By John Harris, SVP of product management, SIGNiX
The healthcare industry is a permanent and blaring target to the hunters of the dark web – a danger which healthcare IT professionals must be constantly prepared to meet on the virtual field of battle.
With some of the most significant data breaches of all time reported in the last year – such as those at Premera Blue Cross, Anthem, and most recently UCLA Health System – medical identity theft is a red-hot issue among the healthcare community. And it’s only getting hotter.
According to a study released in February 2015 by Ponemon Institute, medical identity theft incidents increased 21.7 percent in 2014 over the prior year, with an estimated 2.32 million Americans victimized last year.
And the healthcare industry was hit hard. A separate study released by Ponemon in May 2015 found more than 90 percent of healthcare organizations studied suffered a data breach. Forty percent of them experienced more than five data breaches within the past two years.
The Role Of E-signatures In Data Security
Safeguards to prevent a data breach are not limited to network infrastructure or the security efforts of an EHR system. They cover the spectrum of digital technology used by a healthcare organization including electronic signatures, whose use is on the rise.
E-signatures are becoming more integral to the healthcare industry due to the rising prevalence of electronic health records and other digital processes and the long-sought decline of paper-based processes like faxing. Today, e-signatures are used in transactions relating to care coordination, referral management, Medicare and private payer billing, controlled substance prescriptions, and obtaining informed consent.
These documents live in cyberspace, where they are transported and signed, and often contain a collection of one’s most sensitive, personally identifiable information. Because it is critical to identify individuals with the highest levels of certainty, the contents of many e-signed documents may contain an accurate address, date of birth, Social Security number, phone numbers, email addresses, information about family members, financial information and much more.
Indeed, for e-signatures in healthcare, the stakes are incredibly high.
E-signatures Equipped For A Threatening Environment
Though e-signatures generally work toward the same end, their technical makeup varies widely, and that makeup can either enhance or endanger a strong HIT security strategy.
The foremost distinction between e-signature technologies well equipped to operate in a high-pressure cyber environment and those that are not is the level of independence inherent in the technology. That is, e-signatures that can cut all ties with their vendor while remaining forever valid offer a much stronger defense against identity theft.
Where some technologies use an image of a signature in a PDF document and store the remaining legal, cryptographic evidence on an external server or file, independent e-signatures embed the cryptographic evidence of a signature directly into a signed document – permanently. There is no need to link back to a vendor to verify a signature.
This technology meets heightened encryption and security standards set by international organizations, and it allows providers to host documents on their servers only – the e-signature vendor’s copies of signed documents can be digitally shredded, i.e., completely destroyed without a trace of metadata, because there’s no need to keep a link to this information. This means one less point-of-access for a cybercriminal to breach and heightened control by healthcare providers and IT managers, who have sole control over the storage and usage of the electronic documents.
Another essential component of secure, independent e-signature technologies is a robust identity authentication system, which can verify that the person signing a document is actually who she says she is. In fact, independent e-signature technology offers a range of authentication options, and anyone in the healthcare industry would be well-advised to consider multiple levels of identity authentication before granting access to documents. For example, a signer can be required to enter a one-time PIN access code received via a text message, or to pass a knowledge-based authentication process. The latter requires signers to answer questions, drawn from public databases, about personal information not readily found in a wallet or social media profile, such as the make and model of a car registered for license tags years ago or past home addresses.
Tamper-evident technology is another key component of protecting e-signatures from medical identity fraud. This technology tracks and records changes throughout the entire signing process (not just after all parties have signed) and will alert users in real time to any changes that have occurred in a document, which could indicate foul play.
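An added illustration of the tamper-evidence idea above (not SIGNiX's code or design): a signing trail in which each entry commits to the document digest and to the previous entry, so a change made between two signers, or after the last one, shows up at verification. The signer names, keys and consent text are constructed, and HMAC stands in for the public-key signature a real product would use.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed keys; HMAC stands in for each signer's public-key signature (assumption).
KEYS = {"patient": b"constructed-key-1", "physician": b"constructed-key-2"}

def _seal(entry, key):
    body = {k: entry[k] for k in ("signer", "doc_sha256", "prev")}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def add_entry(trail, signer, key, document):
    """Record what this signer saw: the document digest plus a link to the previous entry."""
    entry = {"signer": signer,
             "doc_sha256": hashlib.sha256(document).hexdigest(),
             "prev": trail[-1]["seal"] if trail else GENESIS}
    entry["seal"] = _seal(entry, key)
    return trail + [entry]

def verify(trail, keys, final_document):
    """Return findings; an empty list means no change was detected."""
    findings, prev = [], GENESIS
    for i, e in enumerate(trail):
        key = keys.get(e["signer"])
        if key is None or not hmac.compare_digest(_seal(e, key), e["seal"]):
            findings.append(f"entry {i}: seal invalid")
        if e["prev"] != prev:
            findings.append(f"entry {i}: chain broken")
        if i and e["doc_sha256"] != trail[i - 1]["doc_sha256"]:
            findings.append(f"entry {i}: document changed before {e['signer']} signed")
        prev = e["seal"]
    if trail and hashlib.sha256(final_document).hexdigest() != trail[-1]["doc_sha256"]:
        findings.append("document changed after last signature")
    return findings

def demo():
    original = b"Informed consent: procedure A"   # constructed sample text
    altered = b"Informed consent: procedure B"
    clean = add_entry(add_entry([], "patient", KEYS["patient"], original),
                      "physician", KEYS["physician"], original)
    swapped = add_entry(add_entry([], "patient", KEYS["patient"], original),
                        "physician", KEYS["physician"], altered)
    return (verify(clean, KEYS, original),    # untouched
            verify(swapped, KEYS, altered),   # changed between the two signers
            verify(clean, KEYS, altered))     # changed after signing

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the trail records the digest at every signing step, the verifier can say at which point in the process the document changed, not only that the final copy differs.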
E-signatures cannot prevent data breaches outright. But as the healthcare community further embraces its electronic future, implementing well-thought-out technology that gives providers control and security becomes even more pressing. The wrong e-signature technology could tilt the odds in the hacker’s favor.
About the author
John Harris is the senior vice president of product management at SIGNiX, an electronic signature solutions provider that makes signing documents online safe, secure, and legal for any business. SIGNiX offers an independently verifiable cloud-based digital signature solution, which combines workflow convenience with superior security.