Security Risk Assessment for Patient Portals of Hospitals: A Case Study of Taiwan

Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health record (EHR). This work aims to evaluate the patient porta...

Full description

Saved in:
Bibliographic Details
Published inRisk management and healthcare policy Vol. 17; pp. 1647 - 1656
Main Authors Yeh, Pei-Cheng, Yeh, Kuen-Wei, Huang, Jiun-Lang
Format Journal Article
LanguageEnglish
Published England Dove Medical Press Limited 30.06.2024
Dove
Dove Medical Press
Subjects
Online AccessGet full text

Cover

Loading…
More Information
Summary:Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health record (EHR). This work aims to evaluate the patient portal security risk of Taiwan's EEC (EMR Exchange Center) member hospitals and analyze the association between patient portal security, hospital location, contract category and hospital type. We first collected the basic information of EEC member hospitals, including hospital location, contract category and hospital type. Then, the patient portal security of individual hospitals was evaluated by a well-known vulnerability scanner, UPGUARD, to assess website if vulnerable to high-level attacks such as denial of service attacks or ransomware attacks. Based on their UPSCAN scores, hospitals were classified into four security ratings: absolute low risk, low to medium risk, medium to high risk and high risk. Finally, the associations between security rating, contract category and hospital type were analyzed using chi-square tests. We surveyed a total of 373 EEC member hospitals. Among them, 20 hospital patient portals were rated as "absolute low risk", 104 hospital patient portals as "low to medium risk", 99 hospital patient portals as "medium to high risk" and 150 hospital patient portals as "high risk". Further investigation revealed that the patient portal security of EEC member hospitals was significantly associated with the contract category and hospital type ( <0.001). The analysis results showed that large-scale hospitals generally had higher security levels, implying that the security of low-tier and small-scale hospitals may warrant reinforcement or strengthening. We suggest that hospitals should pay attention to the security risk assessment of their patient portals to preserve patient information privacy.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 23
ISSN:1179-1594
1179-1594
DOI:10.2147/RMHP.S463408