Your health records contain a vast assortment of information, from your medical history to your prescriptions list, insurance and payment details, Social Security number, and more.
This makes these records amongst the most private and sensitive of all data about you.
It’s easy to understand, then, why there are so many different laws and regulations in place to ensure that patient records are appropriately protected. It’s also easy to understand why electronic health records have proven to be a tantalizing target for hackers, fraudsters, and other bad actors.
All of this means that businesses operating in the healthcare industry — particularly those that collect, handle, store, or transmit patient health records electronically — have a target on their back. Digital health providers, hospitals, clinics, individual providers, insurers, pharmacists (and more) are all potentially at risk of security breaches, regulatory enforcement, and legal action from patients.
The good news is that by implementing a robust identity and access management (IAM) process, including identity verification and authentication, it’s possible to better protect your patients’ health data and identity information.
Below, we define identity management in healthcare, take a look at the different kinds of threats that can put patient data at risk, and highlight the role that identity verification, reverification, and authentication can play in an effective IAM strategy.
What is identity and access management in healthcare?
Identity and access management (IAM) is a framework of technologies, policies, and processes that businesses follow to manage digital identities. It involves policies that dictate sign-in credentials (usernames and passwords), data governance, and who has access to what information.
In a healthcare setting, identity and access management covers every party who may access, or attempt to access, a patient’s medical records: individuals employed by your organization as well as partners, vendors, and the patients themselves.
What puts patient data at risk?
As mentioned above, patient records contain a lot of sensitive data. In recent years, this data has come under increased threats from bad actors.
According to data compiled by HIPAA Journal, between 2009 and 2021 there were 4,419 healthcare data breaches that involved 500 or more patient records. The annual number of such breaches has nearly doubled from 368 in 2018 to 714 in 2021.
What has caused this increase? There are a number of factors at play, including:
- The transition from paper records to electronic health records (EHRs): Paper records — while burdensome to handle, transmit, and store — are fairly secure simply due to the fact that accessing them requires proximity. As more providers and organizations digitize paper records and embrace digital-first record-keeping, it increases the risk that records may be inappropriately accessed by digital means.
- Increasingly concentrated healthcare systems: Since 2010, healthcare systems in the US have become increasingly concentrated due to mergers and acquisitions. This consolidation has ultimately led to an increased concentration of health records in fewer systems, meaning a single data breach can potentially impact a greater number of patients. These concentrated systems have also proven to be tempting targets for bad actors.
- The migration from in-person to digital healthcare: Digital health and telehealth services have grown popular in recent years, partially spurred by COVID-19 and the ensuing lockdown. In order to access these services, patients must create an account, which they must then subsequently log into for appointments. Unfortunately, each new account also offers bad actors a new potential path into your systems.
All of these factors make it easier for healthcare systems (and the massive amount of records they contain) to potentially fall victim to various types of hacking attacks. These include, but are by no means limited to:
- Credential stuffing attacks
- Password spraying attacks
- Phishing attacks
- Spear phishing attacks
- Man-in-the-middle attacks
- Ransomware attacks
- Malware attacks
- and other attacks that end in account takeover or data theft
The role of identity verification and authentication
Unfortunately, there is no single silver bullet that will address all of the risks associated with protecting patient health records from inappropriate access. In most cases, identity and access management will require multiple policies, processes, and technologies working in tandem with one another.
That said, while identity verification and authentication cannot address every challenge associated with identity management in healthcare, they can play an important role.
Verifying your patients’ identity
Some bad actors may try to take advantage of your organization by opening an account using fake or stolen information. Doing so successfully may mean that they can defraud your business out of medical fees, gain access to prescriptions for controlled substances that they should not have access to, or engage in other kinds of medical and insurance fraud.
By verifying the identity of all new patients during the account opening and onboarding process — whether through government ID verification, document verification (think: insurance cards), database verification, selfie verification, or a combination of these — you can prevent these bad actors from ever getting a foothold in your business.
Verification during the onboarding process also makes it easier to implement reverification measures, as discussed below.
Leveraging two-factor authentication during login
For as long as people have had digital accounts, those accounts have been protected by passwords. And ever since, bad actors have been developing new ways to steal, guess, intercept, or otherwise “crack” those passwords.
When a person’s login credentials are compromised, bad actors can use them to gain access to your systems — including potentially sensitive patient information. Strengthening the login process with two-factor authentication (2FA) adds an extra layer of defense against such attacks.
Two-factor authentication (a form of multi-factor authentication) is the process of requiring a second form of authentication in addition to a user’s password before they are given access to an account, file, system, or other protected information. Examples include:
- Biometric 2FA (something you are), which requires a user to submit a piece of information, such as a selfie, for analysis
- Possession-based 2FA (something you have), which requires the user to have access to a trusted device such as a computer or smartphone, which receives or generates a one-time security code. Codes generated on the device (an authenticator app or hardware key) are stronger than codes sent by SMS, which can be intercepted through SIM swapping or phished along with the password.
- Knowledge-based 2FA, which requires the user to answer a security question in addition to supplying their password. Note that a security question is a second “something you know” rather than an independent factor, and the answers are often guessable or discoverable from public records, so it is the weakest of the three.
Importantly, multi-factor authentication should be implemented on both the internal side of your business (i.e., for employee accounts) as well as externally (i.e., for your patients), as each side offers bad actors a potential way into your system.
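The possession-based option above is usually implemented as a time-based one-time password (TOTP, RFC 6238): the server and the user’s authenticator app share a secret, and both derive a short code from the current 30-second time step. The following is an added example (not code from the article or from Persona) showing the server side of that check, including the two details that matter in practice: constant-time comparison and refusing to accept a time step twice, so a code captured by a phisher cannot be replayed inside its validity window. The secret is the published RFC 4226/6238 test secret so the output can be checked against the RFC vectors; a real deployment generates a random secret per user and stores it encrypted.

```python
"""Possession-based second factor: time-based one-time passwords (RFC 6238).

Added example, not code from the original article or from Persona. The secret
is the published RFC 4226/6238 test secret so the output can be checked against
the RFC vectors; a real deployment generates a random secret per user.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TEST_SECRET = b"12345678901234567890"   # RFC test secret, for illustration only
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Time-based OTP: HOTP over the number of steps elapsed since the epoch."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check of a code the user reads from an authenticator app.

    Accepts one time step of clock skew either way, compares in constant time,
    and never accepts a time step at or below the last accepted one, so a code
    captured by a phisher cannot be replayed within its validity window.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_step = -1        # highest counter already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue                                  # replay of a used step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)            # what the user's app would show at t=59
    print(code, verifier.verify(code, now=59), verifier.verify(code, now=59))
```

The one-step skew window is a tradeoff: it tolerates phone clocks that drift by up to 30 seconds, at the cost of accepting three candidate codes instead of one. Rate-limiting attempts per account is still required, since a six-digit code is only a million possibilities.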
Reverifying users at high-risk moments
Reverification means re-checking a person’s identity after they have initially been onboarded into your systems, either on a schedule or at specific moments during a session.
While organizations leverage reverification for a variety of purposes, requiring users to reverify their identities just prior to initiating or completing high-risk actions on your platform can be a very effective way of safeguarding sensitive information. This is especially true in cases where login credentials have been compromised, or where a logged-in device has been stolen or left unattended.
So ask yourself, what high-risk actions can a user perform once they have logged into your platform, and does it make sense to place these actions behind a layer of reverification?
On the patient side of the equation, this might involve a patient trying to:
- Access or download their health records
- View or change their payment or insurance details
- Update their log-in credentials
- Renew a prescription for a controlled substance
- Update key account information (such as their address, phone number, billing information, etc.)
- and more.
On the employee side of the equation, it might involve an employee trying to:
- Access sensitive patient information
- Make changes to a patient record
- Download, share, or transmit sensitive data
- Perform other unusual or high-privilege actions
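Put together, the two lists above describe a step-up policy: each action carries a risk tier, and a session is allowed to proceed only if it holds a sufficiently recent verification that was performed from the same device and network. The following is an added example, not code from the article or from Persona; the action names, risk tiers, freshness windows and session fields are assumptions chosen to illustrate the policy, and a real deployment would map them to its own product.

```python
"""Step-up reverification at high-risk moments.

Added example, not the article's or Persona's code. The action names, risk
tiers, freshness windows and session fields are assumptions chosen for
illustration; a real deployment would map them to its own product.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical risk tier per action. Low-risk actions never prompt; the others
# prompt unless the session holds a recent verification from the same device
# and network. Unknown actions fail closed.
ACTION_RISK = {
    # patient side
    "view_appointments": "low",
    "view_records": "medium",
    "update_contact_info": "medium",
    "download_records": "high",
    "change_payment_details": "high",
    "update_credentials": "high",
    "renew_controlled_rx": "high",
    # staff side
    "read_patient_chart": "medium",
    "edit_patient_chart": "high",
    "export_patient_data": "high",
}

# How recent a verification must be, per tier (seconds). Assumed values.
FRESHNESS = {"medium": 60 * 60, "high": 5 * 60}


@dataclass
class Session:
    user_id: str
    current_device: str                      # device fingerprint or bound device id
    current_ip: str
    last_verified_at: Optional[int] = None   # epoch seconds; None = never this session
    verified_device: Optional[str] = None
    verified_ip: Optional[str] = None


@dataclass
class Decision:
    require_reverification: bool
    reasons: List[str] = field(default_factory=list)


def requires_reverification(session: Session, action: str, now: int) -> Decision:
    """Decide whether `action` must be gated behind a fresh identity check."""
    tier = ACTION_RISK.get(action)
    if tier is None:
        return Decision(True, [f"unknown action {action!r}: fail closed"])
    if tier == "low":
        return Decision(False)

    reasons = []
    if session.last_verified_at is None:
        reasons.append("no verification yet in this session")
    else:
        age = now - session.last_verified_at
        if age > FRESHNESS[tier]:
            reasons.append(f"last verification is {age}s old; {tier}-risk limit is {FRESHNESS[tier]}s")
        # A verified session that moves to a new device or network is exactly the
        # stolen-credential / stolen-device case the article describes.
        if session.current_device != session.verified_device:
            reasons.append("device differs from the one that was verified")
        if session.current_ip != session.verified_ip:
            reasons.append("network differs from the one that was verified")
    return Decision(bool(reasons), reasons)


def mark_verified(session: Session, now: int) -> None:
    """Record a successful reverification and bind it to the current device/network."""
    session.last_verified_at = now
    session.verified_device = session.current_device
    session.verified_ip = session.current_ip


if __name__ == "__main__":
    s = Session("patient-42", current_device="dev-A", current_ip="203.0.113.7")
    for action in ("view_appointments", "download_records"):
        print(action, requires_reverification(s, action, now=1000))
    mark_verified(s, now=1000)
    print("download_records", requires_reverification(s, "download_records", now=1100))
    s.current_device = "dev-B"          # same session continues from another device
    print("download_records", requires_reverification(s, "download_records", now=1200))
```

Two design choices are worth noting. Unknown actions fail closed, so a new feature shipped without a risk tier prompts rather than silently bypassing the policy. And the decision carries its reasons, which is what the security team will want in the audit log when a legitimate user complains about a prompt or an investigator reconstructs a session.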
Identifying potential fraudsters through link analysis
All of the suggestions above revolve around preventing bad actors from gaining access to your business. But what if you suspect that you may already have bad actors on your platform? How can you differentiate potential bad actors from legitimate users so you can flag and ultimately remove their accounts? Link analysis can help.
Link analysis is the process of understanding how different accounts on your platform may be linked to each other by shared account information, data, or other connections. It can be used to look for known fraud patterns, identify anomalies, and even detect new fraud patterns before they become obvious to the human eye.
By identifying, analyzing, and understanding these links, it’s possible for you to detect duplicate accounts, discover potential fraud rings, and more.
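Concretely, link analysis starts from an inverted index of normalized attribute values (phone, device, payment instrument, address) to the accounts that carry them, and then joins accounts into connected components. The following is an added example, not code from the article and not Persona’s Graph product. The sample accounts are constructed, and the split between “strong” identifiers (which two distinct patients rarely share legitimately) and “weak” ones (which members of a household routinely share) is an assumption chosen to keep families from being flagged as fraud rings on the strength of a shared address alone.

```python
"""Link analysis over patient accounts: find clusters that share identifiers.

Added example, not the article's or Persona's code. Account records, attribute
names and the strong/weak split are assumptions chosen for illustration.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Tuple

# Attributes that two distinct patients rarely share legitimately...
STRONG_ATTRS = ("phone", "device_id", "payment_token")
# ...and attributes that households legitimately share, which are reported as
# supporting evidence but never join accounts on their own.
WEAK_ATTRS = ("address",)

# Constructed sample accounts (fictional values).
ACCOUNTS = [
    {"id": "acct-1", "phone": "+1 555 000 1111", "device_id": "dev-A", "payment_token": "tok-11", "address": "12 Oak St"},
    {"id": "acct-2", "phone": "+1 555 000 2222", "device_id": "dev-A", "payment_token": "tok-12", "address": "12 oak st."},
    {"id": "acct-3", "phone": "+1 555 000 3333", "device_id": "dev-B", "payment_token": "tok-12", "address": "9 Elm Ave"},
    {"id": "acct-4", "phone": "+1 555 000 4444", "device_id": "dev-C", "payment_token": "tok-13", "address": "9 Elm Ave"},
    {"id": "acct-5", "phone": "+1 555 000 5555", "device_id": "dev-D", "payment_token": "tok-14", "address": "1 Pine Rd"},
    {"id": "acct-6", "phone": "+1 (555) 000-5555", "device_id": "dev-E", "payment_token": "tok-15", "address": "3 Birch Ln"},
]


def normalize(attr: str, value: str) -> str:
    """Canonicalize so trivially different spellings still match."""
    if attr == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.lower().replace(".", "").split())


def find_links(accounts) -> Dict[Tuple[str, str], List[str]]:
    """Map each pair of accounts to the attributes they share."""
    index = defaultdict(list)                       # (attr, value) -> account ids
    for acc in accounts:
        for attr in STRONG_ATTRS + WEAK_ATTRS:
            if acc.get(attr):
                index[(attr, normalize(attr, acc[attr]))].append(acc["id"])
    links = defaultdict(list)
    for (attr, _), ids in index.items():
        for a, b in combinations(sorted(ids), 2):
            links[(a, b)].append(attr)
    return links


class DisjointSet:
    """Union-find; connected components are the candidate fraud rings."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def find_clusters(accounts) -> List[Dict]:
    """Group accounts joined by at least one strong shared attribute.

    Returns clusters of size >= 2 together with the links among their members,
    so an analyst can see why each account landed in the cluster.
    """
    ds = DisjointSet(acc["id"] for acc in accounts)
    links = find_links(accounts)
    for (a, b), attrs in links.items():
        if any(attr in STRONG_ATTRS for attr in attrs):
            ds.union(a, b)
    members = defaultdict(list)
    for acc in accounts:
        members[ds.find(acc["id"])].append(acc["id"])
    clusters = []
    for ids in members.values():
        if len(ids) < 2:
            continue
        ids.sort()
        evidence = {f"{a}~{b}": attrs for (a, b), attrs in links.items()
                    if a in ids and b in ids}
        clusters.append({"accounts": ids, "evidence": evidence})
    return sorted(clusters, key=lambda c: c["accounts"])


if __name__ == "__main__":
    for c in find_clusters(ACCOUNTS):
        print(c["accounts"], c["evidence"])
```

On the sample data, acct-1, acct-2 and acct-3 form one cluster (a shared device links the first two, a shared payment token links the second and third, and the shared address is reported as corroboration), acct-5 and acct-6 are linked by a phone number written two different ways, and acct-4 stays out because the only thing it shares with anyone is an address. Note that clusters are transitive: acct-1 and acct-3 share nothing directly, which is exactly the kind of indirect connection that is hard to spot by hand.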
The right tools can help
Here at Persona, we understand the critical importance of protecting patient information in an increasingly digital healthcare landscape. That’s why HIPAA compliance is at the core of our identity verification platform, and why it informs each of our solutions — from how we handle PII storage to our verifications solution to our case management product to Graph, our link analysis solution, and more.
Interested in learning more? Get a demo today.