Of the three main components of HIPAA (the Privacy Rule, Security Rule, and Breach Notification Rule) the Security Rule is particularly relevant to healthcare mobile app development. The majority of these applications, from patient portals to mhealth apps, store or transmit electronic protected health information (ePHI). It’s essential to keep this information safe, and the Security Rule has in-depth guidance on the extent to which this needs to be accomplished, but with a fair amount of flexibility as to the strategies for implementation.
Here, we decode the Security Rule as it applies to the patient portal and mHealth app development, specifically in regards to user authentication. In Part 2 of this series, we cover auditing, and in Part 3, we discuss issues related to data transfer, such as encryption and notifications.
What is an Appropriate Level of Authentication for Online Patient Access to Health Information?
During HIPAA compliant healthcare application registration, healthcare organizations need to set up procedures that verify the person’s identity requesting access to ePHI. There is a false belief that the only way to ensure the user is who they claim to be is for registration to be done in person, within the practice — aided by a staff member. While this is an option — considered outdated by some — it is not a HIPAA requirement. An alternative option is for a patient to provide an email address over the phone and receive an invitation to register for the healthcare mobile app platform. Providing your email address in person is considered more credible than most setup authentications on the web, where the email address is entered into a registration form. Patients could also register autonomously, also referred to as self-registration. While these two remote options are less secure than in-person authentication, they are preferred for convenience. Additional verification can be added by asking the patient challenge questions produced by a 3rd party such as IDology during registration.
A simplified registration process increases healthcare application use, such as a patient portal. And increased patient portal use results in improved patient engagement, more efficient patient appointment scheduling and cancellations, and enhanced treatment plan adherence.
At Bridge Patient Portal, one of the most common complaints made by healthcare organizations using other patient portals (typically bundled with their EHR vendor) is the cumbersome process patients must undergo to register.
Multi-factor authentication is defined as requiring a patient to produce more than one type of credential when logging into an application. The majority of logins only need a user to enter information such as a username and password. In multi-factor authentication, additional information is required such as a code on a card, security token, SMS message, and/or by direct verification of identity, like a fingerprint or challenge questions. As passwords and access to email accounts can easily be compromised, multi-factor authentication is growing in popularity for healthcare mobile app platforms. While the HIPAA Security Rule does not require multi-factor authentication, it is important to thoroughly consider its provisions on information access management and access control to determine how to best account for them in your HIPAA compliant healthcare application.
How Strong Do Passwords Need to Be?
More and more mobile app platforms now require users to adopt “strong” passwords. While HIPAA requires the use of passwords, there is no legal specification on password strength. Therefore, each healthcare organization can decide on password requirements during the application development phase. We recommend following the NIST Digital Identity Guidelines, which recommends that a password should be between 8 to 64 characters long, and all ASCII characters, including the space character, are acceptable.
It’s also essential that when a user creates or changes a password, it be tested against the following:
Passwords obtained from previous data breaches (One can check if an account has been compromised in a data breach on a website such as https://haveibeenpwned.com/.)
Repetitive or sequential characters (e.g. “aaaaaa” or “1234abcd”)
Context-specific words, such as the name of the service, the username, and derivatives thereof.
How Should Passwords Be Managed and Monitored?
HIPAA does include addressable implementation specifications on password management and login monitoring. Addressable means that an organization can decide to implement the specification as is, choose to put an alternate security measure or measures in place, or even — if the specification is not reasonable or appropriate to the particular entity — implement nothing. The key is that the decision and reasoning behind the implementation must be documented in written form, with in-depth consideration and appropriate justification demonstrated.
In this case, HIPAA stipulates that Covered Entities and Business Associates include several important features in their security awareness programs. One is to train staff on procedures for creating, changing, and safeguarding passwords. The other is that staff also learn how to monitor login attempts by external users and report any potentially problematic login activity, such as failed login attempts. Each organization needs to fully consider these addressable matters to plan, document, and implement its strategy.
What Are the Login Timeout Requirements, and How Does This Apply to a Personal Mobile Device?
HIPAA includes automatic logoff — when the application ends a user’s session after a specific period of inactivity — as another addressable implementation specification. However, the time to logoff is not stated. In choosing the number of minutes of allowed inactivity before a session is terminated, it’s essential to consider on what device and in what environment the application will be used. If you’re working with a mhealth app or HIPAA compliant messaging that will be used by patients on their phones anywhere they go, including crowded areas, a short time to logout of 2 to 3 minutes is advisable. However, if you’re working on the physician’s side of an application used in a private doctor’s office, a longer time to log out, like 10 to 15 minutes, is acceptable.
After a predetermined period of inactivity, a patient is required to re-enter their long-form, complex, secure password. Biometric authentication simplifies the login process and allows patients to seamlessly verify their identity through fingerprint or facial recognition technology before accessing the HIPAA compliant healthcare application.
We’ve only scratched the surface of the Security Rule. Check out Part 2 (HIPAA auditing) and Part 3 (encryption, servers, and notifications to patients).
Pablo architected and manages our HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect and is about to receive a Masters degree from the University of Buenos Aires in Computer and Information Systems Security and Information Assurance. He has a passion for all things related to cybersecurity and cloud hosting. He publishes a monthly cybersecurity newsletter which is shared with our clients.
Healthcare authorities are implementing new laws to boost interoperability within healthcare organizations and give patients more control and access to their personal health information. With this newfound sharing model, healthcare organizations and IT vendors must implement stricter patient portal security measures to protect valuable patient information. Healthcare data is increasingly becoming a more popular target with hackers as they innovate their techniques to gain access to this valuable and sensitive information.
As a result, the increased sharing of patient data has led to the demand for secure patient portals and mobile apps, which can serve as effective tools for secure patient-provider data exchange, communication, and care management. While patient portals allow information to be accessed and shared conveniently, healthcare organizations should be aware that there are several patient portal privacy and security issues. It’s the responsibility of the healthcare organization to ensure individual health information is kept private and secure.
Features required for patient portal security
Here we look at what features are required for patient portal security, and the protection and confidentiality of collected health information.
Encrypted database features. Encryption allows data to be securely transmitted or stored, meaning that it is readable only by authorized persons by converting the original message or information into ciphertext. There is a very low probability that anyone other than the authorized party could decrypt and convert the ciphertext into readable information. It is best to use the industry-standard AES-256 encryption to keep data secure at rest and TLS v1.2 or v1.3 with a robust cipher suite (following NIST recommendations) for data in transit.
Provide Role-Based Access Control (RBAC). Regulate who has access to specific information based on the role of each employee or user within the organization. For example, administrative staff may not need to see the same information and data as nursing staff. Consider what information each employee needs and grant access to the specific areas as required. RBAC is also an important concern for patient-authorized representatives or proxy accounts. Having proxy patient portal access that appropriately manages dependent accounts (e.g. a parent managing their child’s account) is a growing concern for healthcare organizations as patient portal adoption rates increase. 45% of the hospitals in the US do not offer proxy patient portal access.
Extensive password protection and MFA (multi-factor authentication). Your HIPAA patient portal should require a password to access the system, and again if there is a period of inactivity of 30 minutes. If a password is entered incorrectly too many times, it should lock user accounts. Ensure that all employees (users) passwords are following NIST recommendations and are reset every 60 to 90 days. A more robust validation can be applied with multi-factor authentication. Bridge Patient Portal, for example, supports SMS-based two-factor authentication for password resets and account registration. The patient portal sends an SMS message to a mobile phone with a time-sensitive security code to complete the patient portal security registration or password reset. Keeping a secure password can be a complicated procedure, that is why some secure patient portals offer biometric authentication (fingerprint and facial recognition) to provide patients with a quick, secure, and frictionless experience when accessing health information.
Audit Trails. It’s crucial to establish an audit trail that records key activities and conduct periodic reviews to reduce the risk associated with inappropriate access and violations against HIPAA rules. Robust training, policies, and agreements should also be in place for all staff members with patient portal access to ensure patient portal security.
Consent. Your secure patient portal should store, display, and print patient consent forms. The most critical consent form is an opt-in agreement where a patient understands and agrees to the risks associated with the inevitably insecure patient-provider communication.
Meet federal and state laws with regard to privacy and security. Follow the regulations set by healthcare authorities such as the Office for Civil Rights (OCR) and Health & Human Services (HHS) in regards to laws such as ADA, HIPAA, and CCPA.
PCI Compliance. HIPAA compliant bill pay requires that patient credit card details should not be transmitted or stored unless your clinic complies with PCI Security Council Standards, which keeps the patient’s payment card data secure.
Bridge is ONC 2015 Edition Certified and adheres to strict HIPAA and patient portal security protocols. Learn more about how Bridge implements compliance and security for its secure patient portal solution as well as its customers.
Many industries have already discovered the benefits of outsourcing IT systems to a professional IT service, and while healthcare is no stranger to the concept, it is once again gaining prominence.
A recent Black Book report, which surveyed over 1,030 hospital IT leaders, 240 CFOs and over 1,000 business leaders, found an overwhelming number of recipients in favor of using outsourced health IT solutions, such as point-of-care technology, healthcare IT infrastructure, and HIPAA compliant security. Nearly 73 percent of hospitals with over 300 beds are now looking outside for their technology solutions, and 81 percent of providers with less than 300 beds have prioritized outsourcing complex IT operations in their development plans.
The main reason for the increased demand in outsourcing is due to the growing importance of IT in the delivery of quality patient care. Healthcare organizations are relying on technology more and more, like the need for a secure patient portal, as an essential component of their operations within the rapidly changing healthcare scene.
Advantages of Health IT Outsourcing
The last time that the healthcare industry saw prominent growth in outsourcing was in the late 1990s in order to control costs through broad based IT solutions. Today, positive return-on-investments and immediate access to fully trained IT staff and required technologies are the key drivers.
According to the Black Book survey, 90 percent of outsourcing hospitals reported an immediate return on investment (3 months or less) for health IT outsourcing in Q3 2015 when the survey took place. Many providers are also simply not in a position to hire and train internal IT staff, whereas outsourcing can help to implement new technologies faster by utilizing and putting together resources quickly.
84 percent of respondents reported that their relationship with outsourcing vendors is exceeding their expectations, and almost 86 percent of CFOs and 91 percent of CIOs would be willing to reshape an entire organization in order to implement outsourced IT services in the most effective and efficient manner.
Hospitals have increasingly felt the pressure of managing revenues, and severely tightened margins have further put pressure on bottom lines. Outsourcing can help lower costs considerably, especially as the push for more sophisticated patient records, secure patient portals, data analytics, and population health management continues to grow.
Doug Brown, managing partner of Black Book Market Research commented, “Most hospital leaders see no choice but to evaluate and leverage next-generation information and financial systems as an outsourced service in order to keep their organizations solvent and advancing technologically.”
While there have been past failures reported on outsourcing, the causes of these failures mostly resulted from selecting the wrong vendor, unrealistic expectations, or insufficient performance monitoring. Consumers have since used their experiences to adapt and improve their IT outsourcing contracts.
Certainly, it’s clear that the business value to be gained from health IT outsourcing, in terms of economics, technological skills and expertise, established processes, and service quality, can ensure a cost effective solution and allow healthcare organizations to focus on their core business.