Industry Insights with Michael Magrath


A Shift in the Wind - Securing Patient Portals

I thoroughly enjoyed my time at HIMSS16 in Las Vegas. It was great to be back, see old friends and make new ones.

The landscape, as it relates to security, has certainly changed since my first HIMSS Conference in 2008. I recall walking the exhibit hall discussing multi-factor authentication and identity management only to receive blank stares or interesting comments from prospective partners and customers. I heard, "we use usernames and passwords and they work just fine, and for added security we use 'strong' passwords." Knowing what I know, I would just walk away and shake my head, realizing the market wasn't quite ready for solutions to a problem that few folks had even identified as a problem.

HIPAA, HITECH, EPCS, hackers, the HHS Office of Civil Rights' "Wall of Shame", ransomware, medical identity theft, and others have all contributed to converting blank stares into laser-focused attention on security, authentication and identity proofing. For the first time at HIMSS that I recall, EHR vendors, healthcare institutions and patient portal providers visited our booth with genuine concerns and needs to secure access to their patient portals. Knowing who is accessing PHI, be that the patient or a proxy, is critical and using multi-factor authentication is a genuine need. Our customers are terrified of HIPAA audits and breaches and know full well that their existing approach is severely lacking. The blank stares are gone.

Sure, we have a long way to go for The Office of the National Coordinator for Health Information Technology (ONC) to achieve its 2017 goal to reduce vulnerabilities in identity theft by having 65% of health care organizations permit patient access to patient portals with more than a username and static password. And by 2020, ONC expects that at least 50% of health care organizations will have implemented identity proofing and authentication best practices. What are "emerging technologies" anyway? One-time password (OTP) generating tokens have been around for years. VASCO has deployed over 200 million tokens worldwide. The technology is secure, easy to use, and deployed throughout the world. It may not be emerging, but for a password-laden industry like healthcare, an OTP token is certainly "new and emerging".

Tokens too retro? Biometrics more exciting? More James Bond-like? Fingerprints, especially as handset manufacturers shore up security, will become more and more prevalent in healthcare, especially for us patients to access our own health information stored in portals and health record banks. Speaking of handsets, voice and facial recognition will also gain traction. Smartphones are multi-factor authentication devices capable of storing apps to generate OTPs. They are equipped with a high-quality camera capable of capturing facial images and video, and microphones to leverage voice recognition technology. Banking has utilized them to enhance security and improve our experience, and healthcare is the next likely target for secure and user-friendly multi-factor authentication.

Being a patient with my electronic records dispersed throughout the system, it is reassuring to know that securing my information is finally garnering the attention of the industry.

About the Author

Michael Magrath

Director of Business Development, VASCO Data Security

Magrath is a nationally recognized leader in the field of healthcare identity management. A frequent speaker and thought leader, he is an active member of the Identity Ecosystem Steering Group (IDESG) established in response to the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NSTIC), participates on IDESG's Healthcare Committee, and is a member of HIMSS' Identity Management Task Force. He previously served as Chairman of the Smart Card Alliance's Health & Human Services Council from 2010-2014, where he spearheaded workgroup initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. Currently, Magrath leads the healthcare business group at VASCO Data Security. Prior to VASCO, he served as Director for Identity Solutions for DrFirst and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).
