Why I Hate Secure Email Portals

Many health care enterprises are using secure email ‘portals’ to send, or should I say ‘tell the recipient to come get,’ information and attachments in a way they were told would be ‘HIPAA Compliant’. What I mean by ‘portal’ is a third party to which plain text and any attachment is sent over a secure connection (‘plain text’ is unencrypted information; it can be formatted text that is just not encrypted). The ultimate recipient receives an email inviting them to visit the portal to see the content over a connection that is also encrypted.

For example, if the hospital pharmacy director wants to send a secure message to me, the prickly anesthesiologist, they use their e-mail program and, depending on how it’s set up, the result is an email to me telling me there’s something I must read at some web address. I then have to go to that URL and create an account, or log in if I already have an account.

More passwords? Each portal will ask me to create an account. If I’m doing things right, that password should be unique (not used at any other site), secure (not dictionary words, etc.), and private (not accessible to others). Below is one example of the kinds of passwords they believe are good:

I have a tool I use to do all this called 1Password. I wonder what percent of recipients of ePHI-containing e-mails have a way to create strong passwords and store them securely? My guess is well under 10%, and that may be generous. Guess what happens if, not understand...
Source: Waking Up Costs - Category: Anesthesiology Authors: Tags: Privacy Rant Security Software Source Type: blogs