Educating Patients About Authentication
A Portal for EHR Access Raises Security Issues
When creating a patient portal that provides access to electronic health records, healthcare organizations must educate patients about the need for authenticating their identities, says Sharp HealthCare CIO Bill Spooner.
In an interview with HealthcareInfoSecurity's Howard Anderson (transcript below), Spooner notes that some patients have complained that the authentication method for Sharp's patient portal is cumbersome.
"It's a real communications issue to help the patients understand that we're trying to protect them," he notes. "And as we read in the press about some of the breaches that have happened, and seem to happen almost every week or every month, we want to relate to them that we're trying to ensure that it doesn't happen to them."
In the interview, Spooner also:
- Describes why the seven-hospital delivery system is investing in a mobile device management system;
- Discusses why patient Social Security numbers are now masked in Sharp's core information systems following a case involving two internal billers who fraudulently obtained credit cards;
- Outlines the organization's approach toward building its own health information exchange and eventually linking it to community and statewide exchanges.
Spooner has been CIO for more than 15 of his 30 years at Sharp HealthCare. Sharp was an early leader in electronic health records and has received several awards for its consumer website. In 2010, Sharp launched its mySharp portal to more closely engage its patients in their care. Spooner was the recipient of the 2009 John E. Gall Jr. CIO of the Year award.
HOWARD ANDERSON: For starters, please describe Sharp HealthCare.
BILL SPOONER: Sharp HealthCare includes seven hospitals located on four campuses all in San Diego County, California. We have about 15,000 employees, 2,600 affiliated physicians. We're the largest private employer in San Diego County. We have about $2.5 billion gross revenue. We're an integrated delivery network with a large multi-specialty medical group of 400 physicians and an 800-physician independent practice association affiliated with us. ...
ANDERSON: As CIO of such a large healthcare system, how much of your time is available to privacy and security issues?
SPOONER: I have a security team presently of five people that report to me. The time that I spend on it really varies, and I have to say that, fortunately, in the past six months to a year, I haven't had to spend a lot of time with this because we've done a good job. ... We spend a lot of time trying to evaluate requests that really [try] to stretch our fabric in terms of providers who need access to systems that technically we aren't comfortable with providing, just because of either HIPAA requirements or something similar. It's more on the policy side that I spend my time. I spend very little time in terms of the actual technical side. I've got a pretty strong team.
Top Security Priorities
ANDERSON: What is the top priority information security project for this year?
SPOONER: ... The top project is two-fold. [First,] it's really trying to find out how we can best provide all physicians, in a secure manner, access to our systems. Physicians have so many different roles. They may be medical staff members who practice entirely at Sharp, and we allow them access. They may be referring physicians who are not members of the medical staff, but they really need to see the information. So how do we find a safe, effective way of giving them access to the information?
[Second,] looking on the other dimension, it's the patient. As we're getting more into collaborative care, we want the patient to go online to look at their records. We've rolled out a portal within our multi-specialty medical group with 67,000 patients, and so we need to be able to provide a convenient access mechanism that still provides us the protection that we think we need. ... It's an interesting message when we're trying to explain to the patient as we put these controls in place to protect their information.
Patient Portal Security
ANDERSON: You've built your own patient portal. How are you handling authentication for that?
SPOONER: We're using a third-party product for the initial enrollment and that asks the patient questions ... about where they lived at a particular point in time or when they negotiated a mortgage contract, and things like that. It's information that only they would know essentially, and then on an ongoing basis, this system sends a token. Every time they log in, they enter their username and password and it texts them and phones them with a token.
ANDERSON: That's a code, right?
SPOONER: Yes, a number that they've got [a limited amount of time] to enter. ...
ANDERSON: What has the patient reaction to that been?
SPOONER: Well, that's probably more security than they find with their bank. The initial reaction hasn't been all that positive about it. They're doing it, but they say it's cumbersome, and as we've done surveys of our patients, that's one of the things they object to. We've been working though with our provider to try to streamline that process to them, not only in search of reliability but just to make it a little bit smoother in terms of the work flow. One of the interesting things was that, initially, the text message was coming through with some other number on the subject line, really a transaction number rather than the token number. So they were entering the wrong number. So we've changed that so that they're not confused about the number.
It's a real communications issue to help the patients understand that we're trying to protect them. And as we read in the press about some of the breaches that have happened, and seem to happen almost every week or every month, we want to relate to them that we're trying to ensure that it doesn't happen to them.
ANDERSON: On the physicians' side, is there a portal for them too?
SPOONER: Basically, physicians access our Citrix network and that's their portal. All of their applications are displayed under that environment.
ANDERSON: And how do you handle authentication for them?
SPOONER: Everybody has RSA tokens. We've started to use some of the soft tokens, so if people have iPhones, there are these little pieces of software that provide the token rather than having to carry the physical chip.
ANDERSON: Are you accommodating personally owned mobile devices - BYOD - yet?
SPOONER: We're accommodating them on a limited basis. We allow our physicians and management to have access for their e-mail, and we've got a separate inclusion list in which they enter their names. We allow the physicians to access the patient information if they can get it through Citrix. To date, we haven't put in any dedicated iPad-type applications. We know they're coming.
We're looking at the various mobile device management products, and we're nearing conclusion of the selection process and expect to bring that into place so that we can better track and manage the devices that are coming into the environment, because we know they're there.
ANDERSON: Is mobile device management a critical component of this whole movement to mobility, do you think?
SPOONER: We think it's got to be, because we're concerned about the device owner that also wants their personal applications, whether it's their Wall Street Journal subscription or their Sudoku puzzle, and to keep that available to them. At the same time, we want to protect our patient information.
ANDERSON: Will that mobile device management system enable you to monitor these devices whether they're personally owned or not?
SPOONER: To some extent, yes.
Health Information Exchange
ANDERSON: What about HIEs? Are you forming your own health information exchange?
SPOONER: We're implementing what we're calling an enterprise HIE using a commercially available product, and our approach to it is to be able to provide connectivity with any physician who has an EHR and practices in our hospital; they would be able to exchange information among themselves and exchange information with the hospital system. We would be the conduit for them out to a community-wide HIE. ... That's kind of our overall model.
ANDERSON: You're the first link, and then the regional HIE, statewide HIE and national from there?
SPOONER: Yes, and in San Diego at the University of California they were the lucky recipients of one of the Beacon grants and so they're working on the community HIE and this is all evolving. It's kind of hard to say how it will be five years from now, but right now we're working through not only the technology but the use case around that technology.
ANDERSON: Is your internal HIE up and running, and how do you handle patient consent?
SPOONER: It's very close to up and running. We have our hospital system loaded and we're getting close on having the main physician product loaded, but we're not quite there yet. The approach that we're taking with the enterprise HIE is similar to our internal systems, recognizing that we allow anyone with medical staff privileges to have access to the systems, which really provides them access to all patients, and we feel that we are covered by that under the business associate's provisions. In the enterprise HIE, they will see everything else. With the community HIE, we will require opt-in consent, specific consent, for any patient whose information is to go outside of our enterprise.
ANDERSON: You mentioned briefly in your presentation that you had an incident where some people in the patient financial services department were taking Social Security numbers and then getting credit cards and making some purchases. How did you detect that, and what advice would you give to others on preventing that from happening?
SPOONER: ... It was a patient, from my understanding, who got a bill and there was some police investigation involved and that's where they traced it.
ANDERSON: And what steps have you taken to prevent that from happening again?
SPOONER: The primary thing that we did was to mask Social Security numbers, because many of our systems had the full Social Security number on display. Our software vendors were very quick in helping us to respond to it, to put in masking so that all you see is the last four digits. In fact, they rolled that out to their product as a standard feature now, but there are some functions where you have to have the full Social Security numbers, for instance Medi-Cal, which is California's version of Medicaid. We have some special screens with separate access for people who have to deal with those functions; otherwise, the general population does not see a Social Security number. On top of that, we did a lot of education internally to emphasize that patient information is sacred.
ANDERSON: And that ongoing training, I assume, is very important when it comes to security in preventing breaches.
SPOONER: Absolutely, and in our environment we do some training with new employee orientation and then we do an annual refresher that everyone's required to do, and it's basically some web-based training, computer-based learning modules.