False Sense of Security
Interestingly, organizations appear to be overconfident in their
cybersecurity preparedness despite the growing number of
breaches occurring in the industry. Fifty-eight percent of organizations, for example, believe the cybersecurity of their online
patient portal is above average, according to a 2019 LexisNexis
State of Patient Identity Management Survey [4]. Likewise, LexisNexis found that 50 percent of survey respondents are confident
they have the necessary controls in place to prevent unauthorized access to patient information.
This confidence is ironic given the fact that 93 percent of respondents protect data with a basic username and password
that hackers can easily penetrate. Only 65 percent of survey respondents deploy multifactor authentication—often viewed as
a baseline protective measure—to prevent unauthorized access
to patient information via the telemedicine platform or patient
portal. Clearly, there’s a disconnect between perception and reality. Organizations perceive themselves as safe when, in fact,
they’ve never been more vulnerable to attacks.
Seven Best Practices for Patient Identity
The most secure organizations take a proactive and comprehensive approach to cybersecurity threats with a focus on identity
management. Consider the following seven best practices:
1. Change corporate culture. Adopt a mentality of ‘when we
get hacked,’ not ‘if we get hacked.’ Prioritize patient identity
management by devoting staff and resources to the effort.
Strike a balance between layered security controls that deter hackers and frustration-free access for patient engagement.
2. Make multi-factor authentication your baseline protection. For example, verify patient identity using name, date
of birth, and home address. Organizations increasingly
rely on a variety of sources—knowledge-based questions,
one-time passwords, email verification, facial recognition,
device analytics, or voice biometrics—to authenticate users
based on the criticality of the transactions.
3. Deploy step-up authentication, when necessary. For example, use low-friction verification when patients initially
log in to the portal and layer in high-friction verification
and authentication for transactions such as payments and
4. Adopt a cybersecurity framework. Combine elements of
multiple frameworks (e.g., NIST, HITRUST, ISO, or COBIT) into one set of guidelines or choose a single framework that works best for the organization.
5. Reduce duplicate records. Focus on patient matching to
ensure each patient has a single, comprehensive record that
organizations can secure and exchange with greater confidence.
6. Provide employee training. Test employees to ensure they
can recognize and avoid email phishing scams, vendor
spoofing (i.e., an attacker posing as a vendor on a service
call), and IT/IS spoofing (i.e., an attacker posing as internal
IT or IS staff). Teach them to verify identity and obtain
call-back information prior to answering any questions
requiring disclosure of protected health information.
7. Think outside the box. Cybersecurity isn’t only verifying
patient identity for patient access. It’s also about validating
employees and vendors. Any point of entry into a system
should be protected.
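The step-up approach in practices 2 and 3, sketched as an added example that is not part of the original article: a portal session records which factors a patient has passed, and each action demands a number of distinct, recently verified factor categories. The factor names come from the article's list; the category mapping, the policy table, and all function and action names other than payments are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Factor -> category. Factor names follow the article's list; the mapping
# to knowledge/possession/inherence is an assumption of this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "knowledge_questions": "knowledge",
    "one_time_password": "possession",
    "email_verification": "possession",
    "device_analytics": "possession",
    "facial_recognition": "inherence",
    "voice_biometrics": "inherence",
}

# Hypothetical policy: action -> (distinct categories required, max age in seconds).
POLICY = {
    "login": (1, 8 * 3600),              # low friction at initial login
    "view_appointments": (1, 8 * 3600),
    "payment": (2, 300),                 # the article names payments as high friction
}
# Actions missing from the policy fail closed to the strictest rule.
STRICTEST = max(POLICY.values(), key=lambda p: (p[0], -p[1]))


@dataclass
class Session:
    verified: dict = field(default_factory=dict)  # factor name -> time verified

    def record(self, factor, now):
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor: {factor}")
        self.verified[factor] = now


def step_up_needed(session, action, now):
    """Return the categories that would satisfy a step-up, or [] to allow."""
    required, max_age = POLICY.get(action, STRICTEST)
    # Count categories, not factors: a password plus knowledge questions is
    # still a single category and does not meet a two-category requirement.
    fresh = {FACTOR_CATEGORY[f] for f, t in session.verified.items()
             if 0 <= now - t <= max_age}
    if len(fresh) >= required:
        return []
    return sorted(set(FACTOR_CATEGORY.values()) - fresh)
```

Times are plain seconds supplied by the caller, so the freshness window can be exercised without a clock.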
The time to act is now. Organizations need to acknowledge
and address security vulnerabilities before an attacker takes advantage of their data and their patients.
1. Brook, Chris. “Breached Healthcare Records Tripled in 2018.”
Data Insider, Digital Guardian blog. February 13, 2019. https://
2. Davis, Jessica. “Healthcare Cyberattacks Cost $1.4 Million on
Average in Recovery.” Health IT Security, January 22, 2019.
3. Snell, Elizabeth. “78% of Providers Report Healthcare Ransomware, Malware Attacks.” Health IT Security, December
12, 2017. https://healthitsecurity.com/news/78-of-providers-
4. LexisNexis. “The State of Patient Identity Management.”
Erin Benson, MA, MBA, director, market planning at LexisNexis Risk
Solutions, works with a focus on the development and execution of
strategic planning for member identity and socioeconomic determinants of health solutions.