Breaches in online vaccination schedulers are the among the security problems the healthcare sector is scrambling to fix.
Although COVID-19 vaccinations are now underway, the rollout has not been as seamless as people had hoped. Notably, issues with signing up and challenges with security in electronic health records (EHRs) have been reported across the healthcare system.
For instance, Michigan-based Beaumont Health allowed users to schedule unauthorized appointments and circumvent current state mandates because of a glitch, effectively letting 27,000 people cut in line. Other healthcare systems have discovered vulnerabilities in their security measures, which is why many are turning to new tech for help. In addition to downtime, systems have faced issues related to duplicate patient records and other problems due to EHR misconfigurations as they rush to scale with the demand.
A balance of security and usability is always critical, and that is up to each organization to manage. But solutions being rolled out need to have clearly identified security capabilities to secure data while also enabling a broad population to easily schedule their appointments.
Chris Gervais, chief technology officer and chief security officer at Kyruus, a healthcare scheduling and data management company, notes that health systems have limited abilities to easily scale because most EHRs are not built for the traffic patterns needed.
“Patient portals are generally not built to handle the amount of concurrent usage and can put undue pressure on the core EHR, compromising its ability to power core clinical workflows,” he says. “As patient portals become unavailable due to load, that then puts pressure onto access center phone systems, which can, in turn, themselves become overloaded from the sheer number of incoming calls.”
Jacob Ansari, chief information security officer of Schellman & Company, a global independent security and privacy compliance assessor, says the distribution for COVID-19 vaccines provokes several interesting information security questions. For instance: Are we protecting the personally identifiable information (PII) of vaccine recipients, especially as vaccination sites are increasingly localized, at pharmacies and assisted living facilities, for instance? Are we protecting the PII of recipients answering survey questions? Are we protecting the actual distribution of vaccines from those who would seek to disrupt shipment or destroy supply?
“These are questions I hope public health officials at all levels are asking themselves, and (I also hope they are) seeking expertise from information security professionals,” Ansari says. “It’s very likely that there are already controls in place to protect these pieces of information from disclosure or misuse, but whether … any gaps (remain) or (whether) the protections in place are sufficient is hard to gauge without some inside knowledge of the process.”
According to a CI Security report based on publicly reported breaches to HHS, breaches were up by 35.6% in the second half of 2020 compared with the first half, and the number of patient records that were breached increased by more than 180%, although the bulk of those incidents are tied to business associates rather than providers directly.
Hari Prasad, CEO and co-founder of Yosi Health, a healthcare technology solutions company, notes that COVID-19 vaccination plans and schedules add another layer of complexity to the already challenging world of data protection with EHR systems. “One of the key challenges with the schedule management systems is that they may not be fully connected to the EHRs,” he says. “As a result, their (ability) to offer real-time scheduling is minimized.”
Plus, the simple fact that a person is scheduled in a given wave could expose data on their age or a particular health condition. Therefore, managing these schedules and patient communications with secure modern solutions is a must.
“It is crucial for health systems to ensure not only that they have the right protections —such as immutable off-site copies of their data — in place but, more importantly, that they are working with business associates who practice the highest security standards verified by standards organizations like HITRUST,” Prasad says.
Jay Anders, M.D., a former internist and now chief medical officer of health data company Medicomp Systems, says one of the key issues is data accessibility and accuracy of that data. “Unfortunately, this is not a new problem. The industry has struggled with data entry and reporting into immunization registries for many years,” he says. “The issue is and remains: How do physicians give safe, proper care if they don’t have the data? If a vaccine is given on a Monday, but this is not reported accurately or completely, then it’s difficult for a treating physician to give proper care when that patient shows up to an office visit on Wednesday but with an incomplete medical record.”
Alastair Blake, M.D., vice president of clinical and commercial partnerships at Nference, which synthesizes biomedical knowledge, has looked into the de-identification of patient records to enable research into COVID-19. Nference has collaborated with partners at Mayo Clinic to publish extensively on the impact of the COVID-19 pandemic, leveraging its de-identification technology to fully harness the EHR data.
“Our de-identification solution, nCognito, is powered by algorithms and methods that were designed to satisfy and go beyond HIPAA (Health Insurance Portability and Accountability Act) Safe Harbor requirements,” Blake says. “The approach consists of two steps: automatic detection of PII, followed by transformations of these information elements.”
Step one involves detection of PII entities using an ensemble architecture of attention-based neural networks that identifies complementary features across different protected health information types (e.g., names, dates, ages) in both structured and unstructured data sources. These PII entities are then transformed and replaced with suitable surrogates, matched for features such as sex and ethnicity. “This approach does not use redaction, thus making data more intuitive to use while minimizing the risk of data users noticing a de-identification error if one occurred,” Blake says.
Dedicated landing pages
Some lesser issues are scheduling problems that result in people not knowing when vaccine appointments are available and in overloads of systems. This creates problems for those distributing the vaccines. Gervais says creating separate vaccine scheduling flows from patient portals with applications purpose-built for scheduling specifically can help solve some of the problems. “This has helped minimize EHR disruption and enabled healthcare organizations to manage surges in traffic more effectively,” he says. “When appropriate, it has also enabled organizations to make scheduling available to more than just their existing patients, who are the only ones able to access an organization’s patient portal.”
Additionally, creating dedicated landing pages that can quickly update messaging to relay vaccine availability throughout the day can help reduce confusion for patients and their families, as well as wasted time refreshing pages. “This will proactively reduce traffic to avoid systems being overloaded by people looking to obtain appointments when there are none available at that time,” Gervais says, noting that will also help with security. “It is also important for organizations to develop a load-balancing strategy with their public websites, patient portal and call centers,” Gervais adds. “They should use scalable platforms for vaccine scheduling to leave patient portals available for specific interactions and reduce the risk of downtime.”
Keith Loria is a freelance writer in the Washington, D.C., area.