May 22, 2018
The Challenge of Creating Secure Patient Portals

Patient portals are changing the way patients think about and access health care. Along with messaging their physicians, patients can now use portals to schedule appointments, access lab results, fill prescriptions, view their health records, update their demographic information, access discharge and medication instructions, and pay their bills. In some cases, they can even video chat with their providers.

The potential advantages should be increasingly clear to physicians, too. Portals can promote patient engagement and allow caregivers to use analytics to measure how well patients are progressing or whether they need to initiate interventions or adjust care plans. And portals can be used to encourage patients to handle routine inquiries on their own, thus freeing up more time to devote to patient care.

Breaches happen

But along with their many advantages, portals present some challenges, chief among them security and Health Insurance Portability and Accountability Act (HIPAA) compliance. Safety concerns are warranted, of course, considering the frightening number of attacks that hackers have been waging against healthcare institutions. If you’re thinking of using patient portals, you need to take all reasonable steps to keep data safe, and you need to make sure you comply with the meaningful use criteria of the Centers for Medicare and Medicaid Services (CMS) Electronic Health Records (EHR) incentive program.

A recent breach illustrates the kind of mistake that’s too easy to make. Recently, an IT consultant discovered that he could not only access his own test results through a healthcare services company portal, he could also access test results and personal health information of other patients. All he had to do was change one digit in the URL, because the records had been set up sequentially with no encryption. Fortunately, he wasn’t out to exploit the flaw, and he made sure the company was alerted.

What’s required

The CMS EHR incentive program mandates six meaningful use criteria related to patient portal functionality:

  • A clinical summary to the patient after each visit
  • Secure messaging (SM) between patient and provider
  • Ability to view, download, and transmit personal health record data
  • Patient-specific education
  • Patient reminders for preventative services
  • Medication reconciliation

Additionally, HIPAA requires providers to protect all information maintained in, or available through, patient portals. But just as HIPAA regulations don’t prevent patients from giving friends or family access to written personal information, regulations don’t prevent patients from granting portal access to others of their choosing. HIPAA does, however, require providers to establish safeguards to prevent unauthorized access to patient information.

That usually means, among other things, providing a password. The best way to prevent vulnerability, say experts, is to give the patient the password in person, minimizing the possibility that unintended recipients will gain access to it via email or other means.

How complex should the password be? Complex enough that providers can be shown to have taken reasonable care to guard against unauthorized access, but not so complex that users have trouble accessing their records, say experts. Ultra-complex protocols requiring multiple layers or character sets may create the impression that providers are trying to deny patients access to their records.

Safer and stronger

Here are some other suggested steps to ensure that your portals are secure:

  • Encrypt the information. Encryption makes information unreadable unless you have a security key, making it useless to hackers or unauthorized users.
  • Implement a need-to-know approach to limit access to information. Employees should have different levels of access, depending on what kinds of information they need to do their work.
  • Consider using two-factor authentication. For example, require patients to type in security codes sent to their mobile phones to be able to log in to the portal.
  • Have strong audit logs. Logs should show what information was accessed, along with details on destination and source addresses, a timestamp, and user login information.
  • Train staff to explain to patients what they can do to keep their health data secure.
  • If you accept online payments through a portal, make sure it complies with the Payment Card Industry Data Security Standard (PCI DSS).
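
The breach described under "Breaches happen" and the need-to-know and audit-log items above meet in one place: the server-side code that serves a record. The Python below is an added example, not code from any portal or vendor discussed here; the record store, function names, addresses and the owner-only access policy are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: sequential record ids, as in the breach described above.
RECORDS = {
    1001: {"owner": "alice", "result": "HbA1c 5.4 %"},
    1002: {"owner": "bob", "result": "LDL 131 mg/dL"},
    1003: {"owner": "carol", "result": "TSH 2.1 mIU/L"},
}
AUDIT_LOG = []  # in production: append-only storage, not an in-memory list


def get_result_vulnerable(session_user, record_id):
    """The flaw: being logged in is treated as permission for any id in the URL."""
    return RECORDS[record_id]["result"]


def audit(user, record_id, outcome, src_ip, dst_ip):
    """Record the fields the audit-log item lists: what, who, when, from, to."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "record_id": record_id, "outcome": outcome,
        "src": src_ip, "dst": dst_ip,
    })


def get_result_hardened(session_user, record_id, src_ip, dst_ip="192.0.2.10"):
    """Serve a record only to its owner (assumed policy) and log every attempt."""
    record = RECORDS.get(record_id)
    allowed = record is not None and record["owner"] == session_user
    audit(session_user, record_id, "allow" if allowed else "deny", src_ip, dst_ip)
    if not allowed:
        # Same error for missing and foreign ids, so replies do not reveal which ids exist.
        raise PermissionError("record not available")
    return record["result"]


def users_probing_ids(log, threshold=2):
    """Flag users who were denied on `threshold` or more distinct record ids."""
    denied = {}
    for entry in log:
        if entry["outcome"] == "deny":
            denied.setdefault(entry["user"], set()).add(entry["record_id"])
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```

A portal that lets patients grant access to family members would replace the owner comparison with a lookup of who the patient has authorized; the check still runs on every request.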