Best practices for secure patient portals

The roll-out of patient portals has been a slow burn. While consumer finance, retail and other markets have given customers secure electronic access to their personal information for decades, healthcare has been playing catch-up. But thanks to regulatory pushes, such as the Promoting Interoperability and Meaningful Use programs and the Affordable Care Act, digitized health records are now the norm. Over half of healthcare consumers in the US use patient portals to access their health information at the click of a button – just as they do with their bank accounts or grocery deliveries.

Aside from the convenience factor, research suggests that when patients have access to their health records through patient portals, they experience better health outcomes, greater satisfaction levels, and improved communication with their provider. There’s a higher chance of spotting errors. Adherence to medications is increased, and care becomes more accessible for some otherwise hard-to-reach patients. For providers, this sense of ownership, transparency and connection contributes to elevated consumer loyalty and engagement.

As consumers embrace online portals to view their medical records and lab results, renew prescriptions, schedule appointments, and in some cases pay bills, they expect and assume their provider will keep that data secure. Providers must balance convenience and security.

Unfortunately, some patients remain unconvinced of their providers’ ability to get this balance right.

Patients worry about portal privacy and security

Despite the upsides, a quarter of patients with access to online portals in 2017 chose not to access them because of worries about privacy and security.

They’re right to be cautious: medical identities are said to be worth 20-50 times more than financial identities. It’s no wonder identity thieves are increasingly targeting the healthcare industry.

In 2018, the US Department of Health and Human Services’ Office for Civil Rights (OCR) reported 351 data breaches of 500 or more healthcare records, resulting in the exposure of more than 13 million patient records. Hackers are always on the lookout for vulnerabilities to exploit, with patient medical records, log-in credentials, passwords and other authentication credentials among their top five targets.

Without adequate IT security, your prized patient engagement tools – like patient portals – can become an open door for hackers.

As a provider, your job is to make it easy for patients to access and manage their own data, but hard for fraudsters to get their hands on sensitive data.

How to keep patient portals secure

The good thing about being somewhat late to the party is that healthcare organizations can learn from other industries in how they have tackled online security challenges without creating too much of a burden for consumers.

Think about how consumers authenticate their accounts for financial services or even social media profiles. Typically, there’s an email to verify they are who they say they are, or a two-factor authentication process with a code sent to their cell phone. Most patient portals don’t have these layers of security.

At Experian Health, we recommend a multi-layered solution incorporating device recognition (especially important as more users access portals via cell phones and tablets), identity proofing and fraud management. Here are some examples:

  1. Sign-up screening

When someone enrolls in the portal, use identity proofing to ensure they are who they say they are. It’s particularly important to ask out-of-wallet questions, such as their city of birth, first car model, or previous address to make sure they’re not an imposter.

  2. Log-in monitoring

Device intelligence will help you confirm the patient is using a cell phone or tablet your system recognizes, to minimize the risk of someone else accessing their account. This technology will tell you if the device is associated with previous fraudulent activities or potentially impersonating multiple patients. If a device fails to meet the risk threshold, identity proofing questions can be used to verify the user’s right to access the account.

  3. Additional checks on risky requests

Some patient portal activities, like downloading medical records and editing a patient’s profile, increase the risk. You’d want to add an extra layer of control here, such as additional out-of-wallet questions, to safeguard your patient’s data.

  4. Rapid response and damage containment

Given the sensitivity and richness of medical data, an attack on the portal can be devastating for patients and costly for providers. In the event of an attack, providers can put in place early warning systems to flag up which patients have been compromised and trigger rapid response measures to shut down the attack and prevent the damage from spreading.

  5. Promote interoperability

Physicians and care providers need to share information on patients in the course of providing good care. But how are they doing this? To keep that data secure and ensure it’s only seen by the right people, you can set up your systems to share data across different platforms in a safe and secure way.
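The log-in monitoring, risky-request and early-warning layers described above can be sketched in code. This is an added illustration, not Experian Health's code or product logic; the score weights, threshold, field names and sample events are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed values: the article gives no scoring scale or threshold.
RISK_THRESHOLD = 50            # score at or above this fails the device check
MAX_PATIENTS_PER_DEVICE = 3    # more accounts than this looks like impersonation
RISKY_ACTIONS = {"download_records", "edit_profile"}  # the two the article names

@dataclass(frozen=True)
class Device:
    device_id: str
    known_for_patient: bool   # seen before on this patient's account
    linked_to_fraud: bool     # tied to earlier fraudulent activity
    patients_seen: int        # distinct accounts accessed from this device

def device_risk(d: Device) -> int:
    """Hypothetical additive score from 0 to 100; higher is riskier."""
    score = 0 if d.known_for_patient else 50
    if d.linked_to_fraud:
        score += 60
    if d.patients_seen > MAX_PATIENTS_PER_DEVICE:
        score += 40
    return min(score, 100)

def challenges_required(d: Device, action: str) -> int:
    """One identity-proofing round per layer that the request trips."""
    needed = 1 if device_risk(d) >= RISK_THRESHOLD else 0
    if action in RISKY_ACTIONS:
        needed += 1           # the extra layer for risky requests
    return needed

def decide(d: Device, action: str, challenges_passed: int = 0) -> str:
    """Return 'allow', or 'step_up' to ask further out-of-wallet questions."""
    if challenges_passed >= challenges_required(d, action):
        return "allow"
    return "step_up"

def affected_patients(events, bad_device_id: str) -> list:
    """Early warning: accounts touched by a device later flagged as bad."""
    return sorted({patient for patient, dev, _ in events if dev == bad_device_id})

# Constructed sample events (patient, device, action); not real portal logs.
EVENTS = [
    ("patient-a", "dev-1", "view_labs"),
    ("patient-b", "dev-9", "download_records"),
    ("patient-c", "dev-9", "edit_profile"),
    ("patient-a", "dev-1", "schedule_appointment"),
]
```

A request from a recognized device for a routine action passes with no challenge, while the same device asking to download records gets one round of questions, and an unrecognized or shared device asking for the same download gets two.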

Underlying all of this is the need to reassure your patients that you can be trusted with their data. Victoria Dames, Senior Director of Product Management, Experian Health, explains:

“Healthcare breaches are nothing new, and neither is hackers’ and identity thieves’ penchant for medical records. What is new, however, is the broad range of tools that organizations can now utilize to stop them from accessing that personal data. Give patients the peace of mind they deserve by taking advantage of up-to-date solutions that actually work in our ever-evolving tech climate.”

Learn more about how to protect patient portals and encourage more patients to enjoy the full benefits of their patient portal, knowing that their sensitive personal details are safe.