SMS 2 Factor Authentication
We have improved the security of our Patient Portal by enabling 2-step SMS verification. This setting is turned on for all Patient Portal enabled customers unless they have opted out.
We believe the security of your data to be our highest priority. We seek to provide solutions that are both secure and that are perceived as secure by the people using them. Our Patient Portal solution processes patient data including medical records and we take this seriously.
Throughout 2020 we have had millions of patients complete their forms online via our portal. While the majority of customers and patients have not expressed concern, we have received valuable feedback from a number of practices and patients. This has prompted us to carry out an external review of the portal and the security measures we have in place. The review revealed that while the existing solution is compliant, additional measures should be put in place to further protect Personally Identifiable Information (PII) and Protected Health Information (PHI) as advised by the Information Commissioner’s Office.
Why is this important?
Patient PII and PHI are processed in the portal, which benefits you and your patients by enabling a seamless, contactless patient experience. Online attacks are becoming more common and more intelligent, and we seek to deliver a product that protects patient data. The existing security does not protect patient data where a patient’s email account has been accessed maliciously. This is a risk we consider serious.
SMS verification codes
SMS verification codes provide a layer of security that protects against this sort of attack. SMS verification is an industry standard used across a wide range of account-based systems and is understood by most users online. We are introducing one-time SMS verification codes for portal log-in.
Why not email?
Email accounts are at risk of being hacked. If a patient’s email account has been maliciously accessed and the verification code is sent to the same compromised account as the original email request to complete the forms, the patient’s personal and medical information could be easily accessed. Mobile numbers are protected behind the patient’s personal device security and are at far lower risk of being intercepted. Sending a verification code via SMS provides greater security, as the patient must have access to both email and SMS messages to log in to Patient Portal. For this reason, we only send verification codes to mobile numbers on the patient file in EXACT.
Want to opt out?
If you understand the risk to PII and PHI and still wish to opt out of SMS verification codes, please email portalsecurity@soeuk.com.
Patients cannot log into Patient Portal?
“Please contact the practice to provide the information they require to sign in.”
Patients without an SMS number in EXACT will see the message above when they try to log in to Patient Portal. To fix this when a patient calls you, ask them to provide a mobile number for their patient record. Ensure you save the patient record before requesting forms and sending the patient a new Patient Portal link via SMS or email.
©2023 Henry Schein One International. All rights reserved.