Monday, March 15, 2021
Perspectives from the Field Series
The strength of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the Indiana Executive Council on Cybersecurity (IECC). Hence the name "Perspectives From the Field Series" in which we invite experts to discuss the real and challenging issues we are facing in the field and the proposed solutions from the experts to better the lives and businesses of all Hoosiers.
In the third installment of our series, our focus is centered on "Patient Safety Awareness Week." In recognition of this campaign, Valita Fredland offers her thoughts -- as an experienced information privacy and security professional -- about the importance of protecting a patient's personally identifiable information (PII) and preserving the privacy of their medical records, as mandated by federal law.
Last semester, I was helping my daughter set up a new e-mail account that she could use for her college search process. As an information privacy and security professional, I take such tasks seriously. E-mail is a common way for criminals to steal Personally Identifiable Information (PII) and credentials that can then be used to commit other crimes. Therefore, when my daughter and I set up her new e-mail, I selected the two-factor authentication sign-in option. My daughter accused me of being an overzealous privacy professional (true that) and of implementing crazy cybersecurity protection that makes it too hard for her to access her account.
In recognition of Patient Safety Awareness Week, I thought I'd share the explanation that I gave to my daughter about why using two-factor authentication for ANY account with PII is not crazy. Patient information is some of the most sensitive PII. With advances in technology, patients have growing control over their digital electronic health records; patients can request digital copies of their medical records from their health care providers; they can store their records themselves, and share the records with others. No matter where patient records are stored, the login access should have two-factor authentication.
Two-factor authentication is a cybersecurity method of verifying that you are who you say you are, so that even if your username and password fall into the hands of criminals, they cannot pretend to be you and log in to your accounts. For example, when a patient logs into a patient portal to access a provider's medical records, the patient first enters a username and password. Then, as added security, the medical records system sends a temporary code through a second channel, often a text message, phone call or e-mail, and the patient must enter that code before access to the records is granted. Simple, right?
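The password-then-temporary-code step described above, as an added example (not code from this post or from any portal vendor): a server-side challenge object that issues a six-digit code and accepts it only once, only within an assumed five-minute lifetime, and only within an assumed three guesses, so a stolen password alone never opens the record. Delivering the code by text, call or e-mail is assumed to happen elsewhere.

```python
import hmac
import secrets
import time

# Assumed policy values for this example (not stated in the post): a five-minute
# code lifetime and a limit of three guesses per challenge.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class SecondFactorChallenge:
    """The 'temporary code' step of a patient-portal login.

    After the username and password are accepted, the portal creates one of
    these, sends `code` to the patient over a separate channel (text, call or
    e-mail) and grants access only once verify() has returned True.
    """

    def __init__(self, username, now=None):
        self.username = username
        # Six decimal digits from the OS CSPRNG; never derived from the password.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = time.time() if now is None else now
        self.attempts = 0
        self.used = False

    def verify(self, submitted, now=None):
        """Return True exactly once: for the right code, within its lifetime."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False  # single-use, and locked after too many wrong guesses
        if now - self.issued_at > CODE_TTL_SECONDS:
            return False  # expired: the patient must request a fresh code
        self.attempts += 1
        # Constant-time comparison so response timing reveals nothing about the code.
        if hmac.compare_digest(self.code, str(submitted)):
            self.used = True
            return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: a correct code works once, then is rejected.
    challenge = SecondFactorChallenge("patient@example.test", now=1000.0)
    print(challenge.verify(challenge.code, now=1030.0))  # True
    print(challenge.verify(challenge.code, now=1031.0))  # False (already used)
```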
Even though two-factor authentication like this is simple to use, only about 10 percent of users set it up for their accounts. Why, might you ask? Well, I think my daughter's complaint, "it takes too long!", is the most common one. So, we tested it. For most of the accounts we tried, this extra authentication factor added no more than 10 seconds to logging in.
While there are certain nuances among two-factor systems that can cause hiccups and frustrations, they are likely less frustrating than having your data stolen or misused. And usually, this important security method is both simple and easy.
So, here's to you, and all of us who are patients! To celebrate Patient Safety Awareness Week, companies responsible for the privacy and security of sensitive PII, such as patient information, should make two-factor authentication available for their systems, and patients and other users of accounts with sensitive PII should turn on two-factor authentication. It's not crazy!