
Patient Portals Are Great for Your Practice. Are They Secure?


Patient portals are becoming standard in dental and medical practices. Online appointment scheduling, treatment plan review, secure messaging, billing access. Patients love the convenience, and it reduces phone call volume for your front desk. Win-win.

But every portal is a door into your practice's data. And not all doors are equally well-locked.

The Security Considerations

Authentication

How do patients log into the portal? If it's just a username and password with no option for two-factor authentication, you're relying entirely on patients choosing strong, unique passwords. Spoiler: they won't. A compromised patient portal account exposes that patient's health records, billing information, and possibly their insurance details.

Look for portals that support 2FA or, at minimum, require strong passwords and lock accounts after repeated failed login attempts.

Data in Transit

Any patient portal must use HTTPS (TLS encryption) for all communications. This is non-negotiable. Check for a valid TLS certificate (still commonly called an SSL certificate) and ensure the portal never falls back to unencrypted HTTP for any page. If a portal loads any content over HTTP, even images, that mixed content undermines the protection of the whole page.
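As an added example (not code from the original post), the following Python script applies the two checks above to a constructed sample page: it flags every sub-resource or form target that uses plain http://, and it checks that the response carries a Strict-Transport-Security header so browsers will not fall back to HTTP. The portal and CDN hostnames are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs whose URL the browser fetches or submits to.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "link": "href", "source": "src", "form": "action"}


class InsecureUrlParser(HTMLParser):
    """Collects sub-resource and form-target URLs that use plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        if attr is None or not a.get(attr):
            return
        # <link> only fetches a resource when it is a stylesheet;
        # rel="canonical" or "alternate" links are not loaded by the browser.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        url = a[attr].strip()
        if urlparse(url).scheme.lower() == "http":
            self.findings.append((tag, url))


def find_insecure_urls(html):
    """Return (tag, url) pairs that would load or post over unencrypted HTTP."""
    parser = InsecureUrlParser()
    parser.feed(html)
    return parser.findings


def check_hsts(headers):
    """Return problems with the Strict-Transport-Security response header."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security: browsers may still try plain HTTP"]
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m or int(m.group(1)) == 0:
        return ["HSTS max-age is zero or absent, so the policy is not enforced"]
    return []


# Constructed sample response (hostnames are invented) to run the checks offline.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://portal.example/app.css">
<link rel="canonical" href="http://portal.example/login">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="https://portal.example/logo.png">
<img src="http://static.example/banner.jpg">
<form action="http://portal.example/login" method="post"></form>
</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for tag, url in find_insecure_urls(SAMPLE_HTML):
        print(f"plain-HTTP {tag}: {url}")
    for problem in check_hsts({"Content-Type": "text/html"}):
        print(problem)
```

Point the same functions at a live portal's response body and headers (fetched with any HTTPS client) to repeat the check during vendor evaluation.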

Data at Rest

Where does the portal store patient data? Is it encrypted? If the portal vendor is cloud-based, what cloud infrastructure do they use? Do they have SOC 2 compliance? A HIPAA Business Associate Agreement (BAA)?

If a vendor can't answer these questions clearly, that tells you something.

Integration Points

Patient portals typically integrate with your practice management system (PMS). That integration requires some form of data exchange, whether through direct database connections, APIs, or file syncing. Each integration point is a potential vulnerability. Ensure the integration uses encrypted connections and authenticated access.

Questions to Ask Your Portal Vendor

  1. Will you sign a HIPAA Business Associate Agreement?
  2. Where is patient data stored, and is it encrypted at rest?
  3. Do you support two-factor authentication for patient accounts?
  4. How is data transmitted between the portal and our PMS?
  5. What is your breach notification process?
  6. How often do you conduct security assessments or penetration tests?
  7. What happens to our data if we cancel the service?

HIPAA Requirements

A patient portal that handles PHI is subject to HIPAA. That means:

  • The vendor must sign a BAA before you go live
  • You must include the portal in your HIPAA risk assessment
  • Access logs must be maintained and reviewable
  • Patients must be able to request access to their data through the portal
  • The portal must support secure messaging (encrypted, not regular email)

Our Recommendation

Patient portals are worth implementing. They improve patient satisfaction, reduce administrative burden, and support meaningful use requirements. But treat the selection process like you would any other security decision: evaluate the vendor's security posture, get the BAA signed, and include the portal in your risk management program.

The last thing you want is a patient portal that becomes a patient data breach portal.