By Clive Riddle, July 19, 2019

LexisNexis Risk Solutions in collaboration with Information Security Media Group has released results from their recent survey of hospitals, medical groups and payers, in their new 18-page report The State of Patient Identity Management, which found 50% are confident they have the necessary controls in place to prevent unauthorized access to patient information, 58% believe their portal cybersecurity is above average (and only 6% feel they are below average), yet 35% don’t deploy multifactor authentication.

To digress, some insight into those results can be gained from reading last week’s mcolblog post by Kim Bellard on Our Dinning-Kruger Healthcare System, which discusses the Dunning Kruger effect involving “the cognitive bias that leads people to overestimate their knowledge or expertise,” illustrated in the world of NPR’s Lake Wobegon – where “all the children are above average.” 

88% of the organizations surveyed had patient/member portals, and 93% use username and password as the patient portal authentication method. 65% deploy multifactor authentication, with 39% using a knowledge-based Q&A for verification, 38% using email verification, and 13% deploy device identification. 65% report that their individual state budgets for patient identity management will not increase in 2019.

Here’s the top three cybersecurity takeaways of the report according to LexisNexis:

1. Traditional authentication methods are insufficient: As a result of many healthcare data breaches, hackers have access to legitimate credentials; users are also easily phished. Therefore, traditional username and password verification are considered an entry point, not a barrier, and alone cannot be relied upon to provide a confident level of security.
2. Multifactor authentication should be considered a baseline best practice: HCOs should rely on a variety of controls, ranging from knowledge-based questions and verified one-time passwords to device analytics and biometrics to authenticate users based on the riskiness of the transaction. The more risky the access request is, the more stringent the authentication technique should be.
3. The balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy: HCOs need to make it easy for patients and partners to access records while ensuring adequate data protection. To do this, an HCO's cybersecurity strategy should layer low to no-friction identity checks up front, making it easier for the right users to get through and layer more friction-producing identity checks on the back end that only users noted as suspicious would complete.