Top strategies for securing access to EHRs

Prioritize frictionless authentication

Nandini Vyakaranam, principal product manager at RSA, noted the importance of unimpeded access for providers to do their jobs.

"If it fails, the stakes are quite high," Vyakaranam said. "We need to make sure one of the top critical capabilities is that the system, the access, is always available, and it is resilient."

But unfettered access isn't realistic either. "There really needs to be a balance struck between that seamless access that practitioners need when they're face-to-face with a patient and the security that's required," said Dan Cinnamon, distinguished security advisor at Okta, an identity and access management company.

Also critical is an easy login flow, according to Vyakaranam. "We cannot expect a doctor or a nurse to go over a 1-minute authentication flow," she said. "It has to be frictionless, and at the same time it has to be very secure."

Security and authentication methods are evolving due to government initiatives like the 21st Century Cures Act, which aims to bring advances to patients faster and enable seamless sharing of electronic health information.

Cinnamon recommended implementing security policies around an established cybersecurity framework like that of the National Institute of Standards and Technology. These security measures differ only based on the level of risk, Cinnamon said. 

Although managing access to EHRs is similar to other types of systems, Cinnamon would classify EHRs as a high-risk application like financial records, he said.

"There are some very specific use cases because of practitioners' environments, but in a lot of ways, I would advise treating [the EHR] like a highly sensitive application at a high assurance level," Cinnamon said.

Although other systems such as billing must have high security standards as well, all security modules should be up to date when securing the sensitive protected health information of an EHR, Vyakaranam said.

That includes up-to-date Federal Information Processing Standards releases and Transport Layer Security, a cryptographic protocol that ensures communication channels between a client and server are secure. Cryptographic modules encrypt and store data at rest.

Role-based access control 

With role-based access control, organizations restrict access to systems depending on an individual’s position in an organization. Identity management systems incorporate lists of various roles and specify what access users have based on their responsibilities.

Health systems grant various levels of EHR access to administrators, pharmacists and telehealth providers. Nurses might have a NIST assurance level 3 compared with a billing clerk who would have a "very low" assurance level, according to Vyakaranam.

Encryption

Encryption is basic for EHR security. It's "table stakes," according to Cinnamon.

"A lot of the latest HL7 standards are requiring an application calling to an EHR to use public-private key mechanisms to authenticate itself," Cinnamon said.

Cinnamon explained how public/private key encryption differs from a legacy EHR system collecting and transmitting a password over a network.

"In contrast, public/private key encryption allows the user's secret credential to remain safely on a physical device -- either on the device running the EHR client software or on a USB key carried by the practitioner," Cinnamon said. "When the user wishes to log in to the EHR, their private secret/key is used to digitally sign a small bit of non-secret information that is sent to the identity system."

The identity system then validates the digital signature.

Zero trust

The zero-trust security model consists of a "never trust, always verify" approach. The framework provides criteria on when to provide access based on the location of the clinician, time of day, device posture and access pattern behavior, according to Vyakaranam.

"We apply those algorithms and that intelligence behind the scenes to say that, OK, we are aware of the context," Vyakaranam said.

Multifactor authentication challenges are a method of maintaining a zero-trust strategy.

Multifactor authentication

Multifactor authentication typically combines steps such as a token or a badge plus a password, or a mobile push.

"These are multiple ceremonies that a person has to go through," Cinnamon said. "They have to type something in and then do something else, and then maybe type something in again."

However, multifactor authentication is now moving beyond a password plus another authentication method to require one step, like a fingerprint, which can prove two factors at the same time, Cinnamon explained.

Meanwhile, the Fast IDentity Online 2 standard from the FIDO Alliance provides guidelines on how to authenticate with passkeys. FIDO2 uses cryptographic algorithms to produce private and public passkeys.

"If we're not smart about multifactor authentication, we're going to put a whole lot of undue burden on that practitioner, and all sorts of bad things happen," Cinnamon said.

Cinnamon advised that health systems offer flexibility in the type of access they provide.

"A lot of times, organizations struggle with MFA because they're overly rigid in what they allow practitioners to use," Cinnamon said.

A doctor could log in to an EHR using a FIDO key followed by facial recognition, Vyakaranam noted.

"It is as simple as tapping on the key and entering the EHR system," Vyakaranam said.

Vyakaranam said the FIDO passkey is the "gold standard" because it’s phishing resistant and easy to use. QR codes can be used in a mobile app with validation around the biometric in the background.

Blockchain

Blockchain technology, in which encrypted blocks of text are organized in chains, could help secure access to EHRs while still ensuring interoperability.

A study in the International Journal of Environmental Research and Public Health discussed how blockchain technology could decentralize data to avoid poor interoperability and data leaks in EHRs.

"Due to the decentralization of data management, each node can have a complete copy of the blockchain such that all data access is completely transparent to every node in the blockchain, making it impossible to furtively tamper with data without knowledge of the other nodes," the report stated.

"Privacy and security of blockchain means encrypting the data stored in the block with hash functions, such as the SHA-256 encryption algorithm," according to the study.

Mobile drivers' licenses

Mobile drivers' licenses could authenticate healthcare users as artificial intelligence takes off, Cinnamon predicted.

Mobile drivers' licenses "are a form of identity verification that is done when enrolling an authenticator, like a password, or a mobile MFA device," Cinnamon said. "It's used to securely bind the password/push/device to you as a person."

A practitioner may use a mobile driver's license to enroll in an e-prescribe credential, according to Cinnamon.

"The DEA requires this identity verification process to occur when enrolling for e-prescribe credentials," Cinnamon said.

A look ahead at secure EHR access

Vyakaranam sees the healthcare industry adopting a passwordless approach, like in finance, because it provides a frictionless experience for the clinician to gain entry to the EHR while providing better security than traditional authentication methods such as passwords. 

Going forward, secure EHR access will be on "essentially any device, anywhere, anytime," Cinnamon said. Today, that includes "EHR access within institutions, on thin clients, on a virtual desktop infrastructure into a Windows server that’s running an EHR," he said.

Expect to see a shift to more access on mobile devices such as tablets, Cinnamon predicted.

"That opens up a whole new set of concerns because it's not quite so locked down anymore," he said. "I think a lot of the strategies we take around zero trust and dynamic access based upon context and all that is going to continue to be super important going forward."

Brian T. Horowitz started covering health IT news in 2010 and the tech beat overall in 1996.