Aug 30 2023

QR Codes Are a Double-Edged Sword for Patient Care

While QR codes create an easy way for healthcare organizations to communicate with patients, cybersecurity risks could put patient data in the hands of bad actors.

In the quest to deliver personalized, relevant and more immediate healthcare, automating selected processes is one way to meet the challenge. Streamlining data exchange between providers and patients has terrific applications, such as providing access to information about a diagnosis or wellness education. One way to direct patients to this information is by QR code (see this example from a rural healthcare organization in southwest Iowa).

A QR code is a 2D barcode used to access online information quickly, typically through a smartphone camera. QR codes were invented in Japan in 1994 for labeling automotive parts, adding speed and accuracy to that process. Today, QR codes can be found on everything from baked goods to restaurant menus, TV ads and posters. They are easy to generate and intended to take users to a specific web location to share or collect relevant information.

Patients tend to be passive participants in healthcare scenarios. However, after scanning a code for data collection, patients may be asked for personal information to schedule or preregister for an appointment. At this point — as patients share private information with a data collector — the risk of using QR codes becomes exceptionally high. The patient has no way to verify that the data collector is legitimate.


Vulnerable to Cyberattacks, Risking Patient Privacy and Health

Here’s how this scam works: A QR code is replaced with a clone that redirects users to a fake website that looks legitimate — duplicated logos and wording, similar enough to a trusted site. Once a patient arrives and begins providing data, it’s intercepted by bad actors. These scan scams increased more than sevenfold in 2022 compared with previous years.

Fake QR codes are also used in outbound email campaigns, encouraging patients to scan a code that directs them to illegitimate sites designed to collect personal information or login details. Information such as medical history, Social Security information, personally identifiable information and patient portal credentials is gathered and potentially sold on the dark web.

In terms of cybersecurity, QR codes are considered part of the overall attack surface. It’s just one more thing to worry about. At the same time, communication staff want to use them and are training patients to engage in unsafe cyber behavior by asking them to trust something that seems innocuous. It’s frustrating — QR codes deliver real value when they’re used effectively, but they will never be without risk.

QR Codes Are Here to Stay in Healthcare

The sheer ease of engagement with patients and the ability for providers to easily update information creates a frictionless and near real-time experience. While it’s possible to generate QR codes with security features (such as single sign-on, multifactor authentication and more), every additional step removes the simplicity of using a QR code to direct patients to critical information.

Cyber adversaries will attempt to compromise QR codes because the volume of codes, combined with the targeted user base relying on them, provides a juicy target. The task of health IT teams is to outsmart the cyber adversaries and ensure the QR codes used are less likely to be tampered with.


Protect Patient Privacy with Good Cybersecurity Habits

Reduce the opportunity for cyber adversaries to capture patient data by teaching patients good cybersecurity habits. Here are several best practices patients should follow when interacting with QR codes:

  • Check the web address of the scanned QR code for authenticity. Determine if the site looks legitimate. Are there typos or a character out of place? If so, do not proceed.
  • Use your smartphone’s camera to scan the code and ensure your OS is current.
  • Consider where the QR code is being displayed.
  • Don’t enter personal information from a site served up from a QR code.
  • Avoid downloading apps through a QR code. Use your smartphone app store instead.
  • Run mobile security software.
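The first tip above (check the scanned web address for a wrong scheme, a look-alike character or a domain that only resembles the organization's) can be applied mechanically before a patient is sent anywhere. The following is an added example, not code from the article or from any organization it mentions: a small Python checker that takes the URL decoded from a QR code and rejects anything that is not HTTPS on an approved domain, flagging near-miss hosts. `APPROVED_DOMAINS` is an assumed allowlist of the healthcare organization's own branded domains, and the sample payloads are constructed for illustration.

```python
"""
Added example (not from the original article): check the URL decoded from a
QR code against an organization's approved domains before trusting it.
APPROVED_DOMAINS is an assumed allowlist; sample payloads are constructed.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Deliberately naive: assumes a one-label TLD
    such as .org; a production check would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# Assumed allowlist: the organization's own registrable domains.
# Any subdomain of an approved domain (e.g. a patient portal) is accepted.
APPROVED_DOMAINS = {"example-health.org"}
APPROVED_REGISTRABLE = {registrable_domain(d) for d in APPROVED_DOMAINS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_qr_url(url: str) -> dict:
    """Return {'url', 'verdict', 'reasons'}; verdict is 'approved' or 'reject'."""
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    # 1. Patient data should only ever travel over HTTPS.
    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', expected https")
    if not host:
        reasons.append("URL has no host")
        return {"url": url, "verdict": "reject", "reasons": reasons}

    # 2. Non-ASCII or punycode labels can hide look-alike characters.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("internationalized host name (possible look-alike characters)")

    # 3. The registrable domain must be one the organization actually owns.
    reg = registrable_domain(host)
    if reg not in APPROVED_REGISTRABLE:
        reasons.append(f"host '{host}' is not an approved organization domain")
        closest = min(APPROVED_REGISTRABLE, key=lambda d: levenshtein(reg, d))
        distance = levenshtein(reg, closest)
        if distance <= 2:
            reasons.append(f"resembles approved domain '{closest}' (edit distance {distance})")
        if any(d in host for d in APPROVED_REGISTRABLE):
            reasons.append("approved brand appears inside an unrelated domain")

    return {"url": url, "verdict": "reject" if reasons else "approved", "reasons": reasons}


# Constructed QR payloads, as a scanner app would decode them.
SAMPLE_PAYLOADS = [
    "https://patientportal.example-health.org/preregister",  # genuine portal
    "http://example-health.org/checkin",                     # right domain, wrong scheme
    "https://examp1e-health.org/login",                      # digit '1' in place of 'l'
    "https://exämple-health.org/forms",                      # non-ASCII look-alike
    "https://example-health.org.unrelated-example.net/",     # brand used as a subdomain elsewhere
]


def triage(payloads=SAMPLE_PAYLOADS) -> list:
    """Evaluate every payload and return the list of verdict dicts."""
    return [evaluate_qr_url(p) for p in payloads]


if __name__ == "__main__":
    for result in triage():
        print(result["verdict"].upper(), result["url"])
        for reason in result["reasons"]:
            print("   -", reason)
```

Only the first constructed payload is approved; the other four are rejected with a reason a help desk or a patient-facing scanner app could show. The two-label domain split is the simplification to replace first in real use, since many country-code suffixes have two labels.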

Creators of QR codes can help by using companies that offer secure QR code generation and the ability to customize the domain with the healthcare organization’s brand. Set a policy for the organization and ensure everyone on the team knows where to get approved codes.

Overall, QR code safety comes down to good cybersecurity hygiene. Let patients know about the convenience and simplicity of QR codes and teach them how to be good QR code consumers by passing along these tips.
