How to protect from the Cyber Risks created by technology providers with the use of mobile and patient portals.
It has been noticed from various studies like Kantar (on 20th March 2020), about best practice cybersecurity methods for Remote care which have shown that privacy and security concerns are hindering patients’ willingness to use health technology, such as patient portals to improve their care. And while many in healthcare are embracing new technologies (TELEHEALTH) and mobile care, cybersecurity is not always prioritized.
Increased remote working and telehealth (health industry) in light of the Corona-virus has contributed so much to Personally Identifiable Information (PHI) records insecurity over the healthcare threat landscape. For the period of the pandemic, ensuring no service disruptions is critical to patient safety. This is so because the telehealth services are mostly targeted by cyber-criminals. The major risks are not addressed to the platform users and deliberately think less of what could happen after they utilized such platforms.
The only basic solution to such a threat is to enforce tech policies that stipulate usage of such technologies to work around PHI data for patients that login to check for a lab test, health status among others
Ways providers can ensure Security of Telehealth Platforms and ensure Patients Adopt to security hardening.
Over time cybercriminals have targeted healthcare industry for reasons such as:
The treasure trove of valuable information in medical records and dated cybersecurity. It is experienced that in the last decade, more than 30 percent of all big data breaches occurred within healthcare systems, according to a study by the American Journal of Managed Care.
Lack of adequate encryption methods, login redundancies, and detection tools, health portals (telehealth forums) are easily accessible to cybercriminals just like they are to authorized users. As these platform’s usage grows, lack of security will become an exponentially greater threat to patients’ PHI and identities.
Technology Providers can never lower the value of PHI to make it unattractive to hackers, but they can protect it more effectively with up-to-date cybersecurity measures. Here are five ways your organization can bring your patient telehealth platform’s security stronger and up-to-date, and how you can protect your networks safe from unauthorized access:
1. Anti-virus and anti-malware software should be kept up to date
Multi-layer verification protects users’ direct access to telehealth platforms, but some vulnerabilities need attention. For instance, HIMSS Analytics found that 78 percent of providers experienced ransomware and malware attacks in 2017.
The email has up to now been the most considered avenue of choice for deploying malware, and these attacks constantly evolve to slip past conventional security measures. If anti-virus software is outdated, it remains vulnerable to every new iteration of malware that attacks the network. Most solutions allow for automatic opt-ins so updates are downloaded and installed as soon as they’re made available.
“Given the sensitivity and richness of medical data, an attack on the portal can be devastating for patients and costly for providers.”
2. Portal sign-up process should be automated
Automating the initial sign-up process can stop false enrollments into the portal at the source. When implemented correctly, the automation only requires the patient to enter a few pieces of information, and then the software can confirm the user’s identity on the back end.
3. Multi-factor verification is a must
After patients have signed up to access the portal, using multi-factor verification can ensure all future sessions are equally secure. For example, two-factor authentication adds additional protection on top of conventional login credentials.
In addition to a password or PIN, users also have to provide something personal such as a cell phone number, fingerprint, iris scan, or more. If the user’s device, account ID, and/or password are compromised, multi-factor authentication can ensure the organization’s network remains safe. Most organizations are using this method and consumers are expecting it.
4. Protect patient identities with identity solutions
Ensure you’re giving access to the right patient. Secure log-in monitoring and device intelligence can help you confirm that the person trying to log in is who they say they are. When something doesn’t add up, identity proofing questions can be triggered to provide an extra check.
In the advancement in technology, the use of biometrics to supplement existing identity-proofing solutions should also be thought of as a solution to supplement on access control. Just as you might use facial recognition to unlock your smartphone, there are now ways to authenticate your healthcare consumers’ identity using the same technology.
What is needed to booster healthcare security programs?
a) Often, organizations get too focused on the external portion of a security defense program. However, it is catastrophic when a cyber-criminal finds their way inside a secure system, the rest of the security measures become easy to penetrate, so it’s easy for the thieves to wreak havoc from that point. Thus, there are two recommendations we have for organizations:
- Have a strong monitoring capability on the inside that provides alerts to intrusion. If a cyber-criminal got past the perimeter defenses, there are still more hurdles for them to overcome to steal the data or cause havoc.
- Develop a strong security training program for all employees on how to ensure system hardening and cyber resilience. Employees continue to be regarded as the weakest link in a company’s security posture. They should be trained on topics such as phishing scams and most social engineering schemes.
“Data security should be a key strand in your patient engagement messaging.”
b) Also, another relatively new strategy to ensure security is to set up “deception grids,” which are tools that set up fake systems. If a criminal got past the perimeter defenses and is inside, he/she has multiple systems to navigate without knowing real or fake ones. If a company is alerted to intrusion in the fake system, you can gain a better handle on how to manage the incident and are safeguarded from real data being exposed or stolen.
How can healthcare organizations prepare their employees to reduce the risk they pose to the enterprise?
- An organization should ensure that security is made a priority and conduct frequent employee training. This is so because many reports show that employees are the weakest link in an organization’s security defense. Often, the lion’s share of security budgets tends to be focused on technology-centric solutions. But companies should devote more attention to the human aspect of security.
- Training can be conducted at key intervals such as during new hire on-boarding, and annually. Some of the key risky employees should be educated about are spear-phishing scams and malware infiltration, which can easily expose a company’s data with just a click.
- Many companies may be reluctant to limit access to certain websites or the devices that employees can use at work because of the potential for employee blowback. It can even become a retention issue for millennial employees who expect to have access to their work and personal life anytime and anywhere. However, organizations should be mindful of the risk and consider using mobile device management software that will let them have some control or visibility into personal devices. Employee training about both the risks and consequences of using an unsecured device at work is also an important step.p;