Password security isn't just for providers. Practices should make sure its patients are using tough passwords when using their patient portal.
You may be very careful about your password security-choosing strong passwords and guarding them carefully-but you can’t be sure your patients will be equally prudent in their use of the passwords they use to access your patient portal.
“HIPAA security rules don’t apply to patients,” pointed out Ron Sterling, president of Sterling Solutions, a healthcare information technology consulting firm in Silver Spring, Maryland. “The practice has no responsibility for what patients do with their health information.” It is also comforting to know that if an individual patient’s portal account is hacked, the intruder won’t be able to get to any other patients’ records or anywhere else in your system. “The key security issue,” said Sterling, “is protection of system administrator access.” Even though compliance isn't an issue and you may think patient passwords aren’t your problem, if you want your patient portal to be successful, you need to give your patients a little help with password security.
“Providers need to engage with patients and be very familiar with the portal they are using so that they can show patients that it is safe to retrieve information,” said Tammie Olson, of Management Resource Group, an Ocean Springs, Miss., firm offering financial management and support services for the healthcare community. And of course, that information won’t really be safe if the patient doesn’t choose a strong password and protect it well. Sterling suggests having a display on the portal as well as giving patients a handout that explains the basics of password security.
Your portal program may reject passwords that aren’t strong enough, forcing patients to choose better ones, but if they do not understand what (and why) the program is going for, this could be just an added frustration making them less likely to use the portal. It is also not guaranteed they won’t write the password down and put it in an easy-to-find location. Olson suggested designating someone on your staff as the go-to for patient portals. “This person would introduce patients to the portal and encourage them to choose safe passwords. They would also educate patients about when and when not to use the portals,” she said.
“We require 6-15 characters [for portal passwords], and these must consist of at least one letter and at least one numeric character, though we don’t require symbols,” said Jennifer Perry, practice administrator for Norwood Clinic, a large multi-specialty practice in Birmingham, Ala. “We encourage patients to choose passwords they can remember, but to refrain from using their family or pets’ names. One technique we recommend is using the first letter of each word in a familiar phrase or song,” she added.
Education is Key
Your patients, like everyone else, will occasionally forget their passwords. It’s easiest all around if patients can reset forgotten passwords themselves, but of course that is not always possible. “We provide a link for patients to recover and reset their passwords themselves. If they are still unable to reset it, they may contact our IT team,” said Perry. Do make sure that, however your portal works, it is clear to patients how to select and reset passwords, not only for the protection of their health information, but so that the portal will be user friendly. “Education of patients is the key to successful and safe use of patient portals,” said Olson.