Virtru Security Insights


Secure Client Portals: An Idea Whose Time Has Come (and Gone!)

July 7, 2016

No one becomes a doctor, lawyer or finance professional to worry about security. However, data breaches have become a major occupational hazard for a wide range of industries. The news is filled with massive leaks and costly settlements on a daily basis. And often, professionals who were never trained in IT security are the ones who suffer the consequences when it fails.

The secure client portal was meant to be an IT security solution, giving professionals a simple and safe way to exchange data with clients. However, portals never quite lived up to their promise. Although portals enhance security somewhat, there are easier, safer and more convenient ways to communicate electronically.

What is the purpose of a secure client portal?

While email is the easiest way to send messages and attachments to clients, it is not sufficiently secure off-the-shelf. Until fairly recently, most accounts sent unencrypted email by default, meaning hackers could easily intercept and read confidential messages.

Many email providers now encrypt emails using Transport Layer Security (TLS). The email is encrypted (i.e., scrambled) using a string of characters called the key, then sent to the sender’s email server, which decrypts it. Then the message is re-encrypted and sent to the recipient’s server, which repeats the process, finally sending it to the recipient.

Although it provides some security, TLS has vulnerabilities — particularly when used for email. If the recipient’s email server has been compromised, the message will be sent unencrypted, making it easy for hackers to spy on. Other problems, like outdated software or a compromised server, can also undermine TLS.
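Because TLS protects email one hop at a time, the `Received` headers of a delivered message show which hops were actually encrypted. The following is an added example, not Virtru code: the sample message and hostnames are constructed, and `hop_report` and `plaintext_hops` are hypothetical helper names.

```python
import re
from email import message_from_string

# "with" protocol keywords that record TLS on a hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<sender>\S+).*?\bby\s+(?P<receiver>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample message; hostnames and addresses use reserved example ranges.
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.7])
\tby inbox.client.example with LMTPS id abc3; Thu, 7 Jul 2016 10:00:03 +0000
Received: from out.firm.example (out.firm.example [198.51.100.9])
\tby mx.client.example with ESMTP id abc2; Thu, 7 Jul 2016 10:00:02 +0000
Received: from laptop.firm.example (laptop.firm.example [192.0.2.5])
\tby out.firm.example with ESMTPSA id abc1; Thu, 7 Jul 2016 10:00:01 +0000
From: advisor@firm.example
To: client@client.example
Subject: Q2 statement

See attached.
"""

def hop_report(raw_message):
    """Return hops in delivery order as (sender, receiver, protocol, used_tls)."""
    # Each header is written by the receiving server; headers from hops you
    # do not control can be forged, so treat the result as evidence, not proof.
    hops = []
    # Servers prepend their Received header, so reverse to get delivery order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        m = HOP_RE.search(header)
        if m:
            proto = m.group("proto").upper()
            hops.append((m.group("sender"), m.group("receiver"), proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hops where the receiving server did not record TLS."""
    return [hop for hop in hop_report(raw_message) if not hop[3]]

if __name__ == "__main__":
    for sender, receiver, proto, tls in hop_report(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'NO TLS'})")
```

In the sample, the server-to-server hop between the two organizations fell back to plain ESMTP even though the first and last hops used TLS, so the message crossed the internet unencrypted.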

Secure client portals were meant to provide a safer alternative for businesses to communicate with clients, by creating a secure connection. Portals are often specialized by industry, allowing accountants to share tax and financial information, doctors to provide medical records and schedule appointments and lawyers to securely share legal documents and obtain signatures. Many secure portals also have intra-office features that enable workers to exchange messages, collaborate on documents, or perform other tasks with coworkers.

How does a secure client portal work?

When a professional sends a message or file using a secure client portal, the client typically receives an email, with instructions on how to access it. The client has to log on, create an account, and in some cases, install client portal software.

Once signed in, the client can receive the message, view or download files. Depending on the portal and industry, the client may also be able to take other actions, like scheduling an appointment or checking past records.

Like email, portal security generally relies on TLS. If a portal is accessed via a browser, the user will see “https” at the beginning of the address, indicating that the connection is secure. Portals are usually fairly safe when installed, configured and used correctly, but as we mentioned before, TLS is vulnerable to certain kinds of attacks.

Is a secure client portal the right solution?

One of the biggest problems with secure client portals is a lack of convenience. Users are required to create an entirely new login, and learn a new interface to communicate securely with the provider. Typically, portals are clunky and slow — especially when compared to the consumer grade email and file sharing services users are accustomed to.

Using a secure client portal also requires vigilance from the organization. If the portal has not been correctly set up, or the IT department fails to patch or replace it when new security vulnerabilities are discovered, confidential client information can be compromised.

Mossack Fonseca — the law firm breached in the Panama Papers — was using a portal that hadn’t been updated since 2009, and was vulnerable to a wide assortment of attacks. In a world where 80% of top law firms have been breached, it’s likely that many other firms have outdated portals — and other industries are no better.

Perhaps most significantly, secure client portals aren’t mutually compatible. Most industries that use security portals need to be able to share confidential data with other organizations. Law firms negotiate with each other and collaborate with experts and witnesses; medical professionals forward medical records to other providers; and financial consultants need to mediate complex transactions between different parties.

But with each organization using its own online client portal software, there’s no good way to securely share information. In many cases, providers will use unencrypted email and other risky shortcuts. If they do attempt to use portals, they may have to download the data from one system and upload it to another, wasting time and posing unnecessary data security and error risks. Without an enterprise encryption solution they can use to talk to any organization, there’s no adequate way to protect sensitive data.

Is there a better alternative to secure client portals?

No matter how good portals get, they’ll never get around the compatibility problem. A better solution is to secure a tool everyone already uses: email. Email encryption has been overlooked by many organizations because, historically, it wasn’t easy to use. Users would have to install software, generate and manage keys (strings of characters used to protect messages) and verify the identities of recipients. Virtru encrypted email service has changed all of that, allowing users to easily send secure email to anyone.

Virtru is a web browser plugin that allows users to encrypt Gmail, Microsoft Outlook and other common email providers. Once installed, users will see a “v” slider in their message composition window, which can be activated with a single click. The user can then compose a message, add attachments and recipients like normal.

When the user clicks “send,” the message is encrypted and sent to the recipient. Virtru uses client-side encryption, scrambling the message (along with any attachments) before it leaves your computer, and only decrypting it once it reaches the recipient’s inbox. Even if a hacker manages to intercept the message, they won’t be able to decrypt it, ensuring that only the provider and client can see the confidential data.

Does the recipient need to install Virtru email encryption?

No. Virtru allows users to send messages to anyone with an email address, facilitating communication with clients and between organizations. If you contact a client who hasn’t installed Virtru secure email, they’ll receive an email notification from you. Once they click the Unlock Message button, they’ll be asked to verify their identity.

Then, they’ll be taken to Virtru’s Secure Reader, where they can read and respond to the message without installing software or creating a login ID. The Secure Reader will encrypt their email response, securing communication in both directions.

Virtru offers better security than client portal software with less inconvenience.

User-friendliness isn’t a bonus feature — it’s crucial to Virtru’s security. Customers are rarely willing to go out of their way for security, which is why it’s so hard to get them to use secure client portals. By streamlining secure communication so that it doesn’t disrupt workflow, Virtru dramatically increases adoption rates. After all, when you can make email secure with one click, there’s no incentive to take extra risks.

The convenience of Virtru is coupled with military-grade technology, originally designed to protect classified government information. We provide client-side encryption for business and government organizations, compliant with HIPAA, CJIS, CFPB, and other regimes. Whether your company deals with medical billing or military technology, Virtru provides an easier, safer alternative to secure client portals.

Contact us to learn how Virtru can work with your organization.