Protecting truckloads of data on the information superhighway

SSL Journal


SSL Journal Authors: Gilad Parann-Nissany, Liz McMillan, Lori MacVittie, Mark O'Neill, RealWire News Distribution


Patient Portal Puts a Spotlight on Secure Messaging


Healthcare professionals participating in the Centers for Medicare & Medicaid Services electronic health record (EHR) incentive program will soon need to demonstrate compliance with the Stage 2 Meaningful Use requirements in order to continue receiving incentive payments. Stage 2 requires expanded use of patient portals, as well as implementation of secure messaging, allowing patients to exchange information with physicians regarding their health care.

Given the Health Insurance Portability and Accountability Act (HIPAA) requirement for secure communication of Protected Health Information (PHI), a spotlight has been placed on the support for secure messaging. Healthcare professionals, hospitals and their technology vendors need to ensure appropriate security measures are in place to avoid jeopardizing incentive payments, or they risk receiving financial penalties for non-compliance.

Secure Messaging Requires Authentication and Secure Networks

Messaging solutions are applications within portals; as such, they are as secure as the portals, networks, policies and protocols that support them. The integrity of patient-provider secure messaging is based in great part on the comprehensiveness of policy, network and data warehousing security measures.

Policy measures are based on procedures within healthcare facilities and anticipated patient use. This is an important part of security that shouldn’t be overlooked, and is successful in combating internal security threats and casual external attempts to access portals by unauthorized parties.

From the technology perspective, protecting the security of patient-provider messaging requires taking measures to prevent malicious access to patient portals and protecting the transfer of information among those portals, healthcare providers and associated data warehouses. These broad areas of security must be addressed to protect patient-provider communication via secure messaging applications.

Patient Portal and Messaging Authentication

Patients are expected to access portals and messaging applications from a variety of devices and locations, including desktop, portable and mobile devices in both private and shared computing environments. The security considerations are correspondingly broad, and they necessitate the use of protocols such as the link-level security services Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to support the transmission of protected data over a public, unsecured network.

Security measures to protect access to patient portals and messaging applications can range from something as simple as passcodes and commonly related authentication protocols to advanced solutions such as biometric authentication.

The caution in deploying any authentication solution is the risk of losing patient and provider support through frustration with cumbersome password requirements and policies. OAuth security, user IDs and password tokens used to access data may all be effective solutions for limiting access to specific information, especially when implemented as part of a larger identity management solution.

Authentication solutions need to equally consider information security, compliance mandates and patient satisfaction. A balance needs to be found where sufficient security measures are employed to protect patient information without hampering the patient experience and unwittingly lowering the patient portal adoption rate and encouraging application abandonment.

Network Security

The exchange of information between devices and data warehouses requires the use of specified encryption and hashing algorithms, with their associated keys, to protect data as it moves across a network. Algorithms such as RSA, AES, DES, 3DES and others are candidates for such security and are proven effective at preventing outside attacks on information systems, such as those posed by hackers seeking to steal patient information or otherwise do harm.
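As an added illustration (not part of the original article), the Python sketch below shows how a portal operator might check that sessions carrying PHI actually use strong transport settings. It builds a client context that requires TLS 1.2 or newer and flags sessions that fall back to SSL, early TLS, or DES/3DES-based suites, which are legacy choices today. The function names and the sample sessions are constructed for this example.

```python
import ssl

# Substrings marking suites that should not carry PHI ("DES" also matches 3DES names).
WEAK_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context: certificate and hostname verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess_session(version, cipher):
    """Return a list of findings for one negotiated session.

    version: the string returned by SSLSocket.version()
    cipher:  the tuple returned by SSLSocket.cipher(),
             i.e. (suite name, protocol, secret bits)
    """
    name, _proto, bits = cipher
    findings = []
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {version}")
    if any(marker in name.upper() for marker in WEAK_MARKERS):
        findings.append(f"weak algorithm in {name}")
    if bits < 128:
        findings.append(f"only {bits} secret bits")
    return findings


# Constructed sample sessions (hypothetical, not captured from any real portal).
SAMPLES = [
    ("TLSv1.3", ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)),
    ("TLSv1.2", ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)),
    ("TLSv1", ("DES-CBC3-SHA", "SSLv3", 112)),
    ("SSLv3", ("EXP-DES-CBC-SHA", "SSLv3", 40)),
]

if __name__ == "__main__":
    for version, cipher in SAMPLES:
        print(version, cipher[0], assess_session(version, cipher) or "ok")
```

In a live check, the `version` and `cipher` arguments would come from a socket wrapped with `hardened_client_context()` after the handshake completes.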

But as effective as encryption is at thwarting outside attacks, it has no effect on threats posed by disgruntled staff, careless device use or device theft. In these cases, patient and provider education, authentication protocols and threat assessment tools and activities are a necessary part of a comprehensive security solution.


Patient portals and messaging applications pose a number of administrative and organizational challenges for healthcare providers and their technology partners. With the Stage 2 Meaningful Use mandate for secure messaging looming, healthcare professionals have to address these challenges head-on, tackling a number of privacy issues related to protecting sensitive patient information.

Secure messaging requires a holistic view of security across the breadth of a communication network and variety of end-user devices and computing environments. Solutions for authenticating users, protecting information from hackers and reducing the threat of internal security breaches are equally necessary and need to be considered within an overall security strategy. Education and training should be considered part of your security plan.

Secure messaging is a critical application that promises to reduce the cost of healthcare, improve the productivity and efficiency of administrative and clinical staff and increase the level of patient participation in their care. It needn’t be a security concern, but rather a reminder to exercise solid security measures in your communication network and information systems.

Secure messaging isn’t only a Stage 2 Meaningful Use mandate; it’s smart business, and security is the foundation of its usefulness and associated success.


William McElmurry is an accomplished executive with over 30 years of leadership experience in many segments of the healthcare marketplace including work with providers, payers, and software solution vendors. He is an active member of the Healthcare Financial Management Association (HFMA) and the Healthcare Information and Management Systems Society (HIMSS) where he was a moderator at the World of Health IT conference. Bill currently serves as Senior Vice President and Vertical Practice Leader at SoftServe, Inc.
