Comment: What is the best practice for securing patient portals?

James Romer, chief security architect at SecureAuth + Core Security, discusses how health and care organisations can best secure their patient portals without affecting the user experience, especially in periods of high demand

The healthcare industry is undergoing a fundamental transformation driven by technology to help healthcare providers achieve optimal outcomes at lower costs.

This change has been galvanised by the need to provide consistent, gold-standard care to an increasingly ageing population, while simultaneously addressing the changing needs and expectations of patients in terms of access to high-quality resources.

Emerging trends, such as video consultations and medical chatbots, aim to ease the burden on organisations and staff without negatively impacting quality of care.

Embracing new technology and innovations can address issues around siloed working, connectivity, user adoption and patient engagement while keeping ongoing costs low.

However, challenges around legacy technologies and existing working culture continue to hamper this shift.

To thrive, and indeed even to survive, healthcare providers must leave behind old technologies and embrace a modern approach to improving engagement, enhancing customer experience, and reducing risk.

A crucial element of this transformation is the deployment of business apps and patient portals.

Patient engagement models are shifting toward more online interaction via portals to provide users with the information they need regardless of location or time of day. These portals will act as one of the main interfaces between patients and the NHS so everything around the user experience (UX) and security must be a top priority.

Underpinning this must be a secure foundation that gives healthcare providers the agility and scale to deliver the required services at times of high demand.

The value of patient data and hacker tactics

The information stored within patient portals is highly attractive to a cyber attacker.

Money can be made on the dark web not only from selling patient data and login details, but also from accessing prescriptions for online resale.

The most common and effective cyber attack vector is theft of valid user credentials. This is because even the most advanced technologies designed to fortify the network, encrypt data and protect endpoints are not able to detect an anomaly if an attacker simply types in a valid username and password.

Verizon's 2017 Data Breach Investigations Report revealed that 81% of hacking-related breaches leveraged either stolen or weak passwords. Password cracking, keystroke capture and phishing remain the most effective tools a hacker can use.

Balancing security and the user experience

Patients and NHS staff both require a service that is seamless and streamlined to ensure continued user adoption.

Incorporating cumbersome authentication procedures or numerous password prompts can adversely affect the user experience and access, and in the healthcare industry any disruption can mean the difference between life and death.

In these cases, portal security will be at the bottom of the priority list and staff will do what they need to obtain the information they require.

Decreased user adoption, increased workarounds and gaps in security will be inevitable consequences. To combat this, security needs to be invisible and act behind the scenes to verify identities, without relying on passwords or on two-factor authentication (2FA) alone.

To demonstrate how this works in practice, a non-profit healthcare organisation based in the US implemented a two-factor solution that used hard tokens, but staff complained about the inconvenience of carrying them.

User satisfaction improved when the hospital moved to a solution that used a question-and-answer approach, but that solution disrupted the user experience and, critically, it was compatible with only a few of the hospital's systems and the most commonly used devices. To solve the issue, the organisation utilised a solution that provided authentication by creating a unique digital fingerprint for devices, meaning that users only had to log in once every 90 days. Security was achieved without adding friction to the workflow.

What's the best practice?

There are a few strategies that can be implemented to ensure that resilience around patient portals is maintained and users are not impacted. These include:

Consider risk-based authentication methods: Unlike defences designed to protect the perimeter and traditional two-factor authentication methods, risk-based authentication can detect and block attackers, even those who have stolen valid credentials or guessed a user's password.

Think about invisibility: Employ multiple risk checks that silently verify users (using device recognition, machine learning or geographical factors) and only prompt for additional authentication methods when the overall risk exceeds the threshold for that specific type of user and request. Most users will not be aware that the risk check happened.

Consider the entire user base: Organisations need to be able to strategically add security in a way that makes life easier for users, including employees, external or non-affiliated partners, patients, and members. Security should never be reduced to preserve user workflows.

Use controls that are difficult to socially engineer: The human element never disappears from the challenge of cybersecurity. If a lab technician, patient or nurse does fall for a social engineering scam, the security programme should use controls that block the possibility of success. Instead of implementing authentication methods, such as security questions that someone could guess from reading a review page on a social media network, utilise multiple layers of controls that will thwart a criminal who obtained a valid password by impersonating an IT administrator or hospital authority figure.

Make education a priority: Relying solely on technology only addresses a part of the problem. Not all issues can be solved technically. NHS staff need to be aided, through internal education and awareness campaigns, to assist in recognising common malicious attempts such as phishing. These attacks are often used as a mechanism to fool end users into sharing enterprise credentials, or to deliver payloads used to compromise systems.
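The risk-based and "invisible" authentication strategies above can be made concrete with a small risk engine. This is an added example written for this article, not SecureAuth's product or code: it combines device recognition (with the 90-day device trust from the hospital case study) and a geographical check into a score, and only asks for step-up authentication when the score crosses a threshold that depends on the type of user. The thresholds, weights, device fingerprints and country values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: a score at or above the role's threshold triggers step-up; privileged roles are stricter.
STEP_UP_THRESHOLD = {"patient": 40, "clinician": 30, "administrator": 20}
DEVICE_TRUST_DAYS = 90  # a remembered device must be re-verified after 90 days

@dataclass
class UserProfile:
    user_type: str
    home_country: str
    trusted_devices: dict = field(default_factory=dict)  # device fingerprint -> last verified

@dataclass
class LoginAttempt:
    password_valid: bool
    device_fingerprint: str  # hypothetical hash the portal client derives from the device
    country: str             # hypothetical geo-IP lookup result
    when: datetime

def score_risk(profile: UserProfile, attempt: LoginAttempt) -> tuple[int, list[str]]:
    """Silent checks: returns the summed score plus the reasons that fired, for the audit log."""
    score, reasons = 0, []
    verified = profile.trusted_devices.get(attempt.device_fingerprint)
    if verified is None or attempt.when - verified > timedelta(days=DEVICE_TRUST_DAYS):
        score, reasons = score + 40, reasons + ["device not recognised or trust expired"]
    if attempt.country != profile.home_country:
        score, reasons = score + 25, reasons + ["login from an unusual country"]
    return score, reasons

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """'deny' on a bad password; otherwise 'step_up' or 'allow' against the role's threshold."""
    if not attempt.password_valid:
        return "deny"  # credentials are wrong, so risk scoring does not apply
    score, _ = score_risk(profile, attempt)
    return "step_up" if score >= STEP_UP_THRESHOLD[profile.user_type] else "allow"

def demo() -> tuple[str, ...]:
    """Constructed scenarios; device names and dates are made up."""
    now = datetime(2020, 6, 1)
    devices = {"dev-a1": now - timedelta(days=10), "dev-old": now - timedelta(days=120)}
    nurse, patient, admin = (UserProfile(t, "GB", devices) for t in ("clinician", "patient", "administrator"))
    return (
        decide(nurse, LoginAttempt(True, "dev-a1", "GB", now)),    # allow: usual device, the check is invisible
        decide(nurse, LoginAttempt(True, "dev-zz", "RO", now)),    # step_up: valid password, unknown device abroad
        decide(nurse, LoginAttempt(False, "dev-a1", "GB", now)),   # deny: wrong password
        decide(nurse, LoginAttempt(True, "dev-old", "GB", now)),   # step_up: 90-day device trust has lapsed
        decide(patient, LoginAttempt(True, "dev-a1", "FR", now)),  # allow: 25 is below the patient threshold of 40
        decide(admin, LoginAttempt(True, "dev-a1", "FR", now)),    # step_up: same signal exceeds the admin threshold
    )
```

The reasons returned by `score_risk` are what the security team would log and alert on, so a stolen password used from a new device shows up as a step-up event rather than a silent success.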

Ensuring continued success

Patient portals are critical to the success of healthcare organisations, serving as the primary arena for communication and other interactions.

Organisations need to be able to prevent attackers from misusing stolen credentials and protect sensitive information that is contained in the portal to ensure ongoing engagement with users and promote trust.

Breaches of these portals not only drive up costs and increase regulatory oversight, but also do enormous damage to reputation.

By taking a holistic view of the type of security employed across an organisation, healthcare leaders can make intelligent and informed decisions on how to protect the valuable data they possess while actively supporting workers to provide superior care to patients.