Electronic health record (EHR) patient portals have become an effective mode of communication between healthcare providers and patients. These online portals electronically store healthcare information in a digital format that patients can view and share across different healthcare settings.
While patient portals are transforming healthcare relationships, some patients are hesitant to adopt this technology due to privacy and security concerns. The security of a patient portal requires a multi-layered approach. By following these best practices, the medical industry can ensure that patient data is safe, while still providing important EHR information through patient portals. Now, let’s review how to secure EHR on a patient portal and who is responsible for what.
Hosting Provider Responsibilities
Physical Infrastructure: Data Center Security
Managing the physical security of the infrastructure where portal data is hosted is the responsibility of your colocation provider. A data center should provide secure, redundant protection that meets the same rigorous compliance standards the healthcare industry must abide by.
Ensuring that a colocation provider’s data center complies with HIPAA is crucial. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality and security of EHR.
Physical security keeps unauthorized people out of the building and limits the damage a disaster can do to it. Data centers should use camera surveillance, electronic access control, biometric access points and security alarms. If your provider's data center infrastructure doesn't meet these standards, patients' EHR might be compromised.
Healthcare Provider Responsibilities
Extensive Password Protection
A HIPAA compliant patient portal should require authentication to access the system. Deciding what that authentication looks like, a password alone or a password plus a second factor, is the responsibility of the healthcare provider. Passwords should be complex; a common policy is to reset them every 60 days, although current NIST SP 800-63B guidance prefers a minimum length and screening against breached-password lists to forced periodic rotation, and resets passwords when compromise is suspected. While requiring patients to create a password is the responsibility of the healthcare provider, hosting providers should also have a robust password protection and validation process in place.
Since the HIPAA Security Rule includes password management among its administrative safeguards, healthcare providers must have procedures for creating, changing and safeguarding passwords.
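The three procedures the Security Rule names (creating, changing and safeguarding passwords) map onto concrete server-side code. The following is an added example, not code from the original article or from any vendor it names; it assumes a hypothetical portal that stores one salted scrypt hash per patient account, and the breached-password list and the 12-character minimum are constructed stand-ins for a real corpus and a real policy.

```python
"""Added example (not code from the article or any vendor it names):
server-side password handling for a hypothetical patient portal.
Creating = policy check, changing = rotation that requires proof of the
old password, safeguarding = salted scrypt hash and constant-time compare."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a breached-password corpus (for example a
# Have I Been Pwned download); a real deployment screens against millions.
BREACHED_PASSWORDS = {"password", "123456", "welcome1!", "password1!"}

MIN_LENGTH = 12  # assumed portal policy; NIST SP 800-63B's floor is 8


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if len(set(password)) < 4:
        problems.append("too repetitive")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted scrypt digest. Store (salt, digest), never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes match."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def change_password(old: str, new: str, salt: bytes, digest: bytes) -> Tuple[bytes, bytes]:
    """Rotate a password: the caller must prove the current one, and the new
    one must pass policy and differ from it. Returns the new (salt, digest);
    a fresh salt is drawn for every change."""
    if not verify_password(old, salt, digest):
        raise PermissionError("current password incorrect")
    if old == new:
        raise ValueError("new password must differ from the current one")
    problems = check_password_policy(new)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(new)


if __name__ == "__main__":
    s, d = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", s, d))
    print(check_password_policy("Password1!"))
```

The scrypt parameters (n=2^14, r=8, p=1) cost roughly 16 MiB of memory per guess, which is what makes offline cracking of a stolen hash table expensive; a production portal would also rate-limit login attempts, which this example leaves out.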
Hosting & Healthcare Provider Responsibilities
Logical Security of Sensitive Patient Data
Logical security protects sensitive data by limiting access to the people who genuinely need it, using electronic measures such as permissions, access rules and network segmentation. The healthcare provider should work with their hosting provider to determine a logical security design that allows for the highest availability without compromising security.
Limiting administrative access and implementing stronger authentication is one way for both hosting and healthcare providers to enhance security and decrease the chance of a breach or data theft. Two-factor or multi-factor authentication adds a layer of security beyond the password for gaining access to EHR through a patient portal.
It's important for both the hosting and healthcare providers to establish and conduct periodic audits of compliance standards and data storage. Regular reviews reduce risk and create a culture of security and accountability.
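Limiting access to the people who need it, and keeping administrative access away from patient data, is an authorization decision the portal makes on every request, and the record of those decisions is what a periodic audit reviews. The following is an added example, not code from the article or from any vendor it names; the roles, users and records are hypothetical and constructed for illustration.

```python
"""Added example (not from the article or any vendor it names): default-deny
authorization for portal record reads, with every decision written to an
audit log. Roles, users and records are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Record:
    patient_id: str
    contents: str


@dataclass
class Principal:
    user_id: str
    role: str                                      # "patient", "clinician", "sysadmin"
    patient_id: str = ""                           # patients: their own id
    care_team_for: Set[str] = field(default_factory=set)  # clinicians: assigned patients


# In a real portal this would be an append-only store outside the app's
# own database; a list is enough to show what an auditor looks at.
AUDIT_LOG: List[Dict[str, object]] = []


def authorize_read(actor: Principal, record: Record) -> bool:
    """Decide whether actor may read record and log the decision.
    Default deny: access is granted only by an explicit rule below."""
    if actor.role == "patient":
        allowed = actor.patient_id == record.patient_id
    elif actor.role == "clinician":
        allowed = record.patient_id in actor.care_team_for
    else:
        # Platform and hosting administrators operate the system but have
        # no clinical need to read PHI, so they get no read rule at all.
        allowed = False
    AUDIT_LOG.append({"actor": actor.user_id, "role": actor.role,
                      "patient": record.patient_id, "allowed": allowed})
    return allowed


def read_record(actor: Principal, record: Record) -> str:
    """Fetch a record only after the authorization check has passed."""
    if not authorize_read(actor, record):
        raise PermissionError(f"{actor.user_id} may not read {record.patient_id}")
    return record.contents


def denied_attempts(log: List[Dict[str, object]],
                    actor: Optional[str] = None) -> List[Dict[str, object]]:
    """Audit helper: denied reads, optionally for one actor. A burst of
    denials from one account is the kind of thing a periodic review flags."""
    return [e for e in log
            if not e["allowed"] and (actor is None or e["actor"] == actor)]


if __name__ == "__main__":
    alice = Principal("u-alice", "patient", patient_id="p-100")
    ops = Principal("u-ops", "sysadmin")
    note = Record("p-100", "constructed clinical note")
    print(read_record(alice, note))
    print(authorize_read(ops, note), denied_attempts(AUDIT_LOG))
```

The point of the default-deny shape is that a new role added later (a billing clerk, a support engineer) reads nothing until someone writes a rule for it, and the audit log shows exactly who was denied what.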
In addition to consistent audits, there should be security and compliance training in place for any employee that has access to patient portal information. According to MediaPro’s 2017 State of Privacy and Security Awareness report, 78 percent of healthcare employees lacked data privacy and security preparedness. When employees lack proper security training and education, they are more likely to put patient data at risk inadvertently.
Work with Your Hosting Provider to Achieve Compliance in Your Patient Portal
Patient portals offer clear benefits in transparency between healthcare providers and patients, but if a provider lacks the resources to effectively protect sensitive patient information, patients' data could be at risk. Partner with a hosting provider that specializes in HIPAA compliant hosting layered with managed security solutions to host your portal and help you develop procedures for best-in-class security.
LightEdge offers solutions that are aligned with The Health Insurance Portability and Accountability Act (HIPAA). While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. Contact us to discuss your goals, including how to keep your patient data secure.