Accessibility, privacy, and security all play an important role in building a visitor’s trust in your healthcare website. Ensuring that each visitor has the best user experience is no small feat, and neither is protecting their information. Healthcare providers must continuously balance accessibility and security as strict regulations and requirements arise and change, or risk alienating or angering their visitors.
Millions of Americans live with disabilities that impact how they use the internet, which is why efforts to regulate and improve accessibility have been renewed and expanded within the healthcare industry. Much of this renewed effort can be attributed to the growing number of accessibility lawsuits the healthcare sector has had to deal with in recent years.[1] Even without the lawsuits, many healthcare organizations are beginning to understand the value of a website that everyone can easily access and navigate.
Although the goal is to ensure that every patient can easily access the website of their choosing, healthcare providers must also ensure that no unauthorized eyes gain access to a visitor’s private health information. If patients ever feel as though their electronic health records are not completely safe and confidential, they could opt to withhold vital health information, which might have dangerous consequences.
Poor security and privacy practices not only put healthcare organizations at risk, they also put visitors in danger. Malicious cyberattacks are the leading cause of data breaches in the healthcare industry, and attacks of this kind have increased by 125% since 2010.[2] Security threats are constantly evolving, and it can be incredibly difficult for healthcare organizations to protect patient data from these criminals. Small data breaches might not financially cripple an institution, but patients will be much less likely to trust the provider with their information. The larger breaches can end up costing a healthcare organization millions of dollars.
The growing reliance on technology has made accessibility more important than ever before, and it has also made cybercrime much more lucrative. For healthcare providers and other organizations that host and/or transmit protected health information, security and privacy must never be taken lightly.
How can a healthcare website ensure that every site visitor’s accessibility needs are met? How can healthcare organizations keep patient information secure and assure patients that only authorized persons have access to it? This research paper covers the top accessibility, privacy, and security best practices for healthcare websites.
Accessibility Best Practices
Americans with disabilities should be able to use the Internet without any limitations, but websites that don’t adhere to accessibility guidelines make that difficult. A variety of assistive technologies exist to help these patients use the web, so forward-thinking web designers follow these guidelines/requirements to safeguard against any potential issues:

  • Section 508 of the Rehabilitation Act of 1973: This law, which was officially updated on January 18, 2018, requires that federal agencies make any and all electronic and information technology (EIT) accessible to those with disabilities.[3]
  • Web Content Accessibility Guidelines 2.0: These guidelines are voluntary, but they are recognized worldwide. They define three levels of conformance (A, AA, AAA), and meeting the A or AA level is perfectly acceptable.[4]

Even without the threat of a lawsuit, meeting these accessibility guidelines is recommended for all healthcare organizations. In fact, implementing the following accessibility best practices can also offer SEO benefits, because accessible content is by nature machine-readable:

  1. Review WCAG and Section 508: Some of these guidelines and rules can be relatively easy to implement, like the use of color, contrast ratios, and moving banners or video backgrounds. Using alternative text, closed captions for videos, and transcripts for any form of audio also helps a great deal. Some of the more involved rules might require a developer, but having an accessible website will be worth it.
  2. Understand Your Website: The content management system (CMS), website design, and content itself all play a part in accessibility. Design changes may be necessary, and switching to an entirely different CMS could be on the table in some cases.
  3. Check with Your Legal Team: Especially with the rise of lawsuits over accessibility in the healthcare sector, it would behoove all providers to determine current and future liability. This process will help an organization prioritize steps toward achieving accessibility.
  4. Talk to Your Marketing Team: For healthcare institutions that work with outsourced marketing or web teams, make sure they understand how important accessibility is moving forward. Keep this team up-to-date with all relevant laws and guidelines.

Even after following these four best practices for accessibility, healthcare providers should know that the job is never finished. Guidelines can be updated, and changes/updates to websites can pull an organization off track. These best practices should be repeated on a regular basis to ensure continued success.
Privacy and Security Best Practices
Protected health information – medical record numbers, Social Security numbers, medications, procedure information, and more – is some of the most sensitive data that can be stolen, which is why penalties and fines are so substantial when regulatory requirements aren’t met. Criminals are constantly inventing new ways to break into healthcare entities, and keeping up with the onslaught of attacks can be exhausting. HIPAA has three broad rules that healthcare providers must adhere to:

  • HIPAA Privacy Rule: The HIPAA Privacy Rule protects the medical records and other personal health information of patients, and this rule covers healthcare clearinghouses, health plans, and any provider that conducts transactions electronically. This rule limits the uses and disclosures that can be made of patient information without authorization from the patient in question. In addition, this rule gives patients the right to examine, obtain a copy of, or request corrections to their health information.[5]
  • HIPAA Security Rule: This rule created a standard for the protection of individuals’ electronic personal health information, as long as said information is created, received, used, or held by a HIPAA-covered entity. The Security Rule attempts to ensure the integrity, confidentiality, and overall security of electronic protected health information through administrative, physical, and technical safeguards.[6]
  • HIPAA Breach Notification Rule: This rule requires HIPAA-covered organizations and their business associates to disclose when breaches of protected health information occur.[7]

These regulations help ensure that HIPAA-covered healthcare providers keep patient information as secure as possible by only allowing authorized persons to access it for authorized purposes. Despite all of this, HIPAA does not mandate the use of specific technologies. Instead, it is up to each healthcare provider to determine how to best attain these goals.
As criminals continue to find new ways to steal patient information, regulatory requirements will become more robust. Healthcare providers that are proactive in safeguarding patient information are going to be best-positioned for future compliance. In order to lower the risk of being a victim of these costly data breaches, it’s best for healthcare organizations to establish best practices to follow:

  1. Educate Staff

Human error continues to be the largest threat to security for the healthcare industry, so properly educating staff can go a long way. As natural as human error is, negligence can be disastrous for a healthcare provider and end up costing millions of dollars. Make sure to train each employee on privacy and security so they can make the proper decisions when handling sensitive information. Even when all employees are trained and show appropriate caution with electronic health records, refresher courses should still be mandatory. The technology landscape changes so rapidly that education never truly finishes.

  2. Restrict Access

There’s no reason to give employees the power to access the entire network of patient information and other data; that would be a recipe for failure. Instead, implement controls that restrict access to certain information or applications so employees have what they need to properly perform their jobs and nothing more. Where access to especially sensitive data must be restricted, require multi-factor authentication as an additional form of validation. Multi-factor authentication combines two or more independent factors: something the user knows (a password or PIN), something the user has (a card or key), or something the user is (biometrics).
Restricting access does slow processes down in some cases, but the added protection is more than worth it.

  3. Track Usage

Tracking access and other usage data is invaluable because it provides a log of which users access certain information or resources, as well as when and from where they access it. Healthcare organizations can use this information to identify weak areas and make improvements. If a breach of some sort actually occurs, usage history can be traced throughout the organization and entry points can be identified. This process makes it much easier to determine the cause of the breach, assess damages, and patch any weaknesses.
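The Restrict Access and Track Usage practices above fit together naturally: the same gate that enforces least privilege and step-up authentication is the right place to write the audit trail. The following is an added illustration, not code from the original paper or from any particular product; the role names, the field-to-role mapping, the MFA-required field and the sample record are all constructed assumptions.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: each role may read only the PHI fields its job needs, the most
# sensitive field additionally requires MFA, and every decision lands in an audit log.
ROLE_FIELDS = {
    "physician": {"mrn", "medications", "procedures"},
    "billing": {"mrn", "procedures"},
    "front_desk": {"mrn"},
}
MFA_REQUIRED_FIELDS = {"medications"}  # assumption: step-up auth for this data
AuditEvent = namedtuple("AuditEvent", "ts user role mrn fields source_ip allowed reason")
# Constructed sample record; MRN and values are made up.
DEMO_RECORDS = {"MRN-0001": {"mrn": "MRN-0001", "medications": ["drug-a"],
                             "procedures": ["proc-x"]}}

@dataclass
class PhiStore:
    records: dict
    audit: list = field(default_factory=list)

    def read(self, user, role, mrn, fields, source_ip, mfa_verified=False):
        wanted = set(fields)
        excess = wanted - ROLE_FIELDS.get(role, set())
        if mrn not in self.records:
            reason = "no such record"
        elif excess:
            reason = f"role lacks {sorted(excess)}"
        elif wanted & MFA_REQUIRED_FIELDS and not mfa_verified:
            reason = "mfa required"
        else:
            reason = "ok"
        # Log before enforcing, so denied attempts are visible to later triage.
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user, role,
                                     mrn, tuple(sorted(wanted)), source_ip, reason == "ok", reason))
        if reason != "ok":
            raise PermissionError(f"{user} ({role}): {reason}")
        return {f: self.records[mrn][f] for f in wanted}

    def who_accessed(self, mrn):
        """Breach triage: every attempt against one record, successful or not."""
        return [(e.user, e.source_ip, e.allowed, e.reason) for e in self.audit if e.mrn == mrn]

    def denied_counts(self):
        """Repeated denials point at over-reaching accounts or misassigned roles."""
        return Counter(e.user for e in self.audit if not e.allowed)
```

Because denials are logged with their reason, the same audit list that answers "who touched this record?" after an incident also surfaces accounts that keep reaching beyond their role before one.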

  4. Perform Risk Assessments

As important as it is to be able to identify the cause and entry point of a breach, a proactive approach is even more valuable. Performing risk assessments on a regular basis can help healthcare providers spot vulnerabilities and other areas of concern before a breach/incident happens. Proper prevention is much cheaper than sitting pat and waiting for a breach to occur, and it comes without any damage to the organization’s reputation.

  5. Evaluate Associates

A chain is only as strong as its weakest link, which is why healthcare providers should assess other HIPAA-covered entities and business associates. Healthcare information is constantly being transmitted between providers in order to deliver care and facilitate payments. Taking the time to evaluate all of these associates is crucial.
Conclusion
For all modern healthcare websites, accessibility, privacy, and security are more important than ever. Failing to adhere to guidelines and regulations can cost healthcare providers patients, or even lead to fines and other punishments. Creating a culture of inclusiveness and security is an ongoing effort, but failing to keep up with the rest of the sector is no longer an option.
Citations

  1. https://www.fredlaw.com/news__media/2017/01/18/1427/healthcare_sector_is_newest_target_for_website_accessibility_lawsuits/
  2. https://www.ponemon.org/news-2/66
  3. https://www.section508.gov/manage/laws-and-policies
  4. https://www.w3.org/WAI/standards-guidelines/wcag/
  5. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
  6. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  7. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html