Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Patient Portal Security Is A Tricky Issue

Posted on April 25, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Much of the discussion around securing health data on computers revolves around enterprise networks, particularly internal devices. But it doesn’t hurt to look elsewhere in assessing your overall vulnerabilities. And unfortunately, that includes gaps that can be exposed by patients, whose security practices you can’t control.

One vulnerability that gets too little attention is the potential for a cyber attack accessing the provider’s patient portal, according to security consultant Keith Fricke of tw-Security in Overland Park, Kan. Fricke, who spoke with Information Management, noted that cyber criminals can access portal data relatively easily.

For example, they can insert malicious code into frequently visited websites, which the patient may inadvertently download. Then, if your patient’s device or computer isn’t secure, you may have big problems. When the patient accesses a hospital or clinic’s patient portal, the attacker can conceivably get access to the health data available there.

Not only does such an attack give the criminal access to the portal, it may also offer the them access to many other patients’ computers, and the opportunity to send malware to those computers. So one patient’s security breach can become a victim of infection for countless patients.

When patients access the portal via mobile device, it raises another set of security issues, as the threat to such devices is growing over time. In a recent survey by Ponemon Institute and CounterTack, 80% of respondents reported that their mobile endpoints have been the target of malware the past year. And there’s little doubt that the attacks via mobile device will more sophisticated over time.

Given how predictable such vulnerabilities are, you’d think that it would be fairly easy to lock the portals down. But the truth is, patient portals have to strike a particularly delicate balance between usability and security. While you can demand almost anything from employees, you don’t want to frustrate patients, who may become discouraged if too much is expected from them when they log in. And if they aren’t going to use it, why build a patient portal at all?

For example, requiring a patient to change your password or login data frequently may simply be too taxing for users to handle. Other barriers include demanding that a patient use only one specific browser to access the portal, or requiring them to use digits rather than an alphanumeric name that they can remember. And insisting that a patient use a long, computer-generated password can be a hassle that patients won’t tolerate.

At this point, it would be great if I could say “here’s the perfect solution to this problem.” But the truth is, as you already know, that there’s no one solution that will work for every provider and every IT department. That being said, in looking at this issue, I do get the sense that providers and IT execs spend too little time on user-testing their portals. There’s lots of room for improvement there.

It seems to me that to strike the right balance between portal security and usability, it makes more sense to bring user feedback into the equation as early in the game as possible. That way, at least, you’ll be making informed choices when you establish your security protocols. Otherwise, you may end up with a white elephant, and nobody wants to see that happen.

Mobile Apps Pose Security Risks

Posted on July 11, 2013 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Mobile apps that share files via the cloud may be popular, but they pose risks in a clinical setting, according to a study reported by FierceMobileHealthcare.

The study, which was conducted by the Ponemon Institute, concluded that many health organizations aren’t taking the steps needed to guard protected health information on mobile devices and in the cloud.  In fact, more than half of respondents (54 percent) reported having an average of five data breaches involving the loss or theft of a mobile device containing  PHI, according to FierceMobileHealthcare.

About 33 percent of Ponemon respondents said they need to access PHI to do their work. That being said, only 15 percent of survey respondents were aware of HIPAA’s security requirements for regulated data on mobile devices.  This was the case despite the fact that 33 percent of respondents were part of a HIPAA-covered entity.

Meanwhile, 40 percent of respondents weren’t sure if their organization’s policies on employee access and use of regulated data on mobile devices were HIPAA-compliant. Twelve percent said they were compliant, 31 percent were partially compliant and 17 percent said they were noncompliant.

While healthcare organizations may be playing it a bit fast and loose where use of the cloud via mobile is concerned, they’re still being very cautious where other  uses of the cloud are concerned, FierceMobileHealthcare notes.

According to a recent survey by technology vendor CDW, healthcare organizations ranked seventh out of eight industries studied when it came to adoption of cloud computing.  According to CDW, healthcare leaders cited security concerns about proprietary data and applications as reasons they’d been reluctant to adopt cloud technology.