by e-mail providers and financial institutions.
“Currently, the industry doesn’t really have a whole lot of individual choice on this,” Emery says, adding that specific users rarely have the ability to add extra security measures to their account. “It’s pretty much systemwide.” For example, if a particular portal platform offers an option for increased authentication, those features either are on or off for all users.
The issue may be more closely related to timing than need or desire. Portals still are a relatively new addition to the health care sector, and the development of additional security protocols or the personalization of features has yet to materialize. “One thing we’d really like to invite is for patients and users of our portal to communicate some of [their suggestions] to us,” Emery says. “What would they like? How important is that to them, the ability to do things like that?”
As responses and requests are gathered and analyzed, the ability to customize how security measures are implemented likely will evolve, he adds.
The mechanisms to reset a forgotten password vary from platform to platform. At the point patients realize they need to reset their password, security protocols dictate whether the issue can be handled online, by phone, or face-to-face. “We do permit remote management of lost or forgotten passwords, and our process doesn’t require a parent or patient to come in,” Elmer says. “They have a customer service number they can call.”
Some providers allow a self-service approach to password resets in which patients can regain access to their accounts through an online-only platform. Others, such as Rady Children’s, allow some form of remote reset that hinges on personal interaction to authenticate the user. And several organizations continue to limit account access requests to in-person only. “This goes right down to an organization’s policy,” Hunsberger says.
If an organization doesn’t implement some method to support automated password resets, it needs to examine its procedures for safeguarding patient identities, says Hunsberger, who notes that policies also should address instances in which patients lose or forget their username or the answer to one of their preselected challenge questions. She encourages providers to tackle these concerns early in the portal’s launch to be better able to respond quickly to any patient help calls.
The security threat landscape isn’t static, which means provider organizations must constantly monitor portal risks. Software coding errors are a significant source of threats, according to Greene, who says hackers may be able to “get through an externally facing application and access both the information within that application and even expose other systems.”
If an organization has software security experts on staff, part of their job must entail regularly evaluating the active code for potential weaknesses. “More often, health care providers may not have that level of expertise internally,” Greene says. “It may be important to either engage someone to independently check the software or to get some strong assurances from the vendor of the software that it has been independently tested.”
Because the exploitation of software weaknesses will continue to threaten the security of patient portals, Elmer says the system infrastructure must be designed correctly in the first place. Rady Children’s portal can be accessed only through a secure device or terminal and a compatible browser. “It does rely on authentication and providing the highest level of encryption technology that’s available,” she says. “Every year, we also go through a very robust security audit.”
Existing measures are scrutinized, the infrastructure is assessed against the threat environment, protocols are reviewed for effectiveness, and the entire process is inspected for compliance. Firewalls, password masking, and antivirus software help provide additional layers of security and monitoring.
External hackers have the potential to expose records and steal data, but less sophisticated threats also pose significant risks to patients. “Most of the breaches that occur are when someone inside the facility does something incorrectly,” Emery says. “Either it’s someone reading something they shouldn’t be reading or downloading and using data in an improper way or putting it onto an unencrypted device of some kind and carrying it out of the office.”
Besides educating employees, providers can seek outside sources for help. “There are several vendors out there making real inroads into helping facilities with this,” Emery says. For example, vendors are offering systems that watch for potentially risky behaviors, monitor which file types are downloaded to mobile devices, and control network access to ensure that connections have the necessary encryption and authorization credentials.
— Julie Knudson is a freelance business writer based in Seattle.
Should You Change Your NoPP?
As the use of portals becomes more widespread and provider organizations incorporate them into their ongoing operations, some are asking whether the Notice of Privacy Practices (NoPP) needs to be revised. “Based on the HIPAA requirements put out this year, we have recently done a complete revamp of our Notice of Privacy Practices,” says Dorothy O’Hagan, MA, RHIT, CCS, director of HIM at Rady Children’s Hospital in San Diego.
However, because the modifications largely resulted from changes to the HIPAA regulations, the portal wasn’t a primary concern. “There is no specific language in ours that addresses portal management or access,” she says.
In some organizations, disclaimers, particularly those concerning appropriate usage, are being added to NoPPs. “We have seen some practices deliberately add to their NoPPs a clause that if there is abuse of the portal, the practice reserves the right to cut off access or deactivate the portal account,” says Steve Emery, director of product management at Medfusion.
Aside from setting parameters around use and security, he believes the NoPP can serve a purpose beyond privacy notification. “It’s a great place to put an extra plug for a portal if the practice is really trying to drive patient engagement,” he notes.