Telehealth has done much to broaden healthcare access over the last decade, but the pandemic made it mainstream. Healthcare providers quickly realized the benefits of offering remote care, and many have been eager to adopt telehealth. For example, an estimated 20% of all emergency room visits — and 24% of routine office visits and outpatient volume — could be delivered virtually via telehealth.
But while this technology has created a wealth of opportunity, it comes with vulnerabilities that endanger patient privacy. In 2020, according to HIPAA Journal, there were 642 significant healthcare data breaches (defined as over 500 records), a 25.4% increase from 2019 and a 74.5% increase from 2018.
To ensure patient privacy, organizations using telehealth platforms and other software must consider the system’s security, how much data they gather, and how they store that data. By nature, telehealth involves large amounts of protected information that, if leaked, can lead to expensive fines and remediation. A healthcare data breach now costs $7.13M, up 10% from 2019.
First, let’s define what we’re including when we say “telehealth.” Telehealth encompasses a broad array of technologies and services available to patients and practitioners. Telehealth platforms may stand alone or integrate with patient portals and EHR systems.
Because telehealth services run over the internet, they are subject to the risks that connectivity creates. Centralized data and centralized management of access are essential to making these solutions secure. This calls for privileged access management (PAM) together with identity governance and administration (IGA) to track and secure access. Patient privacy hinges on supplying the right access to the right people for the right resources, and only for as long as necessary. IGA also ensures that governance rules (HIPAA specifically) are applied and maintained consistently.
With virtual appointments, patients log into a web-based portal to access a provider via a virtual conference call, which typically involves video. The interaction between patient and practitioner facilitates discussion, diagnosis, and prescribing for many conditions.
According to the APA, remote therapy services have been on the rise since 2017. Virtual appointments are common in behavioral health for therapy sessions. Follow-up appointments and lab result reviews are also conducive to telehealth. It’s important to note that virtual appointments aren’t always appropriate (or billable!) for certain diagnoses or conditions, particularly for patients with complex medical histories.
Virtual appointments offer convenience and protection from infectious diseases for patients and providers alike. Patients benefit from the flexibility, and healthcare organizations see reduced no-show rates. But telemedicine must also address privacy. Protecting patient data requires healthcare organizations to follow best practices in three areas: administrative, physical, and technical security.
Virtual appointments present compliance challenges for health organizations because of how HIPAA defines protected health information (PHI). The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Patient portals offer patients convenient access to their health records. This helps meet interoperability requirements and allows health organizations to share patient data with authorized associates to deliver better care. Securing access to patient portals presents a challenge. Healthcare technology must walk a fine line between user experience and security. Bad actors easily acquire public information such as a patient’s phone number or address. Yet, access authorization can’t be too complicated for the average patient.
Healthcare organizations can take steps to verify a patient’s identity when they sign up for a patient portal. Integration with identity verification software helps prevent identity fraud by improving the ease and accuracy of identification. This allows healthcare providers to off-load some risk in protecting patient data.
Once the patient’s identity has been verified and associated with their medical records, they will need credentials to access them regularly. Credentials can be created and managed by the healthcare organization or a third-party authentication source such as Google, Yahoo, or Facebook.
Unfortunately, while federated authentication like this may be easier for patients, it adds risk. Relying on a third-party authentication vendor means relying on that third party to keep the patient's credentials secure, which opens the door to PHI exposure if it does not.
The rising use of telehealth also accelerated remote collaboration between providers. Specialists remotely connect with doctors and staff to review patient records, consult, and provide guidance. While this results in more comprehensive care, it also introduces a further risk of PHI disclosure.
Insider threats account for almost one-third of all attacks. Even individuals with the best intentions can unwittingly fall prey to bad actors through social engineering or phishing. Any compromised account is a security hole.
Experian describes the coming year as a ‘cyber-demic,’ calling COVID-19 vaccine rollout information and personal healthcare data “particularly vulnerable.” Healthcare organizations and their associates must implement Identity Governance and Administration for collaborative tools and the data shared on them.
Security in telehealth requires that you have a full picture of a user’s risk profile, including access analytics, usage analytics, individual user activity, and inherent user risk. User activity should be tracked and monitored by type, role, permissions, data accessed, and functions performed. Healthcare security requires access management tools to perform real-time authentication and apply policies that deliver appropriate access to each user.
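The two ideas above, time-bound least-privilege grants (the right people, the right resources, only as long as necessary) and usage analytics over individual user activity, can be shown in a small access-decision point. The following is an added illustration written for this page, not code from Saviynt or from any telehealth product; the role model, user names, patient identifiers and the "distinct charts read" anomaly threshold are all constructed assumptions. Every decision is appended to an audit log, and a simple analytic over that log flags an account that reads far more patient charts than its peers, the kind of insider or compromised-account signal the text describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed role model (an assumption for this example, not from the article):
# each role maps to the (resource, action) pairs it is permitted to perform.
ROLE_PERMISSIONS = {
    "physician": {("ehr:record", "read"), ("ehr:record", "write"),
                  ("ehr:prescription", "write")},
    "nurse":     {("ehr:record", "read")},
    "billing":   {("ehr:billing", "read")},
}


@dataclass(frozen=True)
class Grant:
    """A time-bound entitlement: `user` acts in `role` for one patient until `expires_at`."""
    user: str
    role: str
    patient: str
    expires_at: datetime


class AccessGovernor:
    """Toy IGA-style decision point: grants expire and every decision is logged."""

    def __init__(self, start: datetime):
        self._now = start                      # injectable clock, deterministic for tests
        self._grants: dict[str, list[Grant]] = defaultdict(list)
        self.audit: list[dict] = []            # one entry per access decision

    def advance(self, delta: timedelta) -> None:
        self._now += delta

    def grant(self, user: str, role: str, patient: str, ttl: timedelta) -> Grant:
        g = Grant(user, role, patient, self._now + ttl)
        self._grants[user].append(g)
        return g

    def revoke_all(self, user: str) -> int:
        """Deprovision a user (offboarding or a suspected compromised account)."""
        return len(self._grants.pop(user, []))

    def check(self, user: str, patient: str, resource: str, action: str) -> tuple[bool, str]:
        # Only grants for this patient that have not yet expired count.
        active = [g for g in self._grants.get(user, [])
                  if g.patient == patient and g.expires_at > self._now]
        if not active:
            verdict = (False, "no active grant for this patient")
        elif not any((resource, action) in ROLE_PERMISSIONS.get(g.role, set()) for g in active):
            verdict = (False, "role does not permit this action")
        else:
            verdict = (True, "permitted within grant window")
        self.audit.append({"at": self._now, "user": user, "patient": patient,
                           "resource": resource, "action": action,
                           "allowed": verdict[0], "reason": verdict[1]})
        return verdict

    def patients_read_per_user(self) -> dict[str, int]:
        """Usage analytics: number of distinct patients each user successfully read."""
        seen: dict[str, set[str]] = defaultdict(set)
        for e in self.audit:
            if e["allowed"] and e["action"] == "read":
                seen[e["user"]].add(e["patient"])
        return {u: len(p) for u, p in seen.items()}

    def unusual_readers(self, threshold: int) -> list[str]:
        """Accounts whose breadth of chart access exceeds the constructed threshold."""
        return sorted(u for u, n in self.patients_read_per_user().items() if n > threshold)


def demo() -> dict:
    """Least privilege and expiry in action; returns the outcomes for checking."""
    gov = AccessGovernor(start=datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc))
    gov.grant("dr_lee", "physician", "patient-001", ttl=timedelta(hours=1))
    gov.grant("nurse_kim", "nurse", "patient-001", ttl=timedelta(hours=1))
    results = {
        "physician_read": gov.check("dr_lee", "patient-001", "ehr:record", "read")[0],
        "nurse_prescribe": gov.check("nurse_kim", "patient-001", "ehr:prescription", "write")[0],
        "other_patient": gov.check("dr_lee", "patient-002", "ehr:record", "read")[0],
    }
    gov.advance(timedelta(hours=2))            # the one-hour grant has now lapsed
    results["after_expiry"] = gov.check("dr_lee", "patient-001", "ehr:record", "read")[0]
    results["audit_entries"] = len(gov.audit)
    return results


def insider_demo() -> list[str]:
    """One constructed account reads six different charts; a peer reads one."""
    gov = AccessGovernor(start=datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc))
    for i in range(6):
        pid = f"patient-{i:03d}"
        gov.grant("clerk_x", "nurse", pid, ttl=timedelta(hours=8))
        gov.check("clerk_x", pid, "ehr:record", "read")
    gov.grant("nurse_kim", "nurse", "patient-000", ttl=timedelta(hours=8))
    gov.check("nurse_kim", "patient-000", "ehr:record", "read")
    return gov.unusual_readers(threshold=3)


if __name__ == "__main__":
    print(demo())
    print(insider_demo())
```

The grant carries its own expiry, so "only as long as necessary" is enforced at decision time rather than depending on someone remembering to revoke it; the audit list is what the access-analytics step reads, and `revoke_all` is the response path once an account is flagged.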
To maintain HIPAA compliance, you must collect only as much data as needed to provide quality care. For this reason, you need to know what information is collected, stored, and shared. Then, you must be sure this data is protected. Security goes beyond just encrypting data in storage — appropriate access controls must be maintained.
While healthcare security challenges with telehealth might seem significant, it’s possible to protect patient privacy and achieve regulatory compliance with the right tools. Using a unified platform that offers a convergence of identity governance and access management enables healthcare organizations and vendors to deliver convenient and comprehensive healthcare without compromising patient privacy.