How Secure Are Patient Portals?
Patient portals are a great way to give your patients access to their Electronic Health Records (EHRs). They’re also convenient for streamlining requests for prescription refills, scheduling appointments and communicating.
However, patient portals can also be a big security risk. If someone gets unauthorized access, they’ll be able to see your patients’ electronic protected health information (ePHI). That could result in a HIPAA violation—and a costly fine.
Healthcare portal data breaches are becoming increasingly common as the confidential ePHI data they contain is incredibly valuable on the black market and can fetch as much as $1,000 per record. In 2020, there were nearly 600 data breaches—and over two-thirds of them were as a result of hacking or IT incidents exposing more than 24 million patient records.
According to a Kantar/Digital Health Summit study, while many patients recognize the value of patient portals to their healthcare experience, they also have legitimate concerns about the privacy and security aspects of using them.
Let’s have a look at the security of patient portals, their cyber security weak links and some ways to make yours more secure. This way, you can reassure your clients that your clinic won’t be responsible for the next big data breach.
Convenience vs. security
With any electronic data system there is a trade-off between convenience and security. The more protected any system is against unauthorized access, the more inconvenient it tends to be for legitimate users. With things like patient portals, this is an incredibly hard balance to strike, as you want your patients to adopt and use your portal system while still keeping their data secure.
Any HIPAA-compliant healthcare portal will have the capabilities to be a secure system—if it’s used correctly. All the data transmitted between the server and your clients will be encrypted, users will be properly authenticated so as to prevent unauthorized access and protect patient data and there will be logs and audit trails kept in case something needs to be checked. Unfortunately, as the number of data breaches shows, not all portals are used in a secure manner.
While all healthcare businesses have to abide by the HIPAA Security Rule, it doesn’t mandate specific security measures. A username- and password-protected online portal meets the minimum requirements, but from a cybersecurity point of view, that is clearly not sufficient. It’s vulnerable to things like:
- Patients using weak passwords.
- Patients reusing passwords on different platforms.
- Patients sharing passwords with other people.
- Phishing attacks targeting patients.
- Phishing attacks targeting staff, leading to malware on office computers.
- Device theft.
How to keep your patient portal secure
The common weak point exploited in most hacks is the same: the people using the software, and their tendency to prioritize convenience over security. Hacking into a secure data center is, when it’s even possible, incredibly difficult and expensive, while tricking a user into giving up their password can be done with a simple email.
The following recommendations can help keep your patient portal secure:
Request users create strong, unique passwords. One of the most important steps in securing your patient data is to set password guidelines. It won’t stop all attacks, but it will make it harder for attackers to simply try a list of common or previously leaked passwords.
Add another step to the login process. Single-factor authentication (a username plus a password) is always vulnerable to hackers. Adding another step (such as a code sent by SMS or email) makes it much more difficult for bad actors to gain access to your systems. If possible, make two-factor authentication mandatory for all patients.
Additional identity verification, which requirers users to enter their date of birth, address or some other piece of identifying data, is another way to protect patient data. It can also stop unauthorized access (and the potential HIPAA violations that come with it) when a device is stolen.
Document and monitor all login attempts. Any suspicious activity, like repeated login attempts from different countries, should trigger additional security, such as a mandatory password reset or additional account verification.
Train employees on safety. Patients and the patient portal aren’t the only potential issue. Employees should be trained to be suspicious of any emails related to the client portal, in particular ones that require them to click a link or enter a password. They should also be careful about downloading any files or attachments and encouraged to double-check and report any suspicious activity.
Perform all updates on software and systems. Other types of malware can compromise your client portal, too. Keep all the computers, antivirus protections and client portals up to date. Out-of-date software is a major cyber vulnerability.
Audit your secure system regularly. Check for suspicious activity. Set up a process where every few weeks somebody looks through the logs to ensure everything is working and appears as it should.
Reassuring your patients
When used correctly, patient portals are secure and convenient for everyone involved. They’re much easier to manage than paper records, and the built-in secure messaging makes HIPAA compliance simpler than things like email.
If you know you’re taking the necessary steps to protect patient data, you can reassure your clients that your practice has a secure patient portal, address their concerns and make them more likely to use it. That’s a win for everyone.