MaPomDen health And Diet Blog
The Complementary Alternative Medicine, Natural Health And Diets Blog

5 steps to securing patient portals


By Josh Horwitz, COO, Enzoic.

With the rapid changeover to telemedicine due to the pandemic, both the provision and acceptance of patient portals increased. This surge in usage has exposed security flaws, and we can now see that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year the latter alone cost the health industry nearly $21 billion in downtime, affecting 600 vendors nationwide.

COVID-19 transformed the healthcare landscape, making patient portals and telemedicine the primary means of communicating with providers, accessing treatment plans and other documents, and processing payments. Given the convenience this provides for both patients and providers, these digital experiences are likely to remain a staple of the healthcare industry for years to come. As companies continue to invest in patient portals and other telemedicine innovations, it is important that they understand the myriad security concerns involved.

It should come as no surprise that hackers see patient portals as an extremely attractive target – credit card details, personally identifiable information (PII), and personal health information (PHI) are all accessible through these platforms. Unfortunately, since patient portals are designed with ease of use in mind, it’s not uncommon for them to have minimal security in order to make the process as smooth as possible. Hackers are all too eager to exploit these and other vulnerabilities, so it is critical that organizations address these concerns. With this in mind, read on for five important steps to remedy these vulnerabilities and improve the security of the patient portal.

  1. Screen for compromised credentials

In many cases, patient portals are protected by a password alone, something that is widely viewed as a poor security practice, especially for accounts that contain such sensitive information. This is mainly due to the ubiquitous problem of reusing passwords across multiple websites, which around 59% of respondents in a recent survey admit to doing. If just one of these accounts is breached, any other website or service protected by the disclosed password is also compromised. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that malicious actors will launch a successful account takeover (ATO). To address these and other password-related vulnerabilities, providers should check patients' credentials against a dynamic database of compromised credentials to ensure that patients do not accidentally open the front door to hackers. Given the frequency of data breaches, it is also important to implement this screening on an ongoing basis and not just when a patient logs into the portal.
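The sketch below is an added example, not code from the article or from any vendor product. It shows the two screening points described above: rejecting a known-breached password while the plaintext is in hand, and re-screening stored salted hashes when new exposed username/password pairs arrive. The corpus, accounts, feed, function names and work factor are all constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def sha1_hex(password: str) -> str:
    # SHA-1 is only the lookup key into the breach corpus, never the storage hash.
    return hashlib.sha1(password.encode()).hexdigest().upper()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample corpus of breached-password hashes.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2020!", "password1", "qwerty123")}

def acceptable_new_password(password: str) -> bool:
    """Screen at registration, reset, and login, while the plaintext is in hand."""
    return sha1_hex(password) not in BREACHED_SHA1

def make_account(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def rescreen(accounts: dict, exposed_pairs: list) -> list:
    """Ongoing screening: test newly exposed (username, password) pairs
    against stored salted hashes, without waiting for the patient to log in."""
    flagged = []
    for username, exposed_password in exposed_pairs:
        record = accounts.get(username.lower())
        if record is None:
            continue
        salt, stored = record
        if hmac.compare_digest(hash_password(exposed_password, salt), stored):
            flagged.append(username.lower())  # force a reset before next access
    return flagged

# Constructed portal accounts and a constructed feed of newly exposed pairs.
ACCOUNTS = {
    "alice@example.test": make_account("blue-Heron-41-canal"),
    "bob@example.test": make_account("Maple!Street!77"),
}
NEW_EXPOSURES = [
    ("Alice@example.test", "blue-Heron-41-canal"),  # reused elsewhere and leaked
    ("bob@example.test", "an-old-password"),        # exposed, but not the current one
    ("carol@example.test", "whatever"),             # not a portal user
]
```

Running `rescreen(ACCOUNTS, NEW_EXPOSURES)` flags only the account whose current password appears in the feed, which is the case a login-time check alone would miss until the patient next signs in.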

  2. Look at MFA

As shown above, relying on just one layer to protect sensitive systems and data is never a good idea. Providers should consider implementing multi-factor authentication to further protect patient portals. However, MFA is not a silver bullet as it adds additional points of friction to the user experience and as a result vendors may be reluctant to enforce it.

  3. Implement login monitoring and device intelligence

Login monitoring enables providers to determine whether a patient is using a device the system recognizes, and whether that device is linked to previous fraudulent activity or is posing as multiple patients. Should a device be flagged as suspicious, organizations can require additional authentication factors before granting access – or deny access altogether if necessary.

  4. Implement a CAPTCHA

Another important step in eliminating weaknesses in the patient portal is to ensure that all registration forms present a CAPTCHA for riskier registration attempts. There are numerous CAPTCHA products that can help vendors determine what counts as a “high risk” attempt, but multiple failed authentication attempts from the same source IP address should always trigger a CAPTCHA.

  5. Shut down access after multiple failed login attempts

It is also important that portals have a way to shut off access after too many login attempts with an invalid password, as this can ward off automated attacks and warn companies that such an attack is under way.
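Steps 3 to 5 can be combined into one pre-login decision. The following is an added example, not code from the article: the class name, thresholds and return labels are assumptions, and the timestamps are plain seconds so the logic can be run offline.

```python
from collections import defaultdict, deque

WINDOW = 900            # seconds of history considered (assumed)
CAPTCHA_AFTER = 3       # failures per source IP before CAPTCHA (assumed)
LOCK_AFTER = 5          # failures per account before lockout (assumed)
MAX_ACCOUNTS = 3        # accounts one device may touch before step-up (assumed)

class LoginGuard:
    def __init__(self):
        self.ip_failures = defaultdict(deque)
        self.account_failures = defaultdict(deque)
        self.known_devices = defaultdict(set)    # account -> trusted device ids
        self.device_accounts = defaultdict(set)  # device -> accounts attempted
        self.alerts = []

    def _recent(self, q, now):
        # Drop failures older than the window, then count what is left.
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def pre_check(self, account, ip, device, now):
        """What the portal demands before it evaluates the password."""
        if self._recent(self.account_failures[account], now) >= LOCK_AFTER:
            return "locked"
        if self._recent(self.ip_failures[ip], now) >= CAPTCHA_AFTER:
            return "captcha"
        seen = self.device_accounts[device] | {account}
        if device not in self.known_devices[account] or len(seen) > MAX_ACCOUNTS:
            return "step_up"   # additional authentication factor
        return "password"

    def record(self, account, ip, device, success, now):
        self.device_accounts[device].add(account)
        if success:
            self.known_devices[account].add(device)
            self.account_failures[account].clear()
            return             # IP failures are kept: one good login must not reset them
        self.ip_failures[ip].append(now)
        failures = self.account_failures[account]
        failures.append(now)
        if self._recent(failures, now) == LOCK_AFTER:
            self.alerts.append((now, account, ip))  # warn the security team once
```

Because the lock is derived from failures inside the window, it expires on its own once they age out, which limits how long someone can keep a patient locked out by deliberately failing logins.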

Malicious actors are always looking for new ways to infiltrate health organizations, and the rapid adoption and deployment of patient portals is an excellent opportunity for them. Whenever and however the world takes shape after the pandemic, it is a safe bet that portals and other digital innovations will remain in healthcare. This is why it’s so important for companies to step back and fix any vulnerabilities they may have missed in the initial rush to deliver telemedicine to their patients. At the same time, organizations must keep security in mind when investing in new telemedicine features and solutions to ensure they stay one step ahead of increasingly sophisticated efforts by hackers.


by Scott Rupp Enzoic, Health IT Security, Health Security, Josh Horwitz


Reference: electronichealthreporter.com
