In the last decade, there have been over 2,550 healthcare data breaches, including 46 in April 2019 alone, the highest monthly tally in a decade. With each data breach, medical records are released on the dark web, exposing patients’ date of birth, place of birth, credit card details, Social Security number, addresses and emails. Because of the high amount of personal information, medical records can be listed for up to $1,000 each on the dark web—10 times more than the average credit card data breach record.
The number of exposed records more than doubled year-over-year, from about 5.1 million records in 2017 to 13.2 million records in 2018. And recent healthcare data breaches including Quest Diagnostics, LabCorp and Dominion National show this trend is rapidly increasing, posing significant and potentially devastating security threats for both patients and healthcare providers.
With each data breach, criminals gain access to endless patient login credentials and personal information, equipping them with everything they need to perpetrate account takeover and act as the patient online. Once logged in, fraudsters can use a patient’s insurance benefits to receive free care, refill prescription drugs, leverage government benefits and/or receive other financial gain acquired through the theft of another individual’s personal information. Because hackers sell stolen healthcare records on the black market and dark web, a patient’s information can be used by multiple different criminals in different locations to perpetuate fraud
By relying on passwords and knowledge-based authentication, it is impossible to know whether the person logging in to a patient portal is actually the real-world patient or a fraudster. Because these traditional authentication methods can be easily bypassed with information found on the dark web, healthcare agencies need to properly vet and verify their patients to ensure that they are who they claim to be.
But, how do healthcare agencies implement these stronger authentication processes?
Know Your Customer (KYC), the process of verifying the identity of your customers, is standard in financial transactions. KYC policies verify a customer’s identity and confirms they are not on any prohibited watch lists. By having customers verify themselves, these institutions can fight money laundering, terrorism financing and other run-of-the-mill fraud schemes.
Because of rising data breaches and growing security risks, it’s time healthcare organizations adopt a Know Your Patient (KYP) process to ensure medical information and insurance privileges stay with the patient and not an imposter.
To implement an effective KYP process, healthcare agencies must adopt an online digital identity verification system that verifies a patient is who they say they are by comparing a photo of a patient’s government-issued ID to a live photo. This allows hospitals, offices, clinics and pharmacies to approve or deny online accounts and attempted purchases.
After an online account has been created, medical offices and pharmacies can leverage online identity verification technology to automatically compare to the photo captured at enrollment.
KYP can help both health care agencies and patients with the following:
- Online prescriptions—ensures medications remain in the hands of the actual patients
- Age verification—ensures prescription holders are old enough to understand medication risks and will not misuse medications
- Automating data capture during patient intake—patient identity can be securely confirmed in seconds, saving time and efforts on patient enrollment
- Insurance fraud—prevents bad actors from filing claims, seeking care or obtaining medications under another person’s insurance/identity
- Reputation management—patients can trust their data and records will not fall into the wrong hands, while healthcare agencies can give patients peace of mind that their private information is secure
Because most patients are already comfortable with biometric authentication (such as Apple Face ID) to unlock devices and online accounts, biometric authentication is an easy transition for healthcare agencies.
A recent report from Carbon Black confirmed health care professionals need to consider a patient’s well being, which now includes privacy and security concerns. Even Congress is currently considering changes to an existing bill on consumer data privacy and security to reflect challenges posed by attacks on the healthcare industry.
It’s time to protect patient information and their digital identities, as near-daily data breaches continue to put patients at risk, demanding a new standard of authentication.
Robert Prigge is president of Jumio.
Favorite