Healthcare News & Insights

Secure portal in health care

One of the most advanced technologies in health care is the development of the patient portal. In this guest post, Dean Wiech, managing director of a global provider of access management and governance solutions, reviews the history and function of patient portals, and steps hospitals can take to protect them.

__________________________________________________________

Patient engagement is the name of the game, but despite the many headlines claiming portals are coming to make health care better, perhaps the news really is in support of their second coming.

Portals have existed in the healthcare field for years. They exist for several reasons – to provide employees with access to HR information, such as PTO and payroll; to provide an employee directory; and to gain information about events and open positions. They also allow patients the ability to gain access to information, to schedule appointments, review treatment plans, make payments and view medical records.

Evolution of portal technology

Portal technology started in the financial sector and has evolved and grown dramatically in the years since. Until recently, with some payment tied to healthcare’s meaningful use program, providers have had little need to adopt portal technology. However, that changed with the American Recovery and Reinvestment Act of 2009 (ARRA). In particular, the HITECH Act set aside about $20 billion for health information technology. This funding will potentially offset the costs of electronic medical record systems for practicing physicians.

Without getting too far into the weeds, to attest for meaningful use (Stage 2), eligible professionals were required to have 5% of their patients view, transmit or download their health information. Additionally, providers were required to implement notifications for follow-up appointments and identify clinically relevant health information for more than 10% of their patients with two or more appointments in the preceding two years. This led to a steep rise in portal adoption and use. In 2012, 57% of providers supposedly had a patient portal in place. Portals, in this case, were developed to give patients better access to their information.

For these reasons and more, hospitals and health systems are one of the biggest users of single sign-on technology. This technology, and the security features built in for “frequently-on-the-move” nurses and physicians, makes the task of logging in and out of computers as simple as placing an ID badge on a card reader. Gone are the days of tedious logins to a system from one floor or area of the hospital to another. Now, a simple flash of a card and access is granted to the individual user based on some easily established rules.

The two technologies are able to merge, providing secure portal and application access coupled with the ease of use of single sign-on. Of course, as is probably obvious, a secure portal is different from the typical portal in a number of ways.

Collection of applications

The primary function of this portal isn’t to be a collection of information, but rather a collection of applications. The applications contain links to software that providers need to perform their daily responsibilities with a bit less hassle or more of a streamlined approach.

When it comes to portals, even if a health system adopts one of the most advanced portals that can address the issue of HIPAA and other federal requirements, by nature they’re designed to send information to others which can impact the integrity of the information shared. The primary concern is related to the security of the data itself. Although patient portals do use protections, they don’t encrypt individual patient files. So even with their existing protections, patient portals essentially create an additional entry point that could pose a security risk. These challenges can potentially be assuaged by implementing separate file-sharing encryption software or by encrypting the files themselves.

As Leon Rodriguez, former director at the Health and Human Services Office for Civil Rights, points out in a post on HealthIT.gov, portals and healthcare technology systems are built with specific protocols to protect the information stored within them as required by the HIPAA Security Rule. The rule requires healthcare systems to set up physical, administrative and technical safeguards to protect their electronic health information, including safety measures that may be built in the systems, such as:

  • “Access controls” like passwords and PIN numbers, to help limit access to your information
  • “Encrypting” stored information. This means your health information can’t be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals, and
  • An “audit trail,” which records who accessed your information, what changes were made and when.

As Rodriguez pointed out, and as we see every day, security features can be easily introduced for a greater level of protection across the entire system and for each user. In doing so, there’s a chance the entire system or every application can be breached even if one area is hacked or accessed inappropriately.

Likewise, restrictions can be placed on a variety of identifiers and on a per application basis at any level in the organization or user group. For example, separate rules can be established for different departments, geographic locations, units, floors or even individuals. These restrictions can include elements including time and day of week, on/off network, IP address and device type. Sensitive applications, such as electronic health records or finance systems, can be set up to require an additional PIN code even after the user has accessed the portal.

Increase security

Finally, health systems must increase security and ensure proper access for appropriate employees for the correct reasons, but they also must reduce password issues and increase efficiency for clinicians.

Simple solutions can easily mitigate these issues. For example, single sign-on allows clinicians to have a single set of credentials to log on to a computer or workstation. Once they log in, they’re automatically signed into all authorized systems and applications.

Fast user switching and “follow me” are further components that can potentially improve access, including proper access to appropriate information and systems. Specifically, fast user switching simplifies the log-in process even further by requiring users to only insert a pass card to gain access.

In addition, follow me allows users who have opened applications on Citrix and/or Terminal Server to continue their work on another computer. This results in considerable time savings, particularly in the case of specialists who make their rounds among departments.

Let’s look at a real-world example: A nurse typically works a 12-hour shift and only accesses three or four specific applications, from inside the network on a shared PC. Restrictions based on time or day won’t really be convenient, as the nurse could work a double shift or swap to cover for a friend. However, since they only need access to the applications while at work, restricting them from outside the network does make sense. But if one of those applications is email, it alone could be configured to be opened from outside the network and from any type of device.

The benefit of this approach is that if credentials are lost, stolen or hacked, being able to restrict access by timeframe, device type, and internal or external network can prevent the potential exposure of sensitive data. There’s no reason someone from an IP range in Europe should be trying to access the hospital’s EHR or other data systems.
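
The per-application restrictions and the nurse scenario described above can be sketched as a small policy check. This is an added example, not code from the author or from any product; the network range, application names, group names and the decide() function are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed values: network range, application names and groups are assumptions.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

@dataclass(frozen=True)
class AppRule:
    internal_only: bool = True              # on/off network restriction
    devices: Optional[frozenset] = None     # allowed device types; None = any
    hours: Optional[tuple] = None           # (start_hour, end_hour); None = any time
    step_up_pin: bool = False               # extra PIN after portal login

SHARED_PC = frozenset({"shared_pc"})
# Nurse group: no time-of-day rule (double shifts, swaps), internal network only,
# except email, which is reachable off-network from any device type.
NURSE_RULES = {
    "ehr": AppRule(devices=SHARED_PC, step_up_pin=True),
    "med_admin": AppRule(devices=SHARED_PC),
    "email": AppRule(internal_only=False),
}
# A different department can carry different rules, here with a time window.
BILLING_RULES = {"finance": AppRule(devices=SHARED_PC, hours=(7, 19), step_up_pin=True)}

def is_internal(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)

def decide(rules, app, src_ip, device, when: datetime, pin_verified=False):
    """Return (decision, reason). Apps not assigned to the group are denied."""
    rule = rules.get(app)
    if rule is None:
        return "deny", "application not assigned to this group"
    if rule.internal_only and not is_internal(src_ip):
        return "deny", "off-network access not permitted"
    if rule.devices is not None and device not in rule.devices:
        return "deny", "device type not permitted"
    if rule.hours is not None:
        start, end = rule.hours
        # A window with start > end wraps past midnight (e.g. 19 to 7).
        inside = start <= when.hour < end if start < end else (when.hour >= start or when.hour < end)
        if not inside:
            return "deny", "outside permitted hours"
    if rule.step_up_pin and not pin_verified:
        return "challenge", "additional PIN required"
    return "allow", "all restrictions satisfied"
```

Recording every deny and challenge result alongside the user, source address and time gives the audit trail something to show when stolen credentials are tried from outside the network.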

By taking this step to protect applications behind a secure portal, healthcare organizations can provide another level of security to restrict who is accessing what data and from where and when.

Dean Wiech is managing director of Tools4ever, a global provider of access management and governance solutions. He’s responsible for US operations.

 

 
