Protecting Patient Data: 4 EBPP Solution Security Best Practices

August 13, 2012 Brian Watson

When it comes to online payment software, much of the focus (from both solution providers and healthcare organizations) tends to revolve around the impressive effects it can have on financial operations: from speeding statement presentment and balance payment, to eliminating common billing materials and processing overhead, to boosting customer service efficiency.  (And we’re certainly guilty of placing the lion’s share of our attention on that angle in our blog articles as well.)

But perhaps the most important place to start the comparison among eStatement solutions is security and compliance.  Ensuring that your EBPP solution provider has a detailed, documented, tested, and verified set of security processes to protect Protected Health Information (PHI), backed by the technology needed to enforce those standards, is beyond critical.

That’s because the costs of non-compliance are considerable, and growing.  The 2009 HITECH Act and the 2010 Affordable Care Act have already put into practice, or soon will, a slate of new rules and regulations that not only bring greater scrutiny of business associates and new operating rules for financial transactions, but also tougher breach-notification rules and stricter enforcement across the board.

Staving Off the High Cost of Data Spills

As a result, the costs associated with security violations are near all-time highs.  The Ponemon Institute, a security research firm, reports that the average cost per record to remedy a healthcare breach in 2011 was $240.  That’s $46 more per record than the average across all industries.

And under the HITECH legislation, penalties can be higher still: organizations can be fined up to $1,500,000 per calendar year for violations of the same HIPAA provision, and are also on the hook for the cost of notifying every patient whose records have been compromised.

With security of PHI so important, both financially and in terms of patient and public relations, it’s critical that your EBPP solution provider offer best-in-class data security and application protection.  To ensure that you’re fully covered, look for the following security attributes:

1). Full Regulatory Compliance.  Long gone are the days when online data safety meant antivirus software and a firewall.  Advanced security, from encryption of data at rest on servers and in databases and of files in transit (SFTP or FTPS rather than plain FTP, which sends credentials and file contents in the clear) through robust application protection, is now an EBPP given.  Without getting too technical, you should ensure that your provider has a thorough, documented, HIPAA-focused security process and controls plan (one that includes protocols for everything from file upload through record disposal), and the compliance bona fides to prove it.

In addition to a verified HIPAA security process and controls plan, you should ensure that your provider complies with the Payment Card Industry Data Security Standard (PCI DSS), which applies to anyone who stores, processes, or transmits cardholder data, and has passed an independent service-organization audit (SAS 70 Type II, or its 2011 successor, SSAE 16 / SOC 1).  Although those are a solid start, healthcare-specific security credentialing shows an additional commitment to PHI protection.  For example, third-party groups such as HIMSS and EHNAC offer accreditation to organizations with truly best-of-breed security processes.  Shopping with those certifications in mind is a solid way to bolster the security standards of your online payment software.

2). Secure Patient Enrollment.  Strong application security starts with a rock-solid patient enrollment and password setup process.  We suggest a multi-tiered registration, where the patient first agrees to a disclosure policy, then verifies account information that only the legitimate patient should know (such as service location and guarantor/account number), before establishing a username, password, email address, and secret question for password recovery.  (Treat the secret question as a supplement to email-based recovery rather than the sole factor: answers such as a mother’s maiden name or a first pet are often guessable or discoverable.)  Finally, adding email verification is a good way to close the registration loop, confirm that the address really belongs to the patient, and ensure that the portal’s emails actually reach the patient (instead of being caught by a spam filter on the way to their inbox).
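As an added example (not code from the original post or from any EBPP product), here is the enrollment flow above reduced to its security-relevant core in Python: the disclosure and account checks gate the step, and the email verification link carries a random, single-use, expiring token whose hash is stored instead of the token itself, so a copy of the pending-enrollment table cannot be replayed. The in-memory PENDING and VERIFIED stores, the 24-hour lifetime, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory stores standing in for the portal's database.
PENDING = {}            # username -> pending verification record
VERIFIED = set()        # usernames whose email address has been confirmed
TOKEN_TTL_SECONDS = 24 * 60 * 60   # assumed lifetime of a verification link


def _token_digest(token):
    # Only the hash is stored; the raw token exists solely in the email.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def start_enrollment(username, email, accepted_disclosure, account_verified, now=None):
    """Steps 1-3 of the multi-tiered registration: disclosure policy,
    account verification, then credential setup.  Returns the raw token
    that would be embedded in the verification email."""
    if not accepted_disclosure:
        raise ValueError("patient must accept the disclosure policy first")
    if not account_verified:
        raise ValueError("service location / guarantor number did not match")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
    PENDING[username] = {
        "email": email,
        "token_digest": _token_digest(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def confirm_email(username, token, now=None):
    """Step 4: the link in the email returns the token.  True on success;
    the token is rejected if unknown, expired, wrong, or already used."""
    now = time.time() if now is None else now
    record = PENDING.get(username)
    if record is None:
        return False
    if now > record["expires_at"]:
        del PENDING[username]                    # expired: force re-enrollment
        return False
    # Constant-time comparison of the digests avoids leaking match length.
    if not hmac.compare_digest(record["token_digest"], _token_digest(token)):
        return False
    del PENDING[username]                        # single use
    VERIFIED.add(username)
    return True


if __name__ == "__main__":
    link_token = start_enrollment("jdoe", "jdoe@example.com", True, True)
    print("verified:", confirm_email("jdoe", link_token))
    print("replay accepted:", confirm_email("jdoe", link_token))
```

The point of storing the digest rather than the token is the same as for passwords: a leaked pending-enrollment table must not let an attacker finish someone else's registration.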

3). Strong Passwords.  Secure EBPP solutions depend on the strength of patients’ passwords.  Unfortunately, relying on patients to come up with resilient passwords on their own is a recipe for application security issues.  According to ESET, a leading antivirus vendor, the two most popular online user passwords are “password” and “123456” (followed closely by other less-than-unbreakable options like “letmein” and “111111”).

To ensure password security, establish base password guidelines that require combinations long, complex, and unpredictable enough to resist guessing and brute-force attacks, reject known-common passwords such as the ones above outright, and present patients with a password strength advisor during account setup to show whether a candidate passes muster.  For example: all patient passwords should be, at an absolute minimum, 8 characters long (10 to 14 characters is better).  In addition, they should mix letters and numbers and, where possible, upper and lower case letters.  Pair the policy with throttling or lockout on repeated failed logins, since no password rule holds up against unlimited online guessing.
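The guidelines above as an added Python example (not the original post’s code): a checker that enforces the minimum length and the letters-plus-digits rule, rejects the common passwords named earlier, and returns a coarse strength label for the setup page’s advisor. The blocklist is constructed for the example and a deployment would load a far larger one; the two extra rules, rejecting passwords that contain the username and passwords built from one or two repeated characters, go beyond the article’s stated policy.

```python
import re

# Constructed blocklist of the weak choices named in the article; a real
# deployment would load a much larger list (for example, passwords seen in
# public breaches).
COMMON_PASSWORDS = frozenset({
    "password", "123456", "letmein", "111111", "12345678", "qwerty", "abc123",
})

MIN_LENGTH = 8      # the article's absolute floor
IDEAL_LENGTH = 10   # lower end of the 10-14 character range it recommends


def check_password(candidate, username=None):
    """Validate a proposed patient password against the base policy.

    Returns (ok, problems, strength): ok is False if any rule failed,
    problems lists the failed rules in plain language for the setup page,
    and strength is "fair", "good" or "strong" for an accepted password
    (or "rejected").
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digits")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if len(set(candidate)) <= 2:                 # catches "111111", "aaaa1111"
        problems.append("uses only one or two distinct characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if problems:
        return False, problems, "rejected"
    return True, [], strength_label(candidate)


def strength_label(candidate):
    """Coarse advisor score: rewards length and character variety beyond
    the minimum the policy already enforces."""
    score = 0
    if len(candidate) >= IDEAL_LENGTH:
        score += 1
    if len(candidate) >= 14:
        score += 1
    if re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate):
        score += 1
    if re.search(r"[^A-Za-z0-9]", candidate):
        score += 1
    return ("fair", "fair", "good", "strong", "strong")[score]


if __name__ == "__main__":
    for pw in ["password", "123456", "aaaa1111", "summer2012", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw))
```

Run the check server-side as well as in the browser: the client-side advisor is for feedback, and the server-side check is the one that actually enforces the policy.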

4). Application Rights and Role Management.  When it comes to online payment software, the patient side of the equation tends to get the majority of security-related attention.  But ensuring that your customer service users are properly registered, tracked, and managed is just as critical from an application protection standpoint.

Best-practice eStatement solutions offer master administration rights that enable qualified managers to create users and assign privileges that automatically classify (and restrict) which areas of the EBPP portal each user can access.  In addition, your EBPP solution should enable administrators to look up users, add or remove user privileges, delete entire profiles, and reset user passwords (an administrator should be able to trigger a reset, but never to view a stored password; passwords should be stored only as salted hashes).  Finally, in order to remain compliant and fully protected, an audit trail of all customer service user activity, including denied attempts, should be available for master administrators to review when needed.
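An added Python example (not the original post’s or any product’s code) of the administration model described above: only master administrators can create users, grant or revoke privileges, delete profiles, trigger password resets, or read the audit trail; ordinary access checks are deny-by-default; and every action, allowed or denied, is appended to the trail without ever recording a secret. The permission names, the in-memory user table, and the method names are constructed for the example.

```python
import secrets
from datetime import datetime, timezone

# Constructed permission names for areas of the portal; the article names
# the capability, not any real product's privilege identifiers.
PERMISSIONS = frozenset({
    "statements.view", "payments.view", "payments.refund", "users.manage",
})


class AccessDenied(Exception):
    pass


class Portal:
    """Deny-by-default rights management with an audit trail of every
    customer-service and administrative action."""

    def __init__(self, master_admin):
        self.users = {master_admin: {"master": True, "perms": set()}}
        self.audit = []

    # -- audit trail ---------------------------------------------------
    def _log(self, actor, action, target, allowed, detail=""):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action, "target": target,
            "allowed": allowed, "detail": detail,
        })

    def _require_master(self, actor, action, target):
        # Unknown actors and non-master users are both refused and logged.
        if not self.users.get(actor, {}).get("master"):
            self._log(actor, action, target, False, "not a master administrator")
            raise AccessDenied(f"{actor} may not {action}")

    def _get(self, username):
        if username not in self.users:
            raise ValueError(f"no such user: {username}")
        return self.users[username]

    # -- administration (master administrators only) -------------------
    def create_user(self, actor, username, perms=()):
        self._require_master(actor, "create_user", username)
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        if username in self.users:
            raise ValueError(f"user exists: {username}")
        self.users[username] = {"master": False, "perms": set(perms)}
        self._log(actor, "create_user", username, True, ",".join(sorted(perms)))

    def grant(self, actor, username, perm):
        self._require_master(actor, "grant", username)
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        self._get(username)["perms"].add(perm)
        self._log(actor, "grant", username, True, perm)

    def revoke(self, actor, username, perm):
        self._require_master(actor, "revoke", username)
        self._get(username)["perms"].discard(perm)
        self._log(actor, "revoke", username, True, perm)

    def delete_user(self, actor, username):
        self._require_master(actor, "delete_user", username)
        self._get(username)
        del self.users[username]
        self._log(actor, "delete_user", username, True)

    def reset_password(self, actor, username):
        """Issue a one-time temporary password the user must change on next
        login.  The secret itself is returned to the caller and never
        written to the audit record."""
        self._require_master(actor, "reset_password", username)
        self._get(username)["must_change_password"] = True
        self._log(actor, "reset_password", username, True)
        return secrets.token_urlsafe(12)

    # -- everyday use --------------------------------------------------
    def authorize(self, username, perm):
        """Deny by default: only an explicitly granted permission passes."""
        allowed = perm in self.users.get(username, {}).get("perms", set())
        self._log(username, perm, "-", allowed)
        if not allowed:
            raise AccessDenied(f"{username} lacks {perm}")
        return True

    def audit_trail(self, actor, username=None):
        """Master administrators may read the trail, optionally per user."""
        self._require_master(actor, "audit_trail", username or "*")
        return [e for e in self.audit if username is None or e["actor"] == username]
```

Logging the denied attempts alongside the allowed ones is what makes the trail useful for an investigation: a customer-service account probing for refund rights it was never given shows up immediately.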

The bottom line: sleek online patient statement presentment and balance payment tools are ideal for accelerating revenue and making billing operations more efficient.  But given the costs and risks of PHI leaks, back-end application security is an essential starting place for solution evaluation.

Do you have additional eStatement security questions after reading this post?  We’d be more than happy to act as a sounding board.  Simply contact us today.

Do you use a different patient registration process?  Or alternate password guidelines?  Tell us how your EBPP solution handles PHI security.
