With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year ransomware alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
Screen for Compromised Credentials
In many cases patient portals are secured solely by a password, something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information. This is largely due to the pervasive problem of reusing passwords across multiple sites, something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database to ensure that patients aren’t inadvertently opening the front door to hackers. Given the rate at which data breaches occur, it’s also important to implement this screening on an ongoing basis, rather than solely when a patient enrolls in the portal.
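As an added example (not code from the original post or from any vendor), here is a Python sketch of the enrollment-time and login-time screening described above. It assumes the dynamic database is queried with a k-anonymity style range lookup on SHA-1 digests (one common way such services are consulted) and uses a constructed in-memory set in place of the live service.

```python
import hashlib
from typing import Iterable, Set

def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form range-query breach databases index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_breach_db(leaked_passwords: Iterable[str]) -> Set[str]:
    """Constructed stand-in for the dynamic compromised-credential database."""
    return {sha1_hex(p) for p in leaked_passwords}

def range_lookup(prefix: str, db: Set[str]) -> Set[str]:
    """Server side of a k-anonymity range query: return the suffixes of every
    stored hash that starts with the 5-character prefix. The server never
    learns which of those suffixes (if any) the client actually holds."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in db if h.startswith(prefix)}

def is_compromised(password: str, db: Set[str]) -> bool:
    """Client side: send only the prefix, then compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], db)

def screen_enrollment(password: str, db: Set[str]) -> str:
    """Enrollment gate: a password already in the breach database is rejected."""
    return "reject" if is_compromised(password, db) else "accept"

def screen_login(password: str, db: Set[str]) -> str:
    """Login-time re-screen. The plaintext is only available while the patient
    is authenticating, so this is where ongoing screening against the latest
    database happens: a password that was clean at enrollment but has leaked
    since forces a reset instead of granting access."""
    return "require_reset" if is_compromised(password, db) else "allow"

if __name__ == "__main__":
    db = build_breach_db(["password", "123456", "qwerty"])   # constructed sample
    print(screen_enrollment("password", db))                # reject
    print(screen_enrollment("Kestrel-Harbor-42", db))       # accept
    db |= build_breach_db(["Kestrel-Harbor-42"])            # later breach adds it
    print(screen_login("Kestrel-Harbor-42", db))            # require_reset
```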
With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.
The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.
As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.” In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.
With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.
Improper Access Controls. Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of potential roles that could access vaccination data is massive, and that’s just within the healthcare setting. When you expand to other industries, the list is virtually endless. In order to protect sensitive data, it’s important that all COVID-19 apps and programs are designed with strong role- and event-based access controls.
For example, a doctor may require “Write” access in order to edit or add information pertinent to a patient’s immunity or reaction to the vaccine. However, this permission should be the exception rather than the norm as hackers could wreak havoc should they be able to manipulate data within these apps and programs.
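An added example, not from the original post, of the role- and event-based pattern described above, in Python: roles are deny-by-default and read-only, and "Write" on a vaccination record is granted only to the clinician assigned to an encounter that is still active. The role names, the Encounter type and the two-hour window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List

# Deny by default: each role lists the only actions it may take on vaccination
# records. "write" appears in no role; it is granted per clinical event below.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"read"}),
    "pharmacy_tech": frozenset({"read"}),
    "claims_specialist": frozenset({"read_status"}),  # vaccinated yes/no only
}

@dataclass
class Encounter:
    """A clinical event (e.g. a vaccination appointment) that temporarily
    authorises the assigned clinician to write to one patient's record."""
    patient_id: str
    clinician_id: str
    opened_at: datetime
    ttl: timedelta = timedelta(hours=2)  # assumed window for the event

    def active_at(self, now: datetime) -> bool:
        return self.opened_at <= now < self.opened_at + self.ttl

def is_allowed(user: str, role: str, action: str, patient: str,
               encounters: List[Encounter], now: datetime) -> bool:
    """Role check first; a write passes only for the clinician assigned to an
    encounter that is active now and belongs to the same patient."""
    if action in ROLE_PERMISSIONS.get(role, frozenset()):  # unknown role gets nothing
        return True
    if action == "write" and role == "physician":
        return any(e.patient_id == patient and e.clinician_id == user and e.active_at(now)
                   for e in encounters)
    return False

def run_checks() -> Dict[str, bool]:
    """Constructed scenario: dr1 opened an encounter for patient p1 ten minutes ago."""
    now = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    encs = [Encounter("p1", "dr1", now - timedelta(minutes=10))]
    later = now + timedelta(hours=3)  # the encounter window has elapsed
    return {
        "assigned_write": is_allowed("dr1", "physician", "write", "p1", encs, now),
        "other_patient_write": is_allowed("dr1", "physician", "write", "p2", encs, now),
        "other_doctor_write": is_allowed("dr2", "physician", "write", "p1", encs, now),
        "expired_write": is_allowed("dr1", "physician", "write", "p1", encs, later),
        "claims_full_read": is_allowed("c1", "claims_specialist", "read", "p1", encs, now),
        "claims_status": is_allowed("c1", "claims_specialist", "read_status", "p1", encs, now),
        "unknown_role": is_allowed("x", "unknown", "read", "p1", encs, now),
    }
```

Calling run_checks() returns a dict in which only the assigned clinician's in-window write and the claims specialist's status-only read are allowed; every other request is denied.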
Healthcare employees are on the frontlines of the coronavirus pandemic, in many cases working extended hours under extremely taxing circumstances in an effort to treat the growing number of infected patients. In this environment, it’s critical that everyone is cognizant of an unfortunate reality of our times: hackers are always looking for ways to capitalize on a crisis.
As Forbes’ Thomas Brewster put it, the last few weeks have seen “…an avalanche of digital threats piggybacking on the coronavirus pandemic,” and these are only likely to increase as the international community continues to grapple with the virus. With scams running the gamut from a coronavirus tracker that installs malware onto visitors’ devices to takeover of teleconferencing software to fraudulent company discounts or services related to the coronavirus, there is no shortage of ways bad actors are seeking to exploit consumers’ fear and confusion.
As such, it’s important that hospitals and healthcare institutions help employees safeguard their data and ensure they are cognizant of the increased security threats associated with the pandemic. Following are a few tips to consider:
A rise in phishing scams. As mentioned above, many hackers are employing phishing scams to pose as companies offering a legitimate coronavirus-related service in an attempt to trick recipients into sharing credit card information or other personal data. The good news is that there are some common characteristics associated with phishing attacks that people can use to vet these communications. For example, encourage employees to check for grammar, punctuation and formatting errors as these are often phishing red flags. It’s also important to review links before actually clicking on them and look for things that appear odd such as dashes, extra characters, or additional letters and numbers. Another good practice is to check the email address itself to see if it contains multiple numbers or letters. Finally, encourage employees to always reach out to the company in question to determine the authenticity of an offer before clicking on any links if they harbor doubts.
Increased online shopping: With more shopping taking place online, particularly for healthcare employees working long hours, the importance of strong, unique passwords is more critical than ever. It’s extremely common for people to create simple passwords that they share across multiple accounts. However, if those credentials have been leaked in a previous breach, hackers can easily use them to access these accounts and all the data they contain. Healthcare institutions must stress the significant vulnerability of this poor password practice, and encourage employees to review existing passwords and ensure any new accounts they create are protected by strong, unique credentials. Password manager solutions can be extremely helpful, particularly for people who are setting up numerous new online accounts in response to “Stay Home” orders.
An uptick in connectivity: With people working from home or participating in remote learning programs, many families are experiencing an increase in internet connectivity. This undoubtedly puts a strain on bandwidth, but it also introduces some security vulnerabilities. For example, what if a child accidentally downloads malware on the home network? And are connected devices like voice assistants or smart TVs protected by unique passwords, or do they still have the default factory settings? It’s important that employees are aware of the threats that can arise with greater connectivity and ensure they take steps to address them. It’s also essential that hospitals insist employees use their VPN whenever accessing work-related systems or data from home to keep this information protected.
In addition to the considerations outlined above, it’s also important that healthcare employees keep an eye on the evolving cybersecurity landscape as it relates to the pandemic. It’s likely that hackers will continue to find new ways to exploit the situation for their own nefarious purposes. As employees work diligently to combat coronavirus, it’s essential that hospitals remind them to keep their personal information safe.
With the healthcare sector a top target of hackers, cybersecurity and privacy are of paramount concern—so much so that HIMSS20 has dedicated an entire track to the topic. According to its description, “Every organization must respect and maintain the privacy and security of patient information, no matter how small or large and no matter where they are located.”
While cybersecurity is clearly a primary area of focus, the frequency of attacks on healthcare institutions is on the rise—the HIPAA Journal found that the equivalent of 50% of the U.S. population has been affected by data breaches over the past decade. While there are several reasons healthcare institutions continue to fall prey to attacks, one of the most common ones may surprise you: employee password reuse and password sharing.
Risk Rises with Password Reuse
Most healthcare workers know better than to reuse passwords across multiple sites and applications. Still, this security best practice is often overlooked in the name of convenience and the urgency associated with providing high-quality care. However, password reuse puts the entire organization at risk when an unrelated third party is breached, as cybercriminals can easily obtain breached or leaked credentials via the Dark Web and use them against other online accounts or systems.
With breaches occurring on a daily basis, hackers can select from an unlimited supply of newly compromised passwords. If even just a handful of your employees reuse passwords across applications and accounts, it won’t be long before hackers leverage this password faux-pas for their own advantage. And if your organization is anything like the average company, it’s likely that password reuse is also pervasive. According to Google, at least 65% of people use the same password for multiple, if not all, sites and systems.
Password Sharing Increases Vulnerabilities
When every second counts in administering critical care, the last thing hospital staff have time for is issues with login. For this reason, many healthcare workers will share credentials, with 74% of respondents in one study admitting they had obtained a colleague’s password. The researchers state, “Apart from…large-scale mistakes and malicious acts… one of the most common breaches of PHI is the use of another’s credentials to access patient information, i.e., the use of the EMR password of one medical staff member by another.”
It’s easy to understand why healthcare workers would default to this practice, but it’s equally easy to visualize how password sharing substantially increases security vulnerabilities.
With threats inherent in everything from:
How the password is initially shared (i.e. is it stored in multiple email accounts?)
What else individual staff members may use it for (e.g. is it being reused for other work and/or personal accounts?)
What the staff turnover is (e.g. what happens if a disgruntled former employee can still access company systems?)
It’s evident that hospitals cannot afford the risks associated with password sharing.