Updated on September 20, 2022.
Healthcare data is becoming an increasingly popular target of hackers¹ as they innovate their techniques to access this valuable and sensitive information. According to the U.S. Department of Health and Human Services (HHS), healthcare breaches from January to May of 2022 nearly doubled² from the same time last year. With the uptick in hacking incidents, healthcare authorities are implementing new laws³ to boost interoperability within organizations and give patients greater control and access to their personal health information. With this newfound sharing model, healthcare organizations and IT vendors must implement stricter patient portal security measures to protect valuable patient information.
Are patient portals secure enough to resist attacks? The increased sharing of patient data has led to the demand for more secure patient portals and mobile apps, which can serve as practical tools for secure patient-provider data exchange, communication, and care management. While patient portals allow information to be accessed and shared conveniently, healthcare organizations should be aware of several patient portal privacy and security issues. The responsibility falls to the healthcare organization to ensure patient information is kept private and secure.
Features required for patient portal security
Here we outline the eight required features for patient portal security and the protection and confidentiality of collected health information.
- Encrypted database features. Encryption converts the original message or information into ciphertext so that data can be stored or transmitted securely and read only by authorized persons. There is a very low probability that anyone other than the authorized party could decrypt the ciphertext back into readable information. It is best to use the industry-standard AES-256 encryption to keep data secure at rest and TLS v1.2 or v1.3 with a robust cipher suite (following NIST recommendations⁴) for data in transit.
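The "data in transit" half of this requirement is something a deployment can check mechanically. The following Python (an added example, not code from the original article or from the Bridge platform) builds a server-side TLS context with the standard-library `ssl` module that refuses anything older than TLS 1.2 and offers only forward-secret AEAD suites, then reports whether the resulting policy meets that bar. The deny-list of cipher-name markers and the certificate paths are assumptions for the example.

```python
import ssl
from typing import Dict, List, Optional

# Substrings that identify cipher suites a portal should never negotiate
# (an assumed deny-list for this example, not a NIST artefact).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "ADH", "AECDH", "MD5", "PSK")


def build_server_tls_context(cert_path: Optional[str] = None,
                             key_path: Optional[str] = None) -> ssl.SSLContext:
    """Server context that refuses anything below TLS 1.2 and, for TLS 1.2,
    offers only forward-secret (ECDHE) AEAD suites. TLS 1.3 suites are all
    AEAD and are chosen by OpenSSL separately from this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext (CRIME-style)
    if cert_path and key_path:
        # Hypothetical paths supplied by the deployment; omitted here so the example runs offline.
        ctx.load_cert_chain(cert_path, key_path)
    return ctx


def policy_report(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise what the context can negotiate so a deployment check can assert on it."""
    names: List[str] = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n for m in WEAK_CIPHER_MARKERS)]
    # TLS 1.3 suite names start with "TLS_"; every remaining (TLS 1.2) suite must use ECDHE.
    tls12_without_ecdhe = [n for n in names if not n.startswith("TLS_") and "ECDHE" not in n]
    compliant = (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
                 and not weak and not tls12_without_ecdhe)
    return {
        "min_version": ctx.minimum_version.name,
        "weak_ciphers": weak,
        "tls12_without_forward_secrecy": tls12_without_ecdhe,
        "compliant": compliant,
    }


if __name__ == "__main__":
    print(policy_report(build_server_tls_context()))
```

Run the report against the context the portal actually serves with, not a freshly built one, so that configuration drift (a framework lowering `minimum_version`, an operator re-enabling a legacy suite for an old integration) shows up in the same check.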
- Provide Role-Based Access Control (RBAC). Regulate who has access to specific information based on the role of each employee or user within the organization. For example, administrative staff may not need to see the same information and data as nursing staff. Consider what each employee needs and grant access to the specific areas as required to avoid common patient portal privacy and security issues. RBAC is also an important concern for patient-authorized representatives or proxy accounts. Having proxy patient portal access that appropriately manages dependent accounts (e.g., a parent managing their child’s account) is a growing concern for healthcare organizations as patient portal adoption rates increase. 45%⁵ of the hospitals in the US do not offer proxy patient portal access.
- Extensive password protection and MFA (multi-factor authentication). Your HIPAA-compliant patient portal should require a password to access the system, and again after each 30-minute period of inactivity. If a password is entered incorrectly too many times, the user’s account should be locked. Ensure that all employee (user) passwords follow NIST recommendations⁶ and are reset every 60 to 90 days. Multi-factor authentication adds a more robust layer of validation. Bridge, for example, supports SMS-based two-factor authentication for password resets and account registration: the patient portal sends an SMS message to a mobile phone with a time-sensitive security code that must be entered to complete registration or a password reset. Managing a secure password can be burdensome for patients, so some secure patient portals offer biometric authentication (fingerprint and facial recognition) to give patients a quick, secure, and frictionless way to access their health information.
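The three controls in this item (lockout after repeated failures, re-authentication after 30 minutes of inactivity, and a time-sensitive single-use SMS code) are small pieces of server-side state with a clock attached. The Python below is an added example, not code from the article or from Bridge; it models all three with an injected `now` timestamp so the behaviour can be exercised without waiting. The 30-minute inactivity limit comes from the text; the five-attempt threshold, 15-minute lockout, 5-minute code lifetime, three code attempts, and the server-side HMAC key are assumed values for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

INACTIVITY_LIMIT_S = 30 * 60   # from the text: re-authenticate after 30 minutes idle
MAX_FAILED_LOGINS = 5          # assumed; the text only says "too many times"
LOCKOUT_S = 15 * 60            # assumed lockout duration
CODE_TTL_S = 5 * 60            # assumed lifetime of the SMS code
MAX_CODE_ATTEMPTS = 3          # assumed guesses allowed per issued code

# Assumed server-side key: codes are stored as HMACs so a database dump does not expose live codes.
CODE_HASH_KEY = b"constructed-demo-key-replace-in-production"


@dataclass
class Account:
    username: str
    failed_logins: int = 0
    locked_until: float = 0.0
    pending_code_hash: Optional[bytes] = None   # never the code itself
    pending_code_expires: float = 0.0
    pending_code_attempts: int = 0


@dataclass
class Session:
    username: str
    last_activity: float


def _hash_code(code: str) -> bytes:
    return hmac.new(CODE_HASH_KEY, code.encode(), hashlib.sha256).digest()


def record_login_attempt(acct: Account, password_ok: bool, now: float) -> str:
    """Return 'locked', 'failed' or 'ok'. A locked account rejects even a correct password."""
    if now < acct.locked_until:
        return "locked"
    if not password_ok:
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked_until = now + LOCKOUT_S
            acct.failed_logins = 0
            return "locked"
        return "failed"
    acct.failed_logins = 0
    return "ok"


def issue_sms_code(acct: Account, now: float) -> str:
    """Generate a 6-digit code for the caller to send by SMS; only its HMAC is retained."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    acct.pending_code_hash = _hash_code(code)
    acct.pending_code_expires = now + CODE_TTL_S
    acct.pending_code_attempts = 0
    return code


def verify_sms_code(acct: Account, submitted: str, now: float) -> bool:
    """Time-limited, single-use, attempt-limited check using a constant-time comparison."""
    if acct.pending_code_hash is None or now > acct.pending_code_expires:
        acct.pending_code_hash = None
        return False
    ok = hmac.compare_digest(_hash_code(submitted), acct.pending_code_hash)
    acct.pending_code_attempts += 1
    if ok or acct.pending_code_attempts >= MAX_CODE_ATTEMPTS:
        acct.pending_code_hash = None   # burn the code on success or after too many guesses
    return ok


def session_is_active(sess: Session, now: float) -> bool:
    return now - sess.last_activity <= INACTIVITY_LIMIT_S


def touch_session(sess: Session, now: float) -> bool:
    """Extend the session on activity; False means the 30-minute window lapsed and login is required."""
    if not session_is_active(sess, now):
        return False
    sess.last_activity = now
    return True
```

The clock is passed in rather than read from `time.time()` inside the functions so the expiry paths can be tested deterministically; in production the web layer supplies the current time on every request.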
- Audit Trails. Establishing an audit trail that records key activities and conducting periodic reviews is crucial to reduce the risk associated with inappropriate access and violations of HIPAA rules. Robust training, policies, and agreements should also be in place for all staff members with patient portal access to ensure patient portal security.
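The RBAC item above (including proxy access to a dependent's account) and the audit-trail item fit together naturally: every authorization decision is the event the audit trail should record, and the periodic review runs over those events. The Python below is an added example, not code from the article or from Bridge. The role-to-permission table, the per-user record scope, and the review thresholds are assumptions for the example; a real portal would derive staff scope from care-team assignments rather than a hand-built set.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed role-to-permission table. A proxy gets the same rights as a patient,
# but only over the dependent records granted to it (checked in authorize()).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "patient":   {"record:read", "message:send", "appointment:book"},
    "proxy":     {"record:read", "message:send", "appointment:book"},
    "nurse":     {"record:read", "record:update_vitals", "message:send"},
    "physician": {"record:read", "record:write", "message:send", "appointment:book"},
    "admin":     {"appointment:book", "billing:read"},   # no clinical record access
}

ANY_RECORD = "*"   # scope wildcard for staff roles whose duties span all patients


@dataclass
class User:
    user_id: str
    role: str
    # Patient records this user may act on: themselves for a patient, the dependents
    # granted to a proxy (e.g. a parent managing a child), or a care-team panel for staff.
    scope: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    ts: float
    actor: str
    action: str
    subject: str   # the patient record touched
    allowed: bool


@dataclass
class AuditTrail:
    events: List[AuditEvent] = field(default_factory=list)

    def review(self, start: float, end: float,
               max_distinct_records: int = 20) -> Tuple[List[AuditEvent], Dict[str, int]]:
        """Periodic review: denied attempts in the window, plus actors who touched
        more distinct patient records than the assumed threshold."""
        in_window = [e for e in self.events if start <= e.ts <= end]
        denied = [e for e in in_window if not e.allowed]
        per_actor: Dict[str, Set[str]] = {}
        for e in in_window:
            if e.allowed:
                per_actor.setdefault(e.actor, set()).add(e.subject)
        broad = {a: len(s) for a, s in per_actor.items() if len(s) > max_distinct_records}
        return denied, broad


def authorize(user: User, action: str, patient_id: str, now: float, trail: AuditTrail) -> bool:
    """Role grants the verb, scope grants the record; record every decision, denials included."""
    has_perm = action in ROLE_PERMISSIONS.get(user.role, set())
    in_scope = ANY_RECORD in user.scope or patient_id in user.scope
    allowed = has_perm and in_scope
    trail.events.append(AuditEvent(now, user.user_id, action, patient_id, allowed))
    return allowed


if __name__ == "__main__":
    trail = AuditTrail()
    parent = User("parent1", "proxy", scope={"child1"})           # constructed sample users
    nurse = User("nurse1", "nurse", scope={"child1", "patient2"})
    print(authorize(parent, "record:read", "child1", 1.0, trail))     # True
    print(authorize(parent, "record:read", "patient2", 2.0, trail))   # False: not their dependent
    print(authorize(nurse, "record:write", "child1", 3.0, trail))     # False: nurses cannot write
    print(trail.review(0.0, 10.0))
```

Two design points matter for HIPAA reviews: denials are logged as well as successes, because repeated denials are often the earliest sign of someone probing beyond their role, and the proxy relationship is an explicit grant on the dependent's record rather than a shared password, which is the workaround the cited survey found when proxy access is missing.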
- Consent. Your secure patient portal should store, display, and print patient consent forms. The most critical consent form is an opt-in agreement where a patient understands the patient portal privacy and security issues and agrees to the risks associated with inevitably insecure patient-provider communication.
- Meet federal and state laws with regard to privacy and security. Follow the regulations set by healthcare authorities such as the Office for Civil Rights (OCR) and Health & Human Services (HHS) regarding laws such as ADA, HIPAA, and CCPA.
- PCI Compliance. HIPAA-compliant bill pay requires that patient credit card details not be transmitted or stored unless your clinic complies with the PCI Security Standards Council’s standards⁷, which keep the patient’s payment card data secure.
As the healthcare industry witnesses heightened attacks, organizations should be prioritizing how to best secure patient data and become proactive in taking steps to prevent a future breach. If your organization is currently using or plans on implementing a patient portal, it should ensure that the platform offers these eight features for optimal patient portal security.
Bridge is ONC 2015 Edition Certified and adheres to strict HIPAA and patient portal security protocols. To learn more, check out the compliance and security measures that make the Bridge platform one of the securest patient engagement platforms on the market.
- Barlow, C. (2021). Hackers Are Leveling up and Catching Healthcare Off-Guard. [online] Help Net Security. Available at: https://www.helpnetsecurity.com/2021/05/18/hackers-attacking-healthcare/
- U.S. Department of Health & Human Services (2019). U.S. Department of Health & Human Services – Office for Civil Rights. [online] Hhs.gov. Available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- CMS.gov. (2022). 2022 Medicare Promoting Interoperability Program Requirements. [online] CMS.gov. Available at: https://www.cms.gov/regulations-guidance/promoting-interoperability/2022-medicare-promoting-interoperability-program-requirements
- National Institute of Standards and Technology. (2021). Security Recommendations. [online] NIST. Available at: https://www.nist.gov/itl/voting/security-recommendations
- Heath, S. (2020). Patient Portal Proxy Access Limited, Spurs Password Sharing. [online] PATIENT ENGAGEMENT HIT. Available at: https://patientengagementhit.com/news/patient-portal-proxy-access-limited-spurs-password-sharing
- National Institute of Standards and Technology. (2022). Digital Identity Guidelines. [online] NIST. Available at: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
- PCI Security Standards Council. (n.d.). Standards Overview. [online] PCI Security Standards Council. Available at: https://www.pcisecuritystandards.org/standards/