The Security Imperative In The Healthcare Industry: Steps To Defending Telehealth And Patient Portals Against Cyber Attacks

Mike Wilson is the Founder & CTO of Enzoic, a cybersecurity company that helps prevent account takeover of employee and customer accounts.

The healthcare industry is one of the biggest targets for cybercriminals. In 2020, ransomware attacks alone cost the industry $20.8 billion in downtime, affecting well over 600 providers nationwide. The pandemic transformed the landscape for healthcare, with the rapid adoption of technology to support telehealth, and patient portals became the primary way to communicate with providers, access treatment plans and related documents and process payments.

Patient portals quickly became a way to counter the challenges created by the pandemic, and security was often forgotten about or, at best, an afterthought in the rush to provide contactless and convenient access to healthcare. This resulted in opening the door for fraud, phishing and ransomware attacks. The portals are extremely attractive to cybercriminals, as each account contains a treasure trove of valuable personal and health data.

Hackers view telemedicine as an easy target for a couple of reasons. First, you have data in motion between networks and personal devices, coupled with the rapid integration of new technologies with no unified security strategy. In addition, personally identifiable information (PII) and personal health information (PHI) are extremely valuable. As a result, cybercriminals have ramped up their efforts to find victims to steal from or demand ransoms from.

Many patient portals have minimal security to make the experience for patients friction-free. Most are secured solely by a password, which means the primary vulnerability is back to the age-old problem of passwords. Passwords continue to be the Achilles' heel for systems and software across industries. If weak or compromised passwords are in use, it's increasingly likely that hackers can launch a successful account takeover (ATO).


One common technique attackers use is credential stuffing. This is when bad actors use bots to automate attacks with previously stolen login credentials from older breaches, trying to gain access to the system and harvest information from the accounts they crack. As the volume of sensitive information stored in patient portals increases, credential stuffing attacks will continue to escalate. Adding to the issue is that it's no longer just names and addresses hackers are accessing.

Once a successful credential stuffing attack happens on a patient portal, the next step is data scraping. This is a software technique for extracting information and usually transforming unstructured data on the web into structured data that can be stored and analyzed in a central database.

In addition, new PII data is being exposed, including international mobile equipment identity (IMEI) numbers. An IMEI number is linked to a specific user's phone, increasing the likelihood of successful SIM-swap attacks. This can result in cybercriminals bypassing two-factor authentication by intercepting one-time passwords tied to other accounts — such as e-mail, banking or any account deploying advanced authentication security features — using a victim's phone number.

Healthcare providers must up the ante against the increasingly sophisticated efforts of cybercriminals to reduce the security risks created by the reliance on telehealth and patient portals. So, what steps can providers take to defend against these attacks?

1. Make multi-factor authentication (MFA) mandatory.

Sensitive systems and data should require more than one login factor for security. Healthcare providers must add layers rather than hoping that one will suffice. Requiring several verification steps reduces the risk that a stolen or guessed password alone results in a successful attack. It's time that the HIPAA Security Rule were updated to explicitly state that MFA is mandatory for access to patient data in all healthcare organizations.

2. Screen for compromised credentials.

With the deluge of exposed credentials readily available on the dark web and the open internet, healthcare providers must continuously screen to ensure compromised credentials are not in use. Rather than relying on static lists, they need to check passwords daily against a dynamic database so they can take immediate action if a compromise is detected. Removing a hacker's ability to use stolen passwords will shore up cybersecurity and reduce the vulnerabilities of patient portals.
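As an added illustration (not code from this article or from Enzoic's product), the following Python sketch shows the k-anonymity range-query pattern that public breached-password lookup services use: the portal hashes the password locally, sends only a short hash prefix to the screening service, and matches the suffix on its own side, so neither the plaintext nor the full hash leaves the portal. The breach corpus below is constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: passwords as they would appear in historical breach dumps.
# A real screening service holds hundreds of millions of entries and is refreshed continuously.
CONSTRUCTED_BREACH_CORPUS = ["password123", "Welcome1", "letmein", "Summer2020!"]

PREFIX_LEN = 5  # leading hex characters of the SHA-1 digest that the portal sends (SHA-1 hex is 40 chars)


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password; used only as a lookup key, never for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Service side: index breached digests by prefix so a range query returns only suffixes."""
    index = defaultdict(list)
    for pw in corpus:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix):
    """Service side: every known 35-character suffix under this prefix (possibly none)."""
    return list(index.get(prefix, []))


def is_compromised(password, index):
    """Portal side: hash locally, query by prefix only, and compare the suffix on the portal's own server."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(index, prefix)


def screen_at_login(password, index):
    """Authentication hook: a breached password is treated as a compromise even when it is otherwise
    valid, so the account is routed to a forced reset instead of being granted access."""
    return "force_reset" if is_compromised(password, index) else "proceed"
```

Because the service side holds the corpus, refreshing it as new dumps surface is what makes the check dynamic rather than a static list.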

3. Monitor logins and maintain device intelligence.

This is another critical step to help identify and ward off automated attacks. Monitoring confirms whether the patient is using a device that the system recognizes. In addition, it determines whether the device is associated with previous fraudulent activity or is impersonating multiple patients. If a device is flagged as suspicious, additional authentication factors can be required, such as previously established security questions or knowledge-based authentication (KBA), before access is granted.

Determining which traffic is from an actual human versus a bot helps eliminate automated account takeover attacks. Detecting an increase in failed login attempts is a good indicator that a credential stuffing attack is targeting a patient portal.

4. Implement a CAPTCHA on all login forms.

Another good practice is to ensure that all login forms present a CAPTCHA for riskier login attempts. There are a number of CAPTCHA products available that help assess whether a login attempt is considered “risky,” but multiple failed authentication attempts from the same source IP address should always start prompting for a CAPTCHA.

5. Shut down access after too many failed login attempts.

This is a basic authentication security step, but I would be remiss not to mention that unlimited attempts to log in to the same account with invalid passwords should not be allowed. Locking an account against further authentication attempts for a period of time after a set number of failures is a good way to prevent unauthorized access.
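The monitoring, CAPTCHA and lockout controls from steps 3 through 5 combined into one login-risk decision, as an added example that is not from the article: failures per source IP trigger a CAPTCHA requirement, failures per account trigger a timed lockout, and a sliding window over all failures gives the surge indicator for a credential stuffing campaign. The thresholds, account names and IP addresses are constructed values, not figures from the text.

```python
from collections import defaultdict, deque

# Policy thresholds (constructed for this example; tune to the portal's own traffic).
CAPTCHA_AFTER_IP_FAILURES = 3     # failed attempts from one source IP before a CAPTCHA is required
LOCK_AFTER_ACCOUNT_FAILURES = 5   # failed attempts on one account before it is locked
LOCKOUT_SECONDS = 900             # lock duration (15 minutes)
SURGE_WINDOW_SECONDS = 60         # window for the credential-stuffing surge indicator
SURGE_FAILURE_THRESHOLD = 20      # failures inside the window that raise an alert


class LoginGuard:
    """Tracks failed logins per source IP and per account and decides how to treat each attempt."""

    def __init__(self):
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.locked_until = {}          # account -> unix time at which the lock expires
        self.recent_failures = deque()  # timestamps of all failures, for the surge indicator

    def decision(self, account, ip, now):
        """'locked', 'captcha' or 'allow' for an attempt that is about to be evaluated."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if self.ip_failures[ip] >= CAPTCHA_AFTER_IP_FAILURES:
            return "captcha"
        return "allow"

    def record(self, account, ip, success, now):
        """Update counters after the password check; returns the decision taken before that check."""
        verdict = self.decision(account, ip, now)
        if verdict == "locked":
            return verdict               # locked accounts are not evaluated, so nothing is counted
        if success:
            self.account_failures[account] = 0  # a good login clears the account counter, not the IP one
            return verdict
        self.ip_failures[ip] += 1
        self.account_failures[account] += 1
        self.recent_failures.append(now)
        if self.account_failures[account] >= LOCK_AFTER_ACCOUNT_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.account_failures[account] = 0
        return verdict

    def surge_detected(self, now):
        """True when failures in the last window reach the threshold: the indicator from step 3."""
        while self.recent_failures and self.recent_failures[0] < now - SURGE_WINDOW_SECONDS:
            self.recent_failures.popleft()
        return len(self.recent_failures) >= SURGE_FAILURE_THRESHOLD
```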

The convenience of telehealth for providers and patients alike means it's here to stay, and patient portals will continue to be the primary way we access healthcare. Therefore, healthcare organizations must quickly address the security vulnerabilities that have arisen due to the rapid adoption and combat the increasingly sophisticated efforts of cybercriminals.
