“The State of Patient Identity Management” Survey Analysis Shows Discrepancy in Cybersecurity Preparedness and Marketplace Reality

Healthcare Organizations are Overly Confident in their Security Measures to Protect Patient Data

LexisNexis® Risk Solutions has announced the results of the online survey conducted in collaboration with Information Security Media Group (ISMG) to investigate the cybersecurity trends in healthcare. The survey included responses from more than 100 participants from healthcare organizations (HCOs), including hospitals, physician group practices and payers in spring 2019.

“The State of Patient Identity Management” report highlights HCOs’ cybersecurity strategies, current best practices in patient identity management and investment plans for improvement. Moreover, the analysis of results demonstrates that HCOs have high levels of confidence in their cybersecurity preparedness despite most surveyed organizations using only basic user authentication methods in the face of an increasing number of patient identity theft and fraud instances in the marketplace. Specifically, the survey results showed:

  • 58% believe that the cybersecurity of their patient portal is above average or superior when compared to other patient portals
  • 93% use username and password as the patient portal authentication method
  • 65% deploy multifactor authentication
    • 39% use a knowledge-based Q&A for verification
    • 38% use email verification
    • 13% deploy device identification
  • 65% report that their individual state budgets for patient identity management will not increase in 2019

“There are some surprises in the results, particularly the higher than expected confidence that organizations have in regards to the security of their patient portal and telemedicine platforms given that only 65% deploy multifactor authentication,” said Erin Benson, director, market planning, Healthcare, LexisNexis Risk Solutions. “Multifactor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn’t catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users.”

Other industry reports show that healthcare data breaches increased 5% in 2018, affecting 15 million patient records. This is three times more than what was reported in 2017. There was also a record 1 billion bot attacks in the first quarter of 2018, and 44% of HCOs at large experienced crypto mining.

The top three cybersecurity takeaways of the report are as follows:

One –  Traditional authentication methods are insufficient: As a result of many healthcare data breaches, hackers have access to legitimate credentials; users are also easily phished. Therefore, traditional username and password verification are considered an entry point, not a barrier, and alone cannot be relied upon to provide a confident level of security.

Two –  Multifactor authentication should be considered a baseline best practice: HCOs should rely on a variety of controls, ranging from knowledge-based questions and verified one-time passwords to device analytics and biometrics to authenticate users based on the riskiness of the transaction. The more risky the access request is, the more stringent the authentication technique should be.

Three –  The balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy: HCOs need to make it easy for patients and partners to access records while ensuring adequate data protection. To do this, an HCO’s cybersecurity strategy should layer low to no-friction identity checks up front, making it easier for the right users to get through and layer more friction-producing identity checks on the back end that only users noted as suspicious would complete.

To access further details about the survey results and full analysis, download a free report.

Source:  LexisNexis Press Release