
Locking Down Patient Portals

Five Defensive Solutions Healthcare Organizations Can Take Right Now

The pandemic has affected every aspect of society, but the healthcare industry has been at the center of the changes. Telehealth services and patient portals became more important overnight, as patients needed to access information without visiting a physical location. But as healthcare expands to be a hybrid of in-person and online care services, patient portals have become a port of entry for fraudsters, phishing attempts, and malware attacks.

This isn’t a forecast: it’s already happening. Hundreds of providers were affected last year alone, costing them a collective 21 billion dollars.

What are patient portals?

Patient portals are websites or apps where patients can communicate with providers and administration, access their treatment plans including prescriptions, and process payments. This means one digital location for a patient’s personally identifiable information (PII) and personal health information (PHI), as well as their insurance details and credit card information. Unsurprisingly, this wealth of data makes patient portals an attractive target for cybercriminals.

It’s been proven that having a central hub to access and reference all of one’s medical information is incredibly useful. These conveniences will likely stick around. Therefore, healthcare organizations and IT professionals must respond to the massive security concerns surrounding patient portals.

Here are five steps that a healthcare organization can take to protect itself and its patients.

  • Implement a CAPTCHA

CAPTCHAs are a useful step to help deter bots and other risky login attempts. Fortunately, many people now expect CAPTCHAs when logging in to a secure form.

  • Establish a Login Limit

This is a simple and useful response to repeated failed login attempts. If someone or something uses invalid passwords again and again, it could be a sign of an automated attack. Having a means of shutting down access to the account in question is an efficient way to guard against these attacks and to alert the organization that an attack may be in progress.

  • Use Login Monitoring

Login Monitoring and Device Intelligence can determine if the device a patient is using to log in is recognized as theirs. Organizations want to be able to lock the account if the device is being used to impersonate multiple patients or if it’s been previously used in fraudulent attempts. Whether this is done through geolocation, IP recognition, or other identifiers, organizations can then take action, flag the account, or shut it down.
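The login limit and the login monitoring described above are two checks on the same login event, so one worked example serves both. The following is an added illustration and not code from the original post or from any vendor it describes: a small guard that locks an account after repeated failures inside a sliding window, alerts the organization, tracks which patient accounts each device identifier has been used for, flags a device that logs in to more patients than a threshold, and denies devices previously marked as fraudulent. The threshold values, the `device_id` string (however it is derived: geolocation, IP recognition, or another identifier) and the injected `clock` are assumptions for the illustration.

```python
import time
from collections import defaultdict, deque

# Policy constants (assumed values for illustration; tune to the organization's risk tolerance)
MAX_FAILURES = 5                  # failed attempts allowed inside the window before lockout
FAILURE_WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted
LOCKOUT_SECONDS = 30 * 60         # how long an account stays locked
MAX_PATIENTS_PER_DEVICE = 3       # distinct patient accounts one device may use before it is flagged


class LoginGuard:
    """Account lockout on repeated failures plus device-to-account tracking.

    `clock` is a callable returning epoch seconds; it is injected so the
    policy can be exercised deterministically in tests.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)       # account -> timestamps of recent failed logins
        self.locked_until = {}                   # account -> epoch second when the lock expires
        self.device_accounts = defaultdict(set)  # device_id -> accounts seen logging in from it
        self.fraud_devices = set()               # device_ids tied to confirmed fraud
        self.alerts = []                         # events the security team should see

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def mark_fraudulent(self, device_id):
        """Record a device identifier that has been used in a confirmed fraudulent attempt."""
        self.fraud_devices.add(device_id)

    def _record_failure(self, account, now):
        recent = self.failures[account]
        while recent and now - recent[0] > FAILURE_WINDOW_SECONDS:  # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            self.alerts.append(f"lockout account={account}")
            return "locked"
        return "failed"

    def attempt(self, account, device_id, password_ok):
        """Evaluate one login attempt; `password_ok` is the result of the credential check."""
        now = self.clock()
        if self.is_locked(account):
            return "deny:locked"  # attempts against a locked account are refused outright
        if not password_ok:
            return self._record_failure(account, now)
        if device_id in self.fraud_devices:
            self.alerts.append(f"fraud-device account={account} device={device_id}")
            return "deny:fraud_device"
        self.device_accounts[device_id].add(account)
        seen = len(self.device_accounts[device_id])
        if seen > MAX_PATIENTS_PER_DEVICE:
            self.alerts.append(f"shared-device device={device_id} accounts={seen}")
            return "flag:shared_device"
        self.failures.pop(account, None)  # a good login resets the failure counter
        return "allow"
```

The `alerts` list stands in for whatever the organization uses to notify its security team; the point is that a lockout or a flagged device is both an access decision and a signal worth investigating.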

  • Screen for Compromised Credentials

Screening for compromised credentials is a highly effective method of protecting systems and user data. Many patient portals are only protected by a user-chosen password which is not enough security for the amount and the type of information being actively stored in the portals. This is compounded by the sheer number of people who reuse passwords—upwards of 60% of users, according to a Google survey. If any one of those accounts has been breached, all other sites, apps, and services associated with the reused, and now exposed, password are at risk. Screening new passwords against a blacklist of breached credentials is an excellent first step, but to protect their systems, organizations need to screen on an ongoing basis.
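As an added example (not code from the original post), the following shows one common way to screen a password against a breach corpus without revealing the password to the screening service: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, and matches the remaining suffix locally against the bucket the service returns. The breach corpus here is a constructed stand-in of three plaintexts and counts; a real deployment would load a breach dataset or query a range-lookup service. The two decision functions cover both points in the text: screening a new password at registration or reset, and ongoing screening by re-checking at each login, when the plaintext is briefly available.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: leaked plaintexts and how often each was seen.
# A real deployment would load a breach dataset or query a range-lookup service instead.
CONSTRUCTED_BREACHED = {"password123": 1200, "Winter2020!": 40, "letmein": 9800}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index keyed by the first five hex characters of the SHA-1 digest.
_RANGE_INDEX = defaultdict(dict)
for _pw, _count in CONSTRUCTED_BREACHED.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]][_h[5:]] = _count


def range_lookup(prefix: str) -> dict:
    """Server side: return every known hash suffix in the bucket for a 5-character prefix.

    The server only ever learns the prefix, so it cannot tell which password was checked.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def is_compromised(password: str) -> bool:
    return breach_count(password) > 0


def password_change_decision(new_password: str) -> str:
    """Screening at registration or reset: refuse a password that is already exposed."""
    return "reject:breached" if is_compromised(new_password) else "accept"


def login_decision(password_matches: bool, password: str) -> str:
    """Ongoing screening: re-check at each login so a password that leaked after it was
    set is caught, and force a reset rather than silently continuing."""
    if not password_matches:
        return "reject"
    return "allow:force_reset" if is_compromised(password) else "allow"
```

The prefix query keeps the screening service from learning the candidate password, which matters when the service is operated by a third party; the local suffix match is what makes the check accurate rather than approximate.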

  • Consider Using Multifactor Authentication (MFA)

MFA is an excellent option to augment existing defenses by adding security that is separate from the password layer. This could be in the form of sending a one-time code to a phone or getting the user to scan their fingerprint. However, MFA is not a cure-all, because of the additional user friction.
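The one-time code the text mentions is most often a time-based one-time password (TOTP). The following is an added illustration, not code from the original post: HOTP and TOTP as specified in RFC 4226 and RFC 6238 (HMAC-SHA1 over a counter, dynamic truncation, six digits, 30-second steps), plus a server-side verifier that compares in constant time, tolerates one step of clock skew, and remembers the last accepted step per user so a captured code cannot be replayed. The secret used in the test is the published RFC test secret; the user name and injected `clock` are assumptions for the illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side verifier with a small clock-skew window and replay protection.

    `clock` returns epoch seconds and is injected so the verifier can be tested
    against the RFC 6238 vectors at a fixed time.
    """

    def __init__(self, step: int = 30, window: int = 1, clock=time.time):
        self.step = step
        self.window = window
        self.clock = clock
        self.last_step = {}  # user -> highest time step whose code was accepted

    def verify(self, user: str, secret: bytes, submitted_code: str) -> bool:
        current = int(self.clock()) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_step.get(user, -1):
                continue  # this step's code was already accepted: reject replay
            # compare_digest keeps the comparison time independent of where the codes differ
            if hmac.compare_digest(hotp(secret, candidate_step), submitted_code):
                self.last_step[user] = candidate_step
                return True
        return False
```

The skew window is the usual trade-off between user friction (a code typed just as the step rolls over still works) and exposure (a code stays valid for up to three steps); the per-user `last_step` record closes the replay gap that the window would otherwise open.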

Telehealth and patient portals are here to stay, and they will continue to evolve. Now is the time for IT teams to implement strong defenses in their existing digital solutions and stay alert to cybercriminals’ ever-shifting infiltration efforts.