
How to secure patient records when multiple clinicians are involved.

Healthcare environments are busy and high pressured. Clinicians are expected to see a high number of patients in the shortest amount of time, making key health decisions, whilst simultaneously recording detailed and accurate patient records.

When multiple clinicians are involved in a patient’s care, there are likely to be several devices used to access and record medical care against patient records.


In 2020, hacking and IT incidents exposed healthcare information in 24.1 million breached records, which accounts for 91.2% of all breached records, an increase of 55% from 2019, with 37 states reporting more breaches in 2020 than in the previous year. Extracted from Media City News.

The Health Information and Portability Accountability Act (HIPAA) is there to protect patients and sets the standard for securing patient data used by healthcare providers. Organizations that deal with Protected Healthcare Information (PHI) must have network security measures and access control policies in place, together with monitoring and auditing processes, to ensure HIPAA compliance.


Relying on passwords, which are often weak or re-used, leaves systems wide open for attackers to gain access to personal data and records. In a healthcare environment it is vital that data remains secure and is available only to those who legitimately need it.

What can you do to become compliant?

You need a system where strong authentication is built in, allowing for a user-friendly experience for healthcare professionals to prove their identity before accessing PHI, whether they are head office based or remote.

Adopting cryptography-based multi-factor authentication (MFA) is the vital starting point for healthcare providers to comply with HIPAA.

There are two main options for cryptographic MFA available to healthcare organizations. One is Public Key Infrastructure (PKI) and the other is FIDO (Faster Identity Online). Both present very secure means of authentication.

FIDO is a cryptographic, high-security method of authentication that offers a simple user experience with minimal systems overhead. FIDO is based on a one-key-per-relying-party mechanism, so it works well in business-to-consumer or supplier relationships, where a user may need independently managed access to multiple service providers.

However, healthcare organizations require greater control of what employees access with a single managed credential. With traditional Public Key Infrastructure (PKI) certificates, extended functionality beyond MFA is available, including encrypted email and document signing. This requires more infrastructure but is especially useful functionality for the transfer of healthcare records between professionals, patients, and their families.
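The FIDO property described above, that the authenticator holds a separate key for each relying party and only signs after the second factor (a PIN) is presented, can be shown in a small model. This is an added illustration, not Intercede's or any FIDO authenticator's code; the relying-party IDs, the HMAC-based key derivation and the PIN check are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a FIDO-style device: one master seed on the device,
// from which a distinct key pair is derived for every relying party (RP).
// Constructed illustration; real authenticators differ in detail.
type Authenticator struct {
	seed []byte
	pin  string
}

// NewAuthenticator creates a device with a random seed and a user PIN.
func NewAuthenticator(pin string) *Authenticator {
	seed := make([]byte, 32)
	rand.Read(seed)
	return &Authenticator{seed: seed, pin: pin}
}

// keyFor derives the per-RP signing key as HMAC(seed, rpID) used as an
// Ed25519 seed, so two RPs never see the same public key (assumed scheme).
func (a *Authenticator) keyFor(rpID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, a.seed)
	mac.Write([]byte(rpID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Register returns the public key the RP stores for this user at enrolment.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	return a.keyFor(rpID).Public().(ed25519.PublicKey)
}

// signedData binds the challenge to the RP ID, so an assertion made for
// one RP cannot be replayed at another even if it were intercepted.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs the RP's challenge only after the PIN (second factor) is verified.
func (a *Authenticator) Assert(rpID string, challenge []byte, pin string) ([]byte, bool) {
	if !hmac.Equal([]byte(pin), []byte(a.pin)) {
		return nil, false
	}
	return ed25519.Sign(a.keyFor(rpID), signedData(rpID, challenge)), true
}

// Verify is the RP-side check against the public key stored at registration.
func Verify(rpID string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}
```

The contrast with the PKI model in the next paragraph is that a single certificate and key would be presented to every service, which is what makes one managed credential (and its revocation) span all of an employee's access.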

We are therefore seeing an increasing demand for hybrid systems to manage the combination of credentials for employees, contractors, suppliers, and patients.

Unified Credential Management

MyID® from Intercede is a credential management system (CMS) that enables organizations to deploy digital identities to their employees, contractors, and suppliers, helping them to meet stringent data protection regulations with a system that is easy for end users and administrators to access.

MyID provides effortless management of corporate digital identities throughout their lifecycle, easily issuing, revoking, and replacing digital identities within a defined policy framework for both PKI and FIDO devices.

MyID has market-leading PKI capabilities that let you give your users the ability to sign transactions, encrypt emails and authenticate securely to the systems and applications they need.

PKI keys and certificates are issued to individuals, not only on smart cards and USB tokens, but increasingly on smartphones and other ‘virtual smart card’ (VSC) devices. This enables convenient, strong authentication for everyone via their mobile devices without the need for additional hardware. MyID is designed to work with the systems you already have and to support your existing business processes, minimizing the impact on your infrastructure and speeding up deployment.

Once a credential has been issued to a healthcare worker, they can authenticate using the device with a PIN or biometric to log in and access PHI. With a multi-factor option, only the user holding the correctly credentialed device, plus the correct PIN or biometric, can access PHI. This largely eliminates the threat of a data breach through phishing, credential stuffing or other account takeover attempts.

Healthcare workers can access the relevant data via a wide range of secure devices, easily, simply and at scale – thereby adhering to the HIPAA Privacy Act and ensuring that those with the right access can obtain the information they need instantly.

Why should you choose MyID?

The MyID platform integrates with existing IT systems, giving you a credential management system that delivers the strongest forms of authentication but, importantly in this environment, quick and easy access for clinicians so that no time is lost retrieving patient records.

MyID is secure by design, incorporating multiple levels of security including role-based access control, secure private key generation, hardware protection and a signed audit trail. MyID connects to existing directories, certification authorities, identity management solutions and mobile device management systems.

Devices such as smart cards, USB tokens, VSCs, smartphones and tablets provide organizations with convenient form factors to securely store and use digital identities. Using MyID, employees, contractors, and suppliers have secure access to the information they need, within an audited, policy-driven management framework that helps you achieve regulatory compliance.

Read our white paper – Secure Healthcare Provision: Identity and Authentication

Trusted by Governments and Enterprises Worldwide

Where protecting systems and information really matters, you will find Intercede. Whether it's citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.