Is Your Patient Portal A Security Risk?
As convenient as patient portals are for communication with those you care for, they can also pose serious risks to you and your healthcare organization. Are you sure your patient portal is secure?
A key priority in any effective healthcare organization is keeping in touch with patients. No matter what type of medicine you practice, communicating with patients and allowing them to access their data is a must.
That’s why patient portals are so valuable in the healthcare industry. However, as with any technology that offers access and convenience, it’s vital that you make sure there’s no accompanying security risk.
What Is A Patient Portal?
The patient portal is a secure website through which patients can access their electronic health record (EHR). Additionally, depending on the type of medical practice and software involved, the patient portal may also allow for a range of different associated tasks to be carried out, such as requests for prescription refills, appointment scheduling, and direct messaging.
Why Do Patient Portals Put You At Risk?
This is the case with any technology that provides access in a convenient manner. A fundamental ongoing battle in consumer technology is between security and convenience.
The fact is that greater security often means less convenience – albeit, in small ways. Regardless, when it comes to something like a patient portal, the priority is usually to enhance the user experience, rather than configure the best security settings possible.
Here’s a basic example – when it comes to Wi-Fi connectivity settings, would you prioritize security or convenience? On one hand, it’s much more convenient to users if the device in question is configured to automatically connect to open and available Wi-Fi hot spots.
But that’s not very secure, is it?
Are Patient Portals Actually Exposing Patient Data?
In a word? Yes.
2019 is a landmark year for the lack of security around patient data, with more than 25 million patient records breached in the last 6 months alone. This is more than a 66% increase when compared just to 2018.
What Does HIPAA Say About Patient Portal Security?
HIPAA, as you likely know, is not often as specific in its stipulations as you might like. If you’re subject to HIPAA, then you’re expected to employ security measures that reasonably and appropriately meet the HIPAA Security Rule standards and implementation specifications.
What does that mean?
Due to the statistics stated above, these portals have been neither reasonable nor appropriate – in other words, just having a portal with a login isn’t enough. How do you beef up that security to become ‘reasonable and appropriate’? Keep reading.
In the report, “The State of Patient Identity Management”, the surveyed healthcare organizations reported using the following security measures in patient portal authentication processes:
- Username and password (93%)
- Knowledge-based authentication questions and answers (39%)
- Email verification (38%)
While that could be considered the standard when it comes to protecting access to patient portal data, if one of these surveyed organizations were to experience a breach, it would be proven otherwise.
The good news is, you can do more to protect your patients’ data.
What Can I Do To Secure Patient Portal Access?
One of the best ways to add security to user authentication processes is with Multi-factor Authentication (MFA). MFA requires the user to utilize two methods to confirm that they are the rightful account owner.
There are three categories of information that can be used in this process:
- Something you have: Includes a mobile phone, app, or generated code
- Something you know: A family member’s name, city of birth, pin, or phrase
- Something you are: Includes fingerprints and facial recognition
How Does A Multi-Factor Authentication Solution Work?
- User logs into the session with primary credentials.
- The session host validates credentials with Active Directory.
- Then, it sends credential validation to the cloud via the login app.
- The MFA client sends its secondary authentication to the user. User approves.
- The MFA client sends approval back to the session host via the login app.
- The user accesses their session very securely.
Though MFA does make it harder for the account owner to access the account, it also makes it difficult for cybercriminals to gain access to patient data. Their job becomes much tougher because they now need to do more than just hack the user’s password. They’ll need personal information about the account owner as well.
With so many accounts being too easy to break into, hackers are more likely to just move on instead of trying to break through the multiple factor authentication process.
Like this article? Check out the following blogs to learn more: