5 Steps For Securing Patient Portals
By Josh Horwitz, COO, Enzoic.
With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year the latter alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
- Screen for Compromised Credentials
In many cases patient portals are secured solely by a password; something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information.?? This is largely due to the pervasive problem of reusing passwords across multiple sites–something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database to ensure that patients aren’t inadvertently opening up the front to hackers. Given the rate at which data breaches occur, it’s also important to implement this screening on an ongoing basis, rather than solely when a patient enrolls in the portal.
- Consider MFA
As the above underscores, it’s never a good idea to rely on just one layer to secure sensitive systems and data. Providers should consider implementing multi-factor authentication to further protect patient portals. However, MFA is not a magic bullet as it introduces additional friction into the user experience and, as such, providers may be hesitant to enforce it.
- Implement Login Monitoring and Device Intelligence
Login monitoring enables providers to determine if a patient is using a device that the system recognizes, and also whether it is associated with previous fraudulent activities or is impersonating multiple patients. Should a device be flagged as suspicious, organizations can implement additional authentication factors before granting access—or shutting it down as the case may be.
- Implement a CAPTCHA
Another important step in eliminating patient portal vulnerabilities is ensuring that all login forms present a CAPTCHA for riskier login attempts. Numerous CAPTCHA products exist that can help providers determine what constitutes a “risky” attempt, but multiple failed authentication attempts from the same source IP address should always start prompting for a CAPTCHA.
- Shutdown Access After Multiple Failed Login Attempts
It’s also critical that portals have a means of shutting down access after too many attempts to login with an invalid password, as this can ward off automated attacks and also alert organizations that such an attack is occurring.
Bad actors are always looking for new ways to infiltrate healthcare organizations, and the rapid adoption and deployment of patient portals has given them a prime opportunity. Whenever and however the post-pandemic world takes shape, it’s a safe bet that portals and other digital healthcare innovations are here to stay. That’s why it’s so important that organizations take a step back and address any vulnerabilities they may have overlooked in the initial rush to offer telehealth to their patients. In tandem with this, companies need to keep security top of mind as they invest in new telehealth capabilities and solutions to ensure they stay ahead of hackers’ increasingly sophisticated efforts.