Securing Patient Portals

The U.S. Department of Health and Human Services (HHS) defines a patient portal as a secure online website that gives patients convenient 24-hour access to personal health information from anywhere with an Internet connection. The portal enables patients to view their e-health records and the results of medical checkups, and to interface virtually with their doctors.

In support of the ONC, the HIMSS (Healthcare Information and Management Systems Society) Identity Management Task Force recommends all patients go through an identity proofing process and be issued a two-factor authentication credential before they access any of their medical records through a patient portal.(1)

This recommendation comports with other global initiatives enabling patient access to their electronic health records. For example, the UK’s Patient Online Program supports general practitioner practices in offering and promoting online services to patients, including access to coded information in records, appointment booking and ordering of repeat prescriptions.

(1) HIMSS Identity Management Task Force, “Recommended Identity Assurance for Patient Portals,”


As the healthcare industry continues to be under attack from hackers, patients want to ensure their medical records remain secure and confidential. They also want to be sure they have access to their own health records and, in turn, that only authorized healthcare professionals will have access to them. Today, the overwhelming majority of patient portals are accessed via a username and static password. Static passwords are not secure: they can be guessed or hacked.



Two-factor authentication — something you have (e.g. a one-time password generating authenticator) and something you know (e.g. a PIN code) — provides assurance to entities within a healthcare environment that the individuals seeking access to data are who they say they are. VASCO’s identity proofing ensures the required technical, regulatory and logistical aspects of identity validation and credential issuing are in place before authorized parties begin using the two-factor authentication protocols required by the DEA.

The VASCO Trust Platform is a unique ecosystem built on trusted digital identities. It helps healthcare organizations (as well as other enterprises) to make a shift from securing individual unconnected pieces to delivering a complete security solution based on trust that allows patients (for example) to do more, with greater convenience and productivity.

Solution options include:

DIGIPASS for Mobile:
  • Frictionless authentication and e-signing experience for mobile users
  • Integrated with VASCO's patented CRONTO technology and Open QR codes

DIGIPASS for Apps:
  • Comprehensive SDK that natively integrates application security, two-factor authentication and transaction signing into mobile applications
  • Drive new levels of interconnected mobile app security and intelligence without performance lags or customer visibility
  • Easy to use
    - Biometric authentication (selfie, fingerprint)
    - Support for push notifications

MYDIGIPASS for Healthcare:
  • Certified as full-service Credential Service Provider (CSP) at NIST SP 800-63 Level of Assurance 3 under the SAFE-BioPharma FICAM Trust Framework
  • One-stop shop for EHR vendors and hospitals: includes identity proofing, credentials issuance and delivery
