Healthcare organizations report high confidence in their cybersecurity preparedness even though most of them rely only on basic user authentication, while instances of patient identity theft and fraud in the marketplace continue to increase, according to LexisNexis Risk Solutions.
Key survey findings
Specifically, the survey results showed:
- 58% believe that the cybersecurity of their patient portal is above average or superior when compared to other patient portals
- 65% report that their individual state budgets for patient identity management will not increase in 2019
- 93% use username and password as the patient portal authentication method
- 65% deploy multi-factor authentication
- 39% use a knowledge-based Q&A for verification
- 38% use email verification
- 13% deploy device identification
“There are some surprises in the results, particularly the higher than expected confidence that organizations have with regard to the security of their patient portal and telemedicine platforms given that only 65% deploy multi-factor authentication,” said Erin Benson, director, market planning, Healthcare, LexisNexis Risk Solutions.
“Multi-factor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn’t catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users.”
Other industry reports show that healthcare data breaches increased 5% in 2018, affecting 15 million patient records, three times the number reported in 2017. There was also a record 1 billion bot attacks in the first quarter of 2018, and 44% of HCOs overall experienced cryptomining.
Top three cybersecurity takeaways
Traditional authentication methods are insufficient: Because of the many healthcare data breaches, hackers already hold legitimate credentials, and users are also easily phished. Traditional username and password verification is therefore an entry point, not a barrier, and cannot be relied upon on its own to provide a confident level of security.
Multi-factor authentication should be considered a baseline best practice: HCOs should rely on a variety of controls, ranging from knowledge-based questions and verified one-time passwords to device analytics and biometrics, to authenticate users according to the riskiness of the transaction.
The riskier the access request, the more stringent the authentication technique should be.
An effective cybersecurity strategy must balance user experience against data protection: HCOs need to make it easy for patients and partners to access records while ensuring adequate data protection.
To do this, an HCO’s cybersecurity strategy should layer low- to no-friction identity checks up front, so that legitimate users get through easily, and place higher-friction identity checks on the back end that only users flagged as suspicious must complete.
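The layered, risk-tiered approach described in the takeaways above, written out as a small policy engine. This is an added illustration, not code from LexisNexis or the survey; the signal names, score weights and tier thresholds are assumptions chosen for the example, and the factor names correspond to the methods the survey asked about (password, one-time password, email verification, knowledge-based Q&A, device identification).

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """Silent signals gathered before the user is prompted for anything.
    All field names are constructed for this example."""
    known_device: bool          # device identification matched a prior enrolment
    new_geolocation: bool       # location never seen before for this user
    recent_failed_logins: int   # failed attempts in the last hour (assumed window)
    sensitive_action: bool      # e.g. downloading full records vs. viewing an appointment


def risk_score(req: AccessRequest) -> int:
    """Low-friction, back-end-only signals are evaluated first; none of them
    require any interaction from the user. Weights are assumed, not from the survey."""
    score = 0
    if not req.known_device:
        score += 2
    if req.new_geolocation:
        score += 2
    if req.recent_failed_logins >= 3:
        score += 3
    if req.sensitive_action:
        score += 1
    return score


def required_factors(req: AccessRequest) -> list[str]:
    """Map the risk score to the user-facing factors that must be completed,
    ordered from least to most friction. A known device on a routine request
    gets through on the password alone; only suspicious requests reach the
    high-friction knowledge-based questions."""
    score = risk_score(req)
    factors = ["password"]                     # always required
    if score >= 2:
        factors.append("one_time_password")    # verified OTP to a registered channel
    if score >= 4:
        factors.append("email_verification")
    if score >= 6:
        factors.append("knowledge_based_qa")   # reserved for the riskiest requests
    return factors


if __name__ == "__main__":
    routine = AccessRequest(True, False, 0, False)
    suspicious = AccessRequest(False, True, 3, True)
    print(routine, "->", required_factors(routine))
    print(suspicious, "->", required_factors(suspicious))
```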