8 Security Features You Need in a Patient Portal
- Blake Rodocker
- May 26, 2017
Updated On June 3, 2020.
Healthcare authorities are implementing new laws to boost interoperability within healthcare organizations and give patients more control and access to their personal health information. With this newfound sharing model, healthcare organizations and IT vendors must implement stricter patient portal security measures to protect valuable patient information. Healthcare data is increasingly becoming a more popular target with hackers as they innovate their techniques to gain access to this valuable and sensitive information.
As a result, the increased sharing of patient data has led to the demand for secure patient portals and mobile apps, which can serve as effective tools for secure patient-provider data exchange, communication, and care management. While patient portals allow information to be accessed and shared conveniently, healthcare organizations should be aware that there are several patient portal privacy and security issues. It’s the responsibility of the healthcare organization to ensure individual health information is kept private and secure.
Features required for patient portal security
Here we look at what features are required for patient portal security, and the protection and confidentiality of collected health information.
- Encrypted database features. Encryption allows data to be securely transmitted or stored, meaning that it is readable only by authorized persons by converting the original message or information into ciphertext. There is a very low probability that anyone other than the authorized party could decrypt and convert the ciphertext into readable information. It is best to use the industry-standard AES-256 encryption to keep data secure at rest and TLS v1.2 or v1.3 with a robust cipher suite (following NIST recommendations) for data in transit.
- Provide Role-Based Access Control (RBAC). Regulate who has access to specific information based on the role of each employee or user within the organization. For example, administrative staff may not need to see the same information and data as nursing staff. Consider what information each employee needs and grant access to the specific areas as required. RBAC is also an important concern for patient-authorized representatives or proxy accounts. Having proxy patient portal access that appropriately manages dependent accounts (e.g. a parent managing their child’s account) is a growing concern for healthcare organizations as patient portal adoption rates increase. 45% of the hospitals in the US do not offer proxy patient portal access.
- Extensive password protection and MFA (multi-factor authentication). Your HIPAA patient portal should require a password to access the system, and again if there is a period of inactivity of 30 minutes. If a password is entered incorrectly too many times, it should lock user accounts. Ensure that all employees (users) passwords are following NIST recommendations and are reset every 60 to 90 days. A more robust validation can be applied with multi-factor authentication. Bridge Patient Portal, for example, supports SMS-based two-factor authentication for password resets and account registration. The patient portal sends an SMS message to a mobile phone with a time-sensitive security code to complete the patient portal security registration or password reset. Keeping a secure password can be a complicated procedure, that is why some secure patient portals offer biometric authentication (fingerprint and facial recognition) to provide patients with a quick, secure, and frictionless experience when accessing health information.
- Audit Trails. It’s crucial to establish an audit trail that records key activities and conduct periodic reviews to reduce the risk associated with inappropriate access and violations against HIPAA rules. Robust training, policies, and agreements should also be in place for all staff members with patient portal access to ensure patient portal security.
- Consent. Your secure patient portal should store, display, and print patient consent forms. The most critical consent form is an opt-in agreement where a patient understands and agrees to the risks associated with the inevitably insecure patient-provider communication.
- Meet federal and state laws with regard to privacy and security. Follow the regulations set by healthcare authorities such as the Office for Civil Rights (OCR) and Health & Human Services (HHS) in regards to laws such as ADA, HIPAA, and CCPA.
- Custom Privacy Policy and Terms and Conditions. You should have a custom Privacy Policy and Terms and Conditions of Access, which outlines how your healthcare organization handles the privacy of personal information that you collect and how it operates on a day-to-day basis. If your healthcare organization does business within California, it’s essential that you also have a CCPA compliant patient portal.
- PCI Compliance. HIPAA compliant bill pay requires that patient credit card details should not be transmitted or stored unless your clinic complies with PCI Security Council Standards, which keeps the patient’s payment card data secure.
Bridge is ONC 2015 Edition Certified and adheres to strict HIPAA and patient portal security protocols. Learn more about how Bridge implements compliance and security for its secure patient portal solution as well as its customers.